Jaska

Delphi-compiled EXEs are flagged as malware by antivirus software


Much antivirus software incorrectly flags a Delphi-generated EXE as malware, so these are false positives. Is it that Delphi is actually used a lot for creating malware, or is it that the algorithms the AV software uses are just right? Anyway, I am tired of explaining to customers that the EXE does not contain any malware and that this is a false positive. The EXEs that cause this are VCL (32/64-bit) and they are all digitally signed. Reporting it to the AV vendors does not help much, because they act too slowly, and once they register a false-positive EXE we already have a new EXE build with a different hash.

Does anybody know a way to avoid these false positives?


Each antivirus software vendor has a process for submitting false positives. If your programs are flagged, send them directly to the vendor for evaluation. You don't have any other solution. We can't bypass this, because if we could, virus/malware authors could too.

Edited by Patrick PREMARTIN

1 hour ago, Jaska said:

Much antivirus software incorrectly flags a Delphi-generated EXE as malware.

I have never had any of my Delphi-generated applications flagged as malware. I have used Delphi since version 1. I have used all versions.

9 minutes ago, FPiette said:

I have never had any of my Delphi-generated applications flagged as malware. I have used Delphi since version 1. I have used all versions.

Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware. After trying to correct this once or twice by contacting the antivirus publishers, I simply gave up and whitelist it on my computers.

I don't sign my executables and installers, though; maybe that would help.


6 minutes ago, dummzeuch said:

I don't sign my executables and installers, though; maybe that would help.

Not sure the signature has any impact: it only says "the detected virus or malware was added before signing; the developer's/editor's computer is infected".


I don't know if the OP (or anyone else) is aware of this website for checking files/URLs for nasties, but I use it a lot. It uses many vendors. It might be useful for others here.

http://www.virustotal.com/

So, I just uploaded a test file I compiled in Delphi 11.2 to this site to see the results I would get.

It reported 2/62, i.e. 2 out of 62 scans flagged it, with the results shown in the attached screenshot.

[screenshot: VirusTotal scan results]

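The post above uploads the file to VirusTotal; the following is an added example (not code from the thread or from VirusTotal) of the other way round: querying by SHA-256 with the VirusTotal API v3 file-report endpoint (GET https://www.virustotal.com/api/v3/files/{sha256}, authenticated with an x-apikey header), which never sends the binary itself. That matters for proprietary builds, and it also explains the OP's problem: a fresh build with a new hash has no report at all until somebody submits it. The response parsing and the "flagged/total" ratio are my reading of the v3 report shape; SAMPLE_REPORT, the vendor names and the verdict strings are constructed placeholders, not real scan results.

```python
"""Hash lookup of a build on VirusTotal, summarising which engines flagged it.

Added example for this thread, not code from the original post or from
VirusTotal. Assumes the API v3 file-report endpoint
(GET https://www.virustotal.com/api/v3/files/{sha256}, header "x-apikey").
SAMPLE_REPORT is constructed: vendor names and verdicts are placeholders.
"""
import hashlib
import json
import sys
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"
# Engines that actually produced a verdict; timeouts and unsupported file
# types are left out of the denominator (assumption about how the "2/62"
# style ratio is presented).
VERDICT_CATEGORIES = ("malicious", "suspicious", "undetected", "harmless")
FLAGGED_CATEGORIES = ("malicious", "suspicious")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Fetch the v3 file report for a hash; an unknown hash raises HTTPError 404."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise(report):
    """Return (ratio string, sorted [(engine, verdict)]) for the engines that flagged the file."""
    results = report["data"]["attributes"]["last_analysis_results"]
    with_verdict = {
        name: r for name, r in results.items() if r.get("category") in VERDICT_CATEGORIES
    }
    flagged = sorted(
        (r.get("engine_name", name), r.get("result") or r["category"])
        for name, r in with_verdict.items()
        if r["category"] in FLAGGED_CATEGORIES
    )
    return f"{len(flagged)}/{len(with_verdict)}", flagged


# Constructed stand-in for a v3 response (placeholder vendors and verdicts).
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": "00" * 32,
        "attributes": {
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 0, "undetected": 4, "harmless": 0,
                "timeout": 0, "type-unsupported": 1, "failure": 0,
            },
            "last_analysis_results": {
                "VendorA": {"engine_name": "VendorA", "category": "malicious", "result": "Placeholder.Heur.A"},
                "VendorB": {"engine_name": "VendorB", "category": "undetected", "result": None},
                "VendorC": {"engine_name": "VendorC", "category": "undetected", "result": None},
                "VendorD": {"engine_name": "VendorD", "category": "malicious", "result": "Placeholder.Heur.B"},
                "VendorE": {"engine_name": "VendorE", "category": "undetected", "result": None},
                "VendorF": {"engine_name": "VendorF", "category": "undetected", "result": None},
                "VendorG": {"engine_name": "VendorG", "category": "type-unsupported", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    # usage: python vt_check.py MyApp.exe <api key>; with no arguments the sample is summarised
    if len(sys.argv) == 3:
        ratio, hits = summarise(fetch_report(sha256_of_file(sys.argv[1]), sys.argv[2]))
    else:
        ratio, hits = summarise(SAMPLE_REPORT)
    print("detections:", ratio)
    for engine, verdict in hits:
        print(f"  {engine}: {verdict}")
```

The list of flagged engines (with each engine's own verdict name) is what you want when filing a false-positive report, since each vendor only cares about its own detection.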

For me there have been only two cases of false positives. The last time was this year, when MS Defender flagged the application as infected. MS solved it within 2-3 days.

34 minutes ago, dummzeuch said:
48 minutes ago, FPiette said:

I have never had any of my Delphi-generated applications flagged as malware. I have used Delphi since version 1. I have used all versions.

Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware.

That is probably the result of some library or component that your software (GExperts) uses and that some viruses use as well. Or some virus took part of the GExperts source code.

I use almost NO external libraries in my software; I use nearly only my own code. And when I use something from elsewhere (VirtualTreeView, for example), I never use pre-built DCUs, nor any runtime package, nor any pre-built DLL. I always recompile EVERYTHING.

There is also bad antivirus software that has a lot of false positives because of its poor detection mechanisms or its bugs.


I've had this problem a while back when using the MARS library, for example (BitDefender), while others didn't flag it. It's sometimes a weird thing. But there have always been issues like this with Delphi-compiled software somehow.

On 10/13/2023 at 8:15 AM, dummzeuch said:

Then you have been very lucky. Every single GExperts release for the last few years has been flagged as malware. After trying to correct this once or twice by contacting the antivirus publishers, I simply gave up and whitelist it on my computers.

I don't sign my executables and installers, though; maybe that would help.

I don't think signing is the issue. But consider the sometimes simple heuristics of a virus scanner: DLL = suspicious, file access = suspicious, compiled with Delphi = suspicious. That will generate a warning anywhere... not that it's OK, but it is understandable.


Signing with an EV certificate helps like magic. We have been fighting with antivirus software for years, and from my testing there is a problem with some functions in System.pas (not sure which ones, it's been years) that are imported even if never used (almost non-existent unused-code removal in Delphi) and that trigger antivirus heuristics.

Edited by DPStano


My apps are not signed. A self-written installer "suddenly" caused problems at customers: Defender blocked it.

The reason was that I had added more information on the Project Options -> Version page.

I removed almost all of the information from it again, recompiled, and then the customer was able to run the installer again without problems.

Since then, I leave these fields empty; see the green marking in the attached picture. Hope it helps.

However, signing is for sure a good idea.

[screenshot: Project Options -> Version page with the marked fields left empty]


I think it is not filling in the fields themselves, but the words used to fill them. Some "heuristics" are really just that simple. Take Windows UAC installer detection, for example. If an EXE's name contains Install, setup or even patch, it will automatically need to be run with elevated privileges. If, however, you provide a manifest requesting a non-elevated execution level, UAC will not elevate.

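As an added illustration of the UAC installer-detection rule described in the post above (this is example code written for this page, not something from the thread or from Microsoft): the function below models the decision, with no manifest, a file name containing an installer keyword is auto-elevated; a manifest that carries requestedExecutionLevel switches the heuristic off and the stated level wins. The keyword list is an assumption for this example, and the model ignores the version-resource strings the real heuristic also inspects. ASINVOKER_MANIFEST is the manifest fragment a normal application would embed to run as the invoking user.

```python
"""Does Windows UAC installer detection auto-elevate this EXE?

Added example for this thread, not code from the original post or Microsoft.
Models the rule the reply describes: no manifest + installer keyword in the
file name => elevation; a manifest with requestedExecutionLevel => that level
wins. INSTALLER_KEYWORDS is an assumption for this example.
"""
import xml.etree.ElementTree as ET

ASM_V3 = "urn:schemas-microsoft-com:asm.v3"
INSTALLER_KEYWORDS = ("install", "setup", "update", "patch")  # assumption
ELEVATING_LEVELS = ("requireAdministrator", "highestAvailable")

# Manifest that opts out of installer detection and runs as the invoking user.
ASINVOKER_MANIFEST = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""


def requested_execution_level(manifest_xml):
    """Return the level attribute from the manifest, or None if it has no trustInfo."""
    if isinstance(manifest_xml, str):
        manifest_xml = manifest_xml.encode("utf-8")
    root = ET.fromstring(manifest_xml)
    node = root.find(f".//{{{ASM_V3}}}requestedExecutionLevel")
    return node.get("level") if node is not None else None


def will_elevate(exe_name, manifest_xml=None):
    """Return (elevates, reason) for an EXE name and its embedded manifest, if any."""
    if manifest_xml is not None:
        level = requested_execution_level(manifest_xml)
        if level is not None:
            # highestAvailable only prompts for users who are administrators
            return level in ELEVATING_LEVELS, f"manifest requests {level}"
    lowered = exe_name.lower()
    hit = next((k for k in INSTALLER_KEYWORDS if k in lowered), None)
    if hit is not None:
        return True, f'installer detection: file name contains "{hit}"'
    return False, "no manifest and no installer keyword in the name"


if __name__ == "__main__":
    cases = (
        ("MyAppSetup.exe", None),
        ("MyAppSetup.exe", ASINVOKER_MANIFEST),
        ("MyApp.exe", None),
    )
    for name, manifest in cases:
        print(name, "with manifest" if manifest else "no manifest", will_elevate(name, manifest))
```

Note that a manifest without a trustInfo element does not count: the heuristic only stands down when requestedExecutionLevel is actually present.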

Are you using an EXE compressor such as ASPack, by any chance? AV programs don't like compressed executables.


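Why a compressed EXE draws suspicion, as an added example (written for this page, not code from the thread or from any AV product): compressed or encrypted code is statistically close to random, so a cheap per-section entropy check is one of the first heuristics a scanner applies. The script parses the PE section table by hand, computes the Shannon entropy of each section's raw bytes and flags sections that are near-random or carry a section name associated with a packer. The 7.0 bits/byte threshold and the name list are assumptions chosen for this example; build_sample_pe() fabricates a minimal synthetic PE32 image so it runs offline, and that image is not a real executable.

```python
"""Per-section entropy check: the cheap "is this packed?" heuristic AV uses.

Added example for this thread, not code from the original post or any AV
product. ENTROPY_THRESHOLD and PACKER_SECTION_NAMES are assumptions for this
example; build_sample_pe() constructs a minimal synthetic image for testing.
"""
import math
import random
import struct
import sys
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # bits per byte; assumption
PACKER_SECTION_NAMES = {".aspack", ".adata", "upx0", "upx1"}  # assumption


def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image):
    """Yield (name, raw_offset, raw_size) for every section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt  # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, raw_ptr, raw_size


def analyse(image):
    """Return [(section name, entropy, suspicious)] for the image."""
    report = []
    for name, ptr, size in pe_sections(image):
        ent = shannon_entropy(image[ptr:ptr + size])
        suspicious = ent >= ENTROPY_THRESHOLD or name.lower() in PACKER_SECTION_NAMES
        report.append((name, round(ent, 2), suspicious))
    return report


def build_sample_pe(sections):
    """Constructed minimal PE32 image holding the given [(name, raw bytes)] sections."""
    size_opt = 0xE0  # PE32 optional header, left zeroed
    header_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    raw_base = (header_len + 0x1FF) & ~0x1FF  # first section at a 512-byte boundary
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    headers, bodies, ptr = b"", b"", raw_base
    for name, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                               len(data), ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data
        ptr += len(data)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + headers
    return image + bytes(raw_base - len(image)) + bodies


def sample_report():
    """Constructed image: a code-like section beside a packed-looking one."""
    rng = random.Random(2023)
    code = bytes(rng.choice(b"\x55\x8b\xec\x83\xc4\x5d\xc3\x00") for _ in range(4096))
    packed = bytes(rng.getrandbits(8) for _ in range(4096))
    return analyse(build_sample_pe([(".text", code), (".aspack", packed)]))


if __name__ == "__main__":
    # usage: python section_entropy.py MyApp.exe; with no argument the sample image is used
    rows = analyse(open(sys.argv[1], "rb").read()) if len(sys.argv) > 1 else sample_report()
    for name, ent, bad in rows:
        print(f"{name:<8} entropy={ent:5.2f} {'PACKED?' if bad else 'ok'}")
```

Run it against a build before and after packing and the difference is obvious: normal compiled code sits well below the threshold, while a packed section reads as noise. Shipping the uncompressed EXE removes that signal entirely.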
