How to prevent false positive virus alarm on my software? [duplicate]

Submitted by 末鹿安然 on 2019-12-17 16:27:40

Question


Possible Duplicate:
Antivirus False positive in my executable

Until now, I have had over 15 false virus alarms for my programs. Most of them were from Kaspersky, which ALWAYS reports the same virus: Trojan-GameThief.Win32.Lmir.pcd. There are 3 questions:

  1. Why does it appear?
  2. How to prevent it?
  3. How to detect it?

For the first question, because it always detects the same virus, I guess it is because of one of my routines that I use in all my programs. But which one exactly, I don't know. For the second question I was thinking about modifying the program just a bit and recompiling it, just enough to change its code so the antivirus will not recognize it anymore and release the new version. The third question is the most difficult one. How to check ALL my programs against ALL antivirus programs in the world?


Update:
Does anybody have knowledge about how this issue can be handled legally? It seems that many Delphi developers have the same problem. The reckless antivirus companies make money on our backs by showing lots of false positive alarms, making their customers think they are safe when there was actually no danger. While we are losing customers - they are making customers. I informed the antivirus company about the problem but they fix it only for that specific version. Next time I release an update, the false alarm appears again. They just don't care.

Many honest developers have problems because of careless antivirus software. See this also: How to prevent false positive virus alarm on my software?

Maybe we can unite against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them. We should sign a petition to let them know that we don't accept this anymore.

Update 2017
* Last week my program had a detection ratio of close to 50% on VirusTotal. I deleted a single line of code and magically the detection dropped to 2 out of 61 (antiviruses). It is amazing how randomly these antivirus products behave.
* Detection is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) than when it is compiled in 'Debug mode'.
* Detection skyrockets when EurekaLog is used.

Update 2019
It is almost 9 years later and not much has improved.
Unfortunately, InnoSetup is not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 programs reported a false positive!

Conclusion:

  • At the end of the day upload your exe file to VirusTotal. If the detection ratio suddenly jumps, review the changes you have made in your code and remove the "harmful" ones.
  • Use WinRar 3 as installer. It raises fewer flags than WinRar 5 or InnoSetup.

Answer 1:


First, make sure that you do not have the Win32.Induc Delphi virus, which changes SysConst.dcu so that applications you compile will be infected.

  1. Use #3 to narrow down what in your code is causing the false positive. API calls which change process memory will trigger heuristic scanners. Even including the names of some of the API functions (such as WriteProcessMemory) will trigger a scanner. Make changes to a test application and submit to #3 until you narrow the problem down. If you use a packer, then the AV software will probably unpack it anyway, but test with and without packing.

  2. Will depend on #1.

  3. VirusTotal is used by virus developers to check their virus is not detected, so VirusTotal will send any test file to the anti-virus people for analysis. There used to be an option to switch this off, but it was removed several years ago. This can make the problem worse for you if you submit an application multiple times, so I would recommend using http://virusscan.jotti.org/ for your initial testing.




Answer 2:


3rd question: There is a website called VirusTotal which scans files with lots of antivirus engines. They have an API, so you can make this part of your build process.

Also, some similar questions might help:

Antivirus False positive in my executable

Virus in Delphi 7

https://stackoverflow.com/questions/3534050/my-software-is-not-a-virus-what-should-i-do (Snapshot of deleted question)

Accidentally created a virus?
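
One way to wire the check suggested in the answer above into a build, as an added example that is not part of the original posts: it compares the saved scan report of the previous release with the current one and lists the engines that newly flag the build, so false-positive reports can be filed with those vendors. The report layout is assumed to follow a VirusTotal API v3 file report (`data.attributes.last_analysis_results`); the sample reports, engine names, function names and the `max_new` threshold are constructed.

```python
import json

# Constructed sample reports; the layout is assumed to follow a VirusTotal
# API v3 file report (data.attributes.last_analysis_results).
PREVIOUS = json.loads("""{"data": {"attributes": {"last_analysis_results": {
  "EngineA": {"category": "undetected", "result": null},
  "EngineB": {"category": "malicious", "result": "Gen:Heur.Sample.1"},
  "EngineC": {"category": "undetected", "result": null}}}}}""")
CURRENT = json.loads("""{"data": {"attributes": {"last_analysis_results": {
  "EngineA": {"category": "malicious", "result": "Trojan-GameThief.Win32.Lmir.pcd"},
  "EngineB": {"category": "malicious", "result": "Gen:Heur.Sample.1"},
  "EngineC": {"category": "suspicious", "result": "Heur.Generic"},
  "EngineD": {"category": "timeout", "result": null}}}}}""")

FLAGGED = {"malicious", "suspicious"}


def detections(report):
    """Return {engine: detection name} for engines that flagged the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {engine: (verdict.get("result") or "unnamed")
            for engine, verdict in results.items()
            if verdict.get("category") in FLAGGED}


def scanned(report):
    """Count engines that returned a verdict (timeouts and errors excluded)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return sum(1 for v in results.values()
               if v.get("category") in FLAGGED | {"undetected", "harmless"})


def compare(previous, current, max_new=0):
    """Diff two reports; 'ok' is False when more than max_new engines newly flag."""
    before, after = detections(previous), detections(current)
    new = {e: name for e, name in after.items() if e not in before}
    cleared = sorted(e for e in before if e not in after)
    return {"ratio": f"{len(after)}/{scanned(current)}",
            "new": new, "cleared": cleared, "ok": len(new) <= max_new}


if __name__ == "__main__":
    summary = compare(PREVIOUS, CURRENT)
    print("detection ratio:", summary["ratio"])
    for engine, name in sorted(summary["new"].items()):
        print(f"file a false-positive report with {engine}: {name}")
    raise SystemExit(0 if summary["ok"] else 1)
```

Run as a build step, the non-zero exit status marks the release for review before it ships.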



Source: https://stackoverflow.com/questions/4237534/how-to-prevent-false-positive-virus-alarm-on-my-software
