stan rydzewski, posted February 12, 2022

Greetings. I briefly used Delphi at a job I had a few years ago. Well, just this week I had a desire to create some simple Windows forms programs for personal use. Seeking to avoid the overhead of .NET, I thought of Delphi. I downloaded the Community Edition and created a quick 'hello world' sort of program as a proof of concept. I made an exe of it which seems to run fine from Explorer. I went to send it to myself via Gmail to see if I could run it on a machine that didn't have Delphi installed. Gmail immediately flagged it as a virus!

Suspecting Gmail being at fault here, I uploaded the exe to VirusTotal and some of the scanners they use also thought it was suspicious. Here's the analysis:

https://www.virustotal.com/gui/file/2de98571dce1bb9627b2e754aca05d57961e89a93f0924f76bd51622a891d362/detection

Now, do I think there is a virus? No. Avast and Windows both think my machine is clean and I've added nothing to Delphi itself. I literally just downloaded it from Embarcadero and made this file with it. So I guess my question is more, can I control the make process in such a way as to remove the threatening behavior, which seems to involve stopping a Windows process. (Which sounds dodgy, I suppose, but maybe it's something Delphi does for debugging? You can read about why it is being flagged on the evaluation linked to above.)

I'd love to hear any thoughts on this. Thanks for reading.

Attila Kovacs, posted February 12, 2022 (edited)

don't use gmail for transferring exe's, there is no MTA in the world letting exe's through
use defender
move on

dummzeuch, posted February 12, 2022

I'm surprised that GMail actually lets you transfer any executable (or even zip file containing an executable). Last time I tried it simply refused to accept that attachment.

As for virus scanners flagging Delphi executables as viruses: That happens to me regularly and I got tired of trying to get these false positives to be removed. Good thing I'm not making my living from selling software.

qubits, posted February 12, 2022

Nothing new, used to be Norton and McAfee that would mess with ALL Delphi apps, haven't seen any troubles with the big ones in a while. It's only a few that have their patterns wrong, I wouldn't worry, anti-virus is a double-edged sword, cuts both ways sometimes. If it does affect you, then contact the anti-virus makers and get them straight.

Rename your exe to .txt and then zip it up, just maybe it might get through email, but it's a big maybe, easier to drop it in some cloud storage.

PaPaNi, posted February 12, 2022 (edited)

I would first make sure that the WMIADAP.EXE is not a virus. This file is mentioned on your link to Virustotal.com (tab Behavior):

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

But as written here: https://www.howto-connect.com/fix-wmiadap-exe-windows-10/

"If you find that it is located in the following directory then it is not a malware and the system is safe." C:\Windows\System32\wbem\files

And other sites often write:

"Some malware camouflages itself as WMIADAP.exe, particularly when located in the C:\Windows or C:\Windows\System32 folder. Therefore, you should check the WMIADAP.exe process on your PC to see if it is a threat"

PaPaNi, posted February 12, 2022

5 hours ago, dummzeuch said:
> I'm surprised that GMail actually lets you transfer any executable (or even zip file containing an executable). Last time I tried it simply refused to accept that attachment.
> As for virus scanners flagging Delphi executables as viruses: That happens to me regularly and I got tired of trying to get these false positives to be removed. Good thing I'm not making my living from selling software.

I just tried a few options right now. As an example, I tried to send the file ss.exe (this is an installation file of one program, CodeStuff Starter, but it is not important. Important here is the filename and extension).

1. sending ss.exe - doesn't work. It's not allowed to send: ADE, ADP, APK, APPX, APPXBUNDLE, BAT, CAB, CHM, CMD, COM, CPL, DLL, DMG, EX, EX_, EXE, HTA, INS, ISP, ISO, JAR, JS, JSE, LIB, LNK, MDE, MSC, MSI, MSIX, MSIXBUNDLE, MSP, MST, NSH, PIF, PS1, SCR, SCT, SHB, SYS, VB, VBE, VBS, VXD, WSC, WSF, WSH.
2. renaming executable into ss.dat - doesn't work
3. "zipping" executable - ss.zip - doesn't work
4. renaming into ss.dat and "zipping" - doesn't work
5. "zipping" and splitting executable - we have 4 files now: ss.z01, ss.z02, ss.z03 and ss.zip - doesn't work
6. renaming into ss.dat, "zipping" and splitting - again 4 files: ss.z01, ss.z02, ss.z03 and ss.zip - doesn't work
6.1. I tried also using format RAR for archiving (with all modifications like before - renaming, splitting etc.) - doesn't work
6.2. I tried to put an archive into an archive - doesn't work - "nested" archives are not allowed
7. open StarterSetup.exe with HxD and replace first "M" => "N" - doesn't work
8. open StarterSetup.exe with HxD and replace first "M" => "N" and now rename file into ss.dat - IT WORKS!!! Later, open the received file again and replace "N" => "M" => we have our executable again.

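The test results in the post above suggest the attachment check looks at the file's leading bytes as well as its extension. As an added example (not part of any post in this thread, and not Gmail's actual logic, which the thread does not show), here is a content-based check a mail or upload filter could apply: it follows the DOS header's e_lfanew field to the PE signature, so a Windows executable is still recognized after a rename or a change to its first byte. The function names and the sample buffer are constructed for illustration.

```python
import struct

PE_SIG = b"PE\x00\x00"

def pe_header_offset(data: bytes):
    """Return e_lfanew if it points at a PE signature inside the buffer, else None."""
    if len(data) < 0x40:                      # too short to hold a DOS header
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):              # pointer runs past the end of the file
        return None
    return e_lfanew if data[e_lfanew:e_lfanew + 4] == PE_SIG else None

def classify(name: str, data: bytes) -> str:
    """Classify an attachment by content first, extension second."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    has_mz = data[:2] == b"MZ"
    has_pe = pe_header_offset(data) is not None
    if has_mz and has_pe:
        return "executable" if ext == "exe" else "executable-renamed"
    if has_pe:
        # PE signature reachable via e_lfanew although the "MZ" magic is gone
        return "executable-altered-magic"
    return "not-pe"

def make_sample() -> bytes:
    """Constructed 128-byte buffer: DOS header with e_lfanew=0x40, PE signature at 0x40."""
    buf = bytearray(0x80)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = PE_SIG
    return bytes(buf)

if __name__ == "__main__":
    sample = make_sample()
    altered = b"N" + sample[1:]               # first byte changed, rest intact
    for name, data in [("ss.exe", sample), ("ss.dat", sample),
                       ("ss.dat", altered), ("notes.txt", b"hello" * 20)]:
        print(f"{name:10} {classify(name, data)}")
```
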
Dale M, posted February 13, 2022

9 hours ago, stan rydzewski said:
> Now, do I think there is a virus? No. Avast and Windows both think my machine is clean and I've added nothing to Delphi itself. I literally just downloaded it from Embarcadero and made this file with it. So I guess my question is more, can I control the make process in such a way as to remove the threatening behavior, which seems to involve stopping a Windows process. (Which sounds dodgy, I suppose, but maybe it's something Delphi does for debugging? You can read about why it is being flagged on the evaluation linked to above.)
> I'd love to hear any thoughts on this. Thanks for reading.

This thread may be of interest to you -

PeterBelow, posted February 13, 2022

20 hours ago, stan rydzewski said:
> Greetings. I briefly used Delphi at a job I had a few years ago. Well, just this week I had a desire to create some simple Windows forms programs for personal use. Seeking to avoid the overhead of .NET, I thought of Delphi. I downloaded the Community Edition and created a quick 'hello world' sort of program as a proof of concept. I made an exe of it which seems to run fine from Explorer. I went to send it to myself via Gmail to see if I could run it on a machine that didn't have Delphi installed. Gmail immediately flagged it as a virus!

I had a similar problem with Delphi Alexandria, McAfee would detect a freshly built Win32 debug EXE as virus and quarantine it before I could debug it under the IDE, but it would not flag the 32 bit release version of the same program and neither 64 bit debug or release versions.

By the way: to send an EXE through a mail server put it into a ZIP file and password-protect that. The encryption done will make a virus scanner ignore it since it cannot identify the zipped file as executable. Some particularly paranoid mail servers will reject password-protected zip files for this reason, though.

PaPaNi, posted February 13, 2022 (edited)

50 minutes ago, PeterBelow said:
> I had a similar problem with Delphi Alexandria, McAfee would detect a freshly built Win32 debug EXE as virus and quarantine it before I could debug it under the IDE, but it would not flag the 32 bit release version of the same program and neither 64 bit debug or release versions.
> By the way: to send an EXE through a mail server put it into a ZIP file and password-protect that. The encryption done will make a virus scanner ignore it since it cannot identify the zipped file as executable. Some particularly paranoid mail servers will reject password-protected zip files for this reason, though.

I tried right now to put an EXE into a ZIP and to send it with Gmail. It doesn't work for me. As I understood, it is not allowed to send password-protected zip files. I can't show a screenshot, because the text of the hint is not in English.

dummzeuch, posted February 13, 2022

Welcome to assisted emailing, a new service brought to you by the people who invented the seat belt beep.

jsjr, posted February 13, 2022

Couldn't determine the cause from the link but have heard that some bad guys use Delphi to create bad things and so heuristic virus checkers sometimes infer an image as similar to another bad thing... have experienced that with our products.

stan rydzewski, posted February 15, 2022

Thanks everyone for the replies. I'm 99% sure all is well but I think to be totally sure I'll copy the source files to a different machine and see if the same thing happens from there.

Remy Lebeau, posted February 15, 2022

On 2/13/2022 at 3:21 AM, PeterBelow said:
> I had a similar problem with Delphi Alexandria, McAfee would detect a freshly built Win32 debug EXE as virus and quarantine it before I could debug it under the IDE

This is why you should configure your AntiVirus/AntiMalware to ignore compiler output folders as exceptions.

aehimself, posted February 15, 2022

On 2/13/2022 at 12:21 PM, PeterBelow said:
> I had a similar problem with Delphi Alexandria, McAfee would detect a freshly built Win32 debug EXE as virus

Issue is not Delphi Alexandria but that piece of ga... wonderful McAfee. I remember removing viruses by hand from multiple servers because the freshly updated McAfee failed to recognize a ~5 yo worm. We knew it worked because it always quarantined our patching tool.

At work ESET, at home M$ Defender (AntiMalware, Security... idk how it's called nowadays) works just fine. The only reason we excluded Delphi executables is to speed up the building process on dev PCs.

David Schwartz, posted February 15, 2022

I gave up trying to send these files via email ages ago. Most MTAs have squeezed down the size of attachments they'll deliver to 25MB, which even makes sending PPTs and some PDFs dicey. Most places I've worked really crank down on this stuff, and insist everything be sent using links to things in SharePoint or version control.

Personally, I use Dropbox to host files and send links to folders or files there. Some places block Dropbox, some block all outside URLs. So you finagle the text so it doesn't recognize it as a URL.

Curiously, a lot of places I've worked at that have ridiculously tight security have no problem letting you access Dropbox directly in your browser, and some even allow you to run the Dropbox app on the computer.

PeterBelow, posted February 15, 2022

8 hours ago, Remy Lebeau said:
> This is why you should configure your AntiVirus/AntiMalware to ignore compiler output folders as exceptions.

If I only could; McAfee removed that ability some years ago, one can only exempt specific EXEs now, and that is automatically removed if the EXE changes. I would not recommend McAfee for developer PCs for this reason, although it is a good product otherwise, IMO (a bit pricey, though). I can live with it since I don't program for a living and these false detections are rare.

Remy Lebeau, posted February 16, 2022

On 2/15/2022 at 3:49 AM, PeterBelow said:
> McAfee removed that ability some years ago

I never liked McAfree.

Guest, posted February 17, 2022

Kaspersky IS 2020/21/22 (last updates) does it too! Just put the output folder on restriction and "almost all" goes right. ... sometiiiiiiiiiimes, ... can fail too.