Jaska 7 Posted October 13, 2023 Many anti virus software incorrectly flag a Delphi generated EXE as a malware. So they are false positive. Is it so that Delphi is actually used a lot when creating malware or is it that the algorithm that the AV software use are just right. Anyway I am tired explaining customers that the EXE does not contain any malware but this is a false positive. The EXEs that cause these are VCL (30/64-bit) and they are all digitally signed. It does not help too much reporting the AV software because they act too slow and once they register a false positive EXE we already have a new EXE build with a different digital hash. Does anybody know a way to avoid these false positives? Share this post Link to post
Patrick PREMARTIN 74 Posted October 13, 2023 (edited) Each anti virus software editor has a process to send them false positives. If your programs are flagged, send it to them directly for evaluation. You don't have other solutions. We can't bypass this because if we could, virus/malware authors could. Edited October 13, 2023 by Patrick PREMARTIN Share this post Link to post
FPiette 383 Posted October 13, 2023 1 hour ago, Jaska said: Many anti virus software incorrectly flag a Delphi generated EXE as a malware. I never had any of my Delphi generated application flagged as malware. I use Delphi since version 1. I used all versions. Share this post Link to post
dummzeuch 1505 Posted October 13, 2023 9 minutes ago, FPiette said: I never had any of my Delphi generated application flagged as malware. I use Delphi since version 1. I used all versions. Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware. After trying to correct this once or twice by contacting the antivirus publishers I simply gave up and whitelist it for my computers. I don't sign my executables and installers though, maybe that would help. 1 Share this post Link to post
Patrick PREMARTIN 74 Posted October 13, 2023 6 minutes ago, dummzeuch said: I don't sign my executables and installers though, maybe that would help. Not sure the signature has any impact : it only say "the detected virus or malware has been added before signing, developer/editor computer is infected" Share this post Link to post
JohnLM 14 Posted October 13, 2023 I don't know if the OP (or anyone else) are aware of this website for checking files/URL's for nasties, but I use it a lot. It uses many vendors. It might be useful for others here. http://www.virustotal.com/ So, I just uploaded a test file I compiled in Delphi 11.2 to this site to see the results I would get. It reported 2/62 or 2 out of 62 scans and reported the results, below. Share this post Link to post
Lajos Juhász 293 Posted October 13, 2023 For me there was only two cases of false positive. The last time it was this year MS Defender flagged application to be infected. MS solved it within 2-3 days. Share this post Link to post
FPiette 383 Posted October 13, 2023 34 minutes ago, dummzeuch said: 48 minutes ago, FPiette said: I never had any of my Delphi generated application flagged as malware. I use Delphi since version 1. I used all versions. Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware. That probably result of the use of some library or component that your software (GExperts) use and that some viruses are using as well. Or some virus took part of GExperts source code. I use almost NO external library in my software, I use nearly only my own code. And when using something for elsewhere (VirtualTreeView for example), I never use pre-built dcu nor any runtime package nor any pre-built DLL. I always recompile EVERYTHING. There are also bad anti-virus software that has a lot of false positive because of their poor detection mechanism or their bugs. Share this post Link to post
mvanrijnen 123 Posted October 13, 2023 i'v had this problem while back when using the MARS library for example (BitDefender), while others didn't. It's sometimes a weird thing. But there are always have been things about this with Delphi compiled software somehow. Share this post Link to post
Gord P 14 Posted October 13, 2023 I have this same problem with C++ Builder Share this post Link to post
Sherlock 663 Posted October 14, 2023 On 10/13/2023 at 8:15 AM, dummzeuch said: Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware. After trying to correct this once or twice by contacting the antivirus publishers I simply gave up and whitelist it for my computers. I don't sign my executables and installers though, maybe that would help. I don't think signing is the issue. But consider the sometimes simple heuristics of a virus scanner: DLL = suspicious, file access = suspicious, compiled with Delphi = suspicious. That will generate a warning anywhere... not that its OK, but it is understandable. Share this post Link to post
DPStano 15 Posted October 16, 2023 (edited) Signing with EV certificate helps like magic, we have been fighting with antivirus software for years, and from my testing there is a problem with some functions in system.pas (not sure which one it's been years) that are imported even never used (almost none existent unused code removal in delphi) that trigger antivirus heuristic. Edited October 16, 2023 by DPStano Share this post Link to post
DelphiSpass 0 Posted April 9 My apps are not signed. A self written installer "suddenly" made problems at customers, Defender blocked it. Reason was that I added more information in the Project Options->Version page. I removed allmost information from it again, recompiled, and then the customer was able to run the installer again without problems. Since then, I let these fields empty, see green marked in the attached picture. Hope it helps. However, signing is for sure a good idea. Share this post Link to post
Sherlock 663 Posted April 9 I think it is not filling the fields themselves, but the words used to fill them. Some "Heuristics" are really just that simple. Take Windows UAC installer detection for example. If an exes name contains Install, setup or even patch it will automatically need to be run with elevated privileges. If however you provide a manifest requesting a non elevated execution level the UAC will not elevate. Share this post Link to post
Attila Kovacs 629 Posted April 9 Report them as false positive, include the exe. Share this post Link to post
TonyB 3 Posted April 10 Are you using an EXE compressor such as AsPack by any chance? AV programs don't like compressed executables. 1 Share this post Link to post