Why does AVG(antivirus) detect an executable produced from Dev-C++ as a virus?

╄→гoц情女王★ submitted on 2019-12-04 03:44:48

Why is AVG labeling my C++ program a virus?

For example, here is a C++ program that AVG detects as a virus:

#include <cstdlib>
#include <iostream>
using namespace std;
int main(int argc, char** argv) {
    cout << "done";
    return 0;
}

Running the executable, I get AVG popup window with this text:

AVG Resident Shield Alert
Threat detected!
File name: c:\Documents and Settings\eleschinski\Desktop\workspace\CppApplication_2\dist\Debug\MinGW-Windows\cppapplication_2.exe
Threat name:  Trojan horse Agent3.CJAI (More Info)
Move to Vault (Recommended)
Go to file
Ignore the threat

[Screenshot of the AVG alert window]

Summary, What's going on here?

AVG antivirus is a program that runs on your computer and uses heuristics and other imprecise algorithms to identify which programs have unwanted, evil agendas. AVG took the contents of your executable file as input and decided that your program is unsafe.

Antivirus writers are using the Enumerating Badness strategy to identify malware in the world, and it is coming back to bite them, because this is the wrong approach to the problem of detecting malware. One problem with Enumerating Badness is false positives, which is the problem you are experiencing now.

Steps to take to get a better understanding of the problem:

Step 1. First, be very sure which file AVG is complaining about. To do this, go to AVG -> Tools menu -> Scan file. Choose the offending executable or the file named in your threat window. AVG will scan the file instantly and recommend adding it to the vault. At this point you know that AVG considers this file alone to be the malware.

Step 2. Get a second opinion about this malware/virus file; better yet, get 50 independent second opinions. Go to the website https://www.virustotal.com, where you can upload your file for free and have it analyzed by about 50 different antivirus programs. If the majority of them think it is a virus, then AVG has done well. But if only a few antivirus engines label your file as evil, then it's possible that AVG has a false positive.

Step 3. An easy way to convince AVG that your C++ program is safe is to add the C++ statement system("pause"); at the beginning of your C++ program, then recompile and re-run. For me, AVG then warns me about it, I click Ignore, and it lets me run it anyway. Also, try using 'return 1' instead of 'return 0' at the end of your main function. It will let you run it. If that seems bizarre, it is. Virus writers are smarter than antivirus writers, getting antivirus software to see too many false positives.

Step 4. See if you can white-list your program. Go into the "Virus Vault" in AVG: AVG -> History menu -> Virus Vault. Find the line items that represent your offending C++ program, release them from the virus vault or white-list them, and try again.

Solutions:

Option 1: Acknowledge that the virus writers are winning the war against antivirus software. It's easier to hide something than it is to survey everything and spot all badness. AVG can't tell the difference between a legitimate virus and some C++ program you just made. Get new antivirus software, get an operating system that doesn't need antivirus software (Linux), or go without antivirus software altogether and keep lots of offline, offsite backups.

Option 2: Tell AVG to stop analyzing files with the .EXE extension. WARNING: this will decrease AVG's ability to protect your computer from real viruses/malware. Go to AVG console -> Tools -> Advanced Settings -> Anti Virus -> Resident Shield -> Expert Settings. You will see a textbox with the label "Always scan files with the following extensions". Remove "EXE;" from that textbox. Save and try re-running your program. AVG will no longer complain about your something.exe executable.

Option 3: Fiddle with your C++ program until it stops being labelled a virus. Add some #include libraries, exclude some other ones. An inconsequential change could make all the difference in AVG deciding whether your file is malignant.

And if anyone from AVG is interested in chasing this bug down, here is the false positive executable for the above:
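Step 2 above, scripted. This is an added example and not code from the original answer: it hashes the executable and looks up an existing VirusTotal report by SHA-256 (so the binary itself is never uploaded), then tallies how many engines flagged it. It assumes VirusTotal's v3 REST API (GET https://www.virustotal.com/api/v3/files/<sha256> with an x-apikey header) and its last_analysis_stats / last_analysis_results response fields, read from the VT_API_KEY environment variable. The SAMPLE_REPORT below is constructed for illustration, and the thresholds in verdict() are my own rule of thumb, not VirusTotal's.

```python
"""Second-opinion check for a suspected antivirus false positive.

Added example, not part of the original post. Assumes VirusTotal API v3
(GET /api/v3/files/<sha256>, header x-apikey) and its last_analysis_stats /
last_analysis_results fields. SAMPLE_REPORT is constructed, not a real scan.
"""
import hashlib
import json
import os
import sys
import urllib.request

VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash in 1 MiB chunks so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch an existing report by hash; nothing is uploaded (network call)."""
    req = urllib.request.Request(VT_FILE_REPORT.format(sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(report: dict) -> dict:
    """Reduce a v3 file report to counts plus the names of the engines that hit."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        f"{engine}: {r.get('result')}"
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    total = sum(stats.get(k, 0)
                for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {"malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "total": total, "flagged": flagged}


def verdict(summary: dict, max_engines: int = 3, max_ratio: float = 0.1) -> str:
    """Rule of thumb (my assumption, not VirusTotal's): a handful of generic or
    heuristic hits among dozens of engines points to a false positive; a
    majority agreeing points to real malware."""
    hits = summary["malicious"] + summary["suspicious"]
    total = summary["total"] or 1
    if hits == 0:
        return "clean"
    if hits <= max_engines and hits / total <= max_ratio:
        return "likely false positive"
    if hits > total / 2:
        return "likely malicious"
    return "inconclusive"


# Constructed sample: 2 of 50 engines flag the file, one of them AVG.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 2, "suspicious": 0,
                            "undetected": 48, "harmless": 0},
    "last_analysis_results": {
        "AVG": {"category": "malicious", "result": "Trojan horse Agent3.CJAI"},
        "HypotheticalAV": {"category": "malicious", "result": "Gen:Heur.Packed"},
        "EngineA": {"category": "undetected", "result": None},
        "EngineB": {"category": "undetected", "result": None},
    },
}}}


def main(argv):
    if len(argv) < 2:
        print("usage: vtcheck.py <file>  (set VT_API_KEY for a live lookup)")
        return 2
    digest = sha256_of_file(argv[1])
    print("sha256:", digest)
    key = os.environ.get("VT_API_KEY")
    report = fetch_report(digest, key) if key else SAMPLE_REPORT
    if not key:
        print("VT_API_KEY not set; showing the constructed sample report")
    s = summarize(report)
    print(f"{s['malicious'] + s['suspicious']}/{s['total']} engines flagged it")
    for line in s["flagged"]:
        print("  ", line)
    print("verdict:", verdict(s))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vtcheck.py cppapplication_2.exe` with VT_API_KEY exported. If the hash has never been seen, the API returns 404 and you would fall back to uploading the file through the web UI as the answer describes; keep in mind that anything uploaded becomes visible to other VirusTotal users.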

Maybe this will shed some light on the whole thing, as it seems that AVG somehow doesn't like the combination of a (probably) older version of gcc (as Dev-C++ isn't in development anymore) and an empty program.

When you Google "define EXIT_SUCCESS" you will see that it should be "0".

Try to decompile your executable file using IDA Pro Disassembler + Hex Rays Decompiler and see what is really going on there :)
