Hi,
I don't know if I can post here, but here it goes.
I'm using Delphi 10.4.2
[Context]
I built a small application (23 MB) to query several databases using FireDAC (Oracle, SQL Server, MySQL, InterBase, Firebird and PostgreSQL for now; I might add support for other engines).
The application checks if there's an update and notifies the users. The first check is done after 5 minutes.
No database connection is done at startup.
The application is available in 32- and 64-bit.
[The problem]
I'm doing a pre-public release with some friends. I'm sending them the 32-bit version (compiled with Release, no debug, no MadExcept, all default release options).
I'm connecting to his computer using Remote Desktop, and I'm copying from my machine to his (copy/paste). Both are running Windows 10 Pro with the latest updates.
When the application is run the first time, Windows Defender pops up a screen notifying the user that some actions are taken to prevent infection. The program opens, runs (we can actually connect to the database and run some queries), and closes normally.
The application won't run a second time. Windows pops up a screen saying the application contains a virus, and shortly after, the application is deleted (quarantined).
Well, for fun I sent the 64-bit version (release, no debug, no MadExcept, all default options). Copied the same way (via RDP copy/paste) and the program ran smoothly. Windows Defender didn't detect a thing. And my friend connected to the databases he has and tested the program for hours without any problem. Closed and reopened it several times without any problems.
I recompiled the 32-bit version in debug mode (over 72 MB executable). Copied the same way and Windows Defender didn't detect anything. Again running for hours, querying against several databases...
I started changing some of the default Release options, and after setting [Runtime errors -> I/O checking] = false the 32-bit version behaved as expected.
I uploaded every version compiled on my machine to VirusTotal and nothing was detected (even the 32-bit version Windows Defender didn't like).
I uploaded every version copied to my friend's machine to VirusTotal and nothing was detected.
So I can assume it is a false positive... but that is a nasty Trojan!!
This is why I started this post with the context. Since it connects to databases and checks for updates, some antivirus might confuse those connections with a "trojan invasion". But, as I said, no communication is done at start time.
Is there anything I can do?
Has anyone had a problem like this one? (I'm not using any compressor, just a plain vanilla executable generated from the IDE.)
Thanks,
Clément
---------------------
Trojan:Script/Sabsik.TE.A!ml
Nível de alerta: Grave
Status: Active
Data: 01/09/2021 20:01
Categoria: Cavalo de Tróia (Trojan Horse)
Detalhes: Este programa é perigoso e executa os comandos de um invasor. (This application is dangerous and executes the commands of an invader.)
Itens afetados:
file: E:\Clement\ckwel.exe