stan rydzewski

Virus? How odd.


Greetings.

I briefly used Delphi at a job I had a few years ago. Well, just this week I had a desire to create some simple Windows forms programs for personal use. Seeking to avoid the overhead of .NET, I thought of Delphi.

I downloaded the Community Edition and created a quick 'hello world' sort of program as a proof of concept. I made an EXE of it which seems to run fine from Explorer.

I went to send it to myself via Gmail to see if I could run it on a machine that didn't have Delphi installed. Gmail immediately flagged it as a virus!

Suspecting Gmail of being at fault here, I uploaded the EXE to VirusTotal and some of the scanners they use also thought it was suspicious. Here's the analysis: https://www.virustotal.com/gui/file/2de98571dce1bb9627b2e754aca05d57961e89a93f0924f76bd51622a891d362/detection

Now, do I think there is a virus? No. Avast and Windows both think my machine is clean and I've added nothing to Delphi itself. I literally just downloaded it from Embarcadero and made this file with it. So I guess my question is more: can I control the make process in such a way as to remove the threatening behavior, which seems to involve stopping a Windows process? (Which sounds dodgy, I suppose, but maybe it's something Delphi does for debugging?) You can read about why it is being flagged on the evaluation linked to above.

I'd love to hear any thoughts on this. Thanks for reading.


Don't use Gmail for transferring EXEs; there is no MTA in the world letting EXEs through.

Use Defender.

Move on.

Edited by Attila Kovacs

I'm surprised that GMail actually lets you transfer any executable (or even zip file containing an executable). Last time I tried it simply refused to accept that attachment.

 

As for virus scanners flagging Delphi executables as viruses: That happens to me regularly and I got tired of trying to get these false positives to be removed. Good thing I'm not making my living from selling software.


Nothing new; it used to be Norton and McAfee that would mess with ALL Delphi apps. I haven't seen any troubles with the big ones in a while.

It's only a few that have their patterns wrong. I wouldn't worry; anti-virus is a double-edged sword, it cuts both ways sometimes.

If it does affect you, then contact the anti-virus makers and get them straight.

Rename your EXE to .txt and then zip it up; just maybe it might get through email, but it's a big maybe. It's easier to drop it in some cloud storage.


I would first make sure that the WMIADAP.EXE is not a virus. This file is mentioned on your link to VirusTotal.com (tab Behavior):

\\?\C:\Windows\system32\wbem\WMIADAP.EXE

But as written here:

https://www.howto-connect.com/fix-wmiadap-exe-windows-10/

"If you find that it is located in the following directory then it is not a malware and the system is safe."
C:\Windows\System32\wbem\files

And other sites often write:
"Some malware camouflages itself as WMIADAP.exe, particularly when located in the C:\Windows or C:\Windows\System32 folder. Therefore, you should check the WMIADAP.exe process on your PC to see if it is a threat"

Edited by PaPaNi

5 hours ago, dummzeuch said:

I'm surprised that GMail actually lets you transfer any executable (or even zip file containing an executable). Last time I tried it simply refused to accept that attachment.

 

As for virus scanners flagging Delphi executables as viruses: That happens to me regularly and I got tired of trying to get these false positives to be removed. Good thing I'm not making my living from selling software.

I just tried a few options right now. As an example, I tried to send the file ss.exe (this is an installation file of one program, CodeStuff Starter, but it is not important. Important here are the filename and extension.)

1. Sending ss.exe - doesn't work. It's not allowed to send: ADE, ADP, .APK, APPX, APPXBUNDLE, BAT, CAB, CHM, CMD, COM, CPL, DLL, DMG, EX, EX_, EXE, HTA, INS, ISP, ISO, JAR, JS, JSE, LIB, LNK, MDE, MSC, MSI, MSIX, MSIXBUNDLE, MSP, MST, NSH, PIF, PS1, SCR, SCT, SHB, SYS, VB, VBE, VBS, VXD, WSC, WSF, WSH.

2. Renaming the executable to ss.dat - doesn't work.

3. "Zipping" the executable - ss.zip - doesn't work.

4. Renaming to ss.dat and "zipping" - doesn't work.

5. "Zipping" and splitting the executable - we have 4 files now: ss.z01, ss.z02, ss.z03 and ss.zip - doesn't work.

6. Renaming to ss.dat, "zipping" and splitting - again 4 files: ss.z01, ss.z02, ss.z03 and ss.zip - doesn't work.

6.1. I also tried using the RAR format for archiving (with all modifications like before - renaming, splitting etc.) - doesn't work.

6.2. I tried to put an archive into an archive - doesn't work - "nested" archives are not allowed.

7. Open StarterSetup.exe with HxD and replace the first "M" => "N" - doesn't work.

8. Open StarterSetup.exe with HxD and replace the first "M" => "N" and now rename the file to ss.dat - IT WORKS!!!

Later, open the received file again and replace "N" => "M" => we have our executable again.

 

 

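An added illustration, not code from anyone in this thread, of why renaming alone (step 2 above) does not get past a content-aware mail gateway while only the header edit in step 8 slips past a check that looks at the first two bytes alone: the toy gateway below blocks by extension first and then sniffs the bytes for the MZ/PE layout, following e_lfanew to the PE signature so that a file with an edited first byte is still recognised as an executable. It is an assumption that Gmail works along these lines (archives are not modelled); the sample bytes are constructed and the extension set is a subset of the list quoted in step 1.

```python
import struct

# Subset of the extensions Gmail listed in step 1 of the experiment above.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "bat", "cmd", "com", "msi", "ps1", "js"}

def build_sample_pe() -> bytes:
    """Constructed sample: an MZ stub whose e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature. Not a runnable program, only the header layout."""
    stub = bytearray(0x40)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> 0x40
    return bytes(stub) + b"PE\0\0" + b"\0" * 20   # signature + padding

# Constructed harmless attachment, longer than 0x40 bytes so the same checks run on it.
PLAIN_TEXT = b"Hello from a harmless text attachment. Nothing executable in here at all.\r\n"

def classify(data: bytes) -> str:
    """Content-based verdict: 'pe', 'pe-damaged-magic' or 'other'.
    Follows the DOS header's e_lfanew to the PE signature, so a file whose
    first bytes were edited (step 8 above) is still recognised."""
    if len(data) < 0x40:
        return "other"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    has_pe_sig = (e_lfanew + 4 <= len(data)
                  and data[e_lfanew:e_lfanew + 4] == b"PE\0\0")
    if data[:2] == b"MZ" and has_pe_sig:
        return "pe"
    if has_pe_sig:
        return "pe-damaged-magic"
    return "other"

def should_block(filename: str, data: bytes) -> tuple:
    """Gateway decision: extension blocklist first, then content sniffing.
    Renaming (step 2) changes only the name; the bytes still classify as a PE."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return True, "blocked extension ." + ext
    verdict = classify(data)
    if verdict != "other":
        return True, "content looks like a Windows executable (" + verdict + ")"
    return False, "allowed"

if __name__ == "__main__":
    samples = [("ss.exe", build_sample_pe()), ("ss.dat", build_sample_pe()),
               ("ss.dat", b"N" + build_sample_pe()[1:]), ("notes.txt", PLAIN_TEXT)]
    for name, data in samples:
        print(name, should_block(name, data))
```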
9 hours ago, stan rydzewski said:

Now, do I think there is a virus?  No.  Avast and windows both think my machine is clean and I've added nothing to delphi itself.  I literally just downloaded it from embarcadero and made this file with it.  So I guess my question is more, can I control the make process in such as way as to remove the threatening behavior, which seems to involved stopping a windows process.  (Which sounds dodgy, I suppose, but maybe it's something Delphi does for debugging?)  You can read about why it is being flagged  on the evaluation linked to above.)

 

I'd love to hear any thoughts on this.  Thanks for reading.

This thread may be of interest to you - 

 

20 hours ago, stan rydzewski said:

Greetings.

I briefly used Delphi at a job I had a few years ago. Well, just this week I had a desire to create some simple Windows forms programs for personal use. Seeking to avoid the overhead of .NET, I thought of Delphi.

I downloaded the Community Edition and created a quick 'hello world' sort of program as a proof of concept. I made an EXE of it which seems to run fine from Explorer.

I went to send it to myself via Gmail to see if I could run it on a machine that didn't have Delphi installed. Gmail immediately flagged it as a virus!

I had a similar problem with Delphi Alexandria: McAfee would detect a freshly built Win32 debug EXE as a virus and quarantine it before I could debug it under the IDE, but it would not flag the 32-bit release version of the same program, nor the 64-bit debug or release versions.

By the way: to send an EXE through a mail server, put it into a ZIP file and password-protect that. The encryption will make a virus scanner ignore it, since it cannot identify the zipped file as an executable. Some particularly paranoid mail servers will reject password-protected zip files for this reason, though.

50 minutes ago, PeterBelow said:

I had a similar problem with Delphi Alexandria: McAfee would detect a freshly built Win32 debug EXE as a virus and quarantine it before I could debug it under the IDE, but it would not flag the 32-bit release version of the same program, nor the 64-bit debug or release versions.

By the way: to send an EXE through a mail server, put it into a ZIP file and password-protect that. The encryption will make a virus scanner ignore it, since it cannot identify the zipped file as an executable. Some particularly paranoid mail servers will reject password-protected zip files for this reason, though.

I tried right now to put the EXE into a ZIP and send it with Gmail. It doesn't work for me.

As I understood it, it's not allowed to send password-protected zip files. I can't show a screenshot, because the text of the hint is not in English.

Edited by PaPaNi


Welcome to assisted emailing, a new service brought to you by the people who invented the seat belt beep.


Couldn't determine the cause from the link, but I have heard that some bad guys use Delphi to create bad things, and so heuristic virus checkers sometimes infer an image as similar to another bad thing... have experienced that with our products.


Thanks everyone for the replies. I'm 99% sure all is well, but I think to be totally sure I'll copy the source files to a different machine and see if the same thing happens from there.

On 2/13/2022 at 3:21 AM, PeterBelow said:

I had a similar problem with Delphi Alexandria, McAfee would detect a freshly build Win32 debug EXE as virus and quarantine it before I could debug it under the IDE

This is why you should configure your AntiVirus/AntiMalware to ignore compiler output folders as exceptions.

 

On 2/13/2022 at 12:21 PM, PeterBelow said:

I had a similar problem with Delphi Alexandria, McAfee would detect a freshly build Win32 debug EXE as virus

The issue is not Delphi Alexandria but that piece of ga... wonderful McAfee.

I remember removing viruses by hand from multiple servers because the freshly updated McAfee failed to recognize a ~5-year-old worm. We knew it worked because it always quarantined our patching tool.

At work ESET, at home M$ Defender (AntiMalware, Security... idk how it's called nowadays) works just fine. The only reason we excluded Delphi executables is to speed up the building process on dev PCs.


I gave up trying to send these files via email ages ago. Most MTAs have squeezed down the size of attachments they'll deliver to 25MB, which even makes sending PPTs and some PDFs dicey.

Most places I've worked really crank down on this stuff, and insist everything be sent using links to things in SharePoint or version control.

Personally, I use Dropbox to host files and send links to folders or files there. Some places block Dropbox, some block all outside URLs. So you finagle the text so it doesn't recognize it as a URL.

Curiously, a lot of places I've worked at that have ridiculously tight security have no problem letting you access Dropbox directly in your browser, and some even allow you to run the Dropbox app on the computer.

8 hours ago, Remy Lebeau said:

This is why you should configure your AntiVirus/AntiMalware to ignore compiler output folders as exceptions.

 

If only I could; McAfee removed that ability some years ago. One can only exempt specific EXEs now, and that is automatically removed if the EXE changes. I would not recommend McAfee for developer PCs for this reason, although it is a good product otherwise, IMO (a bit pricey, though). I can live with it since I don't program for a living and these false detections are rare.

On 2/15/2022 at 3:49 AM, PeterBelow said:

McAfee removed that ability some years ago

I never liked McAfee.

Guest

Kaspersky IS 2020/21/22 (last updates) does it too!

Just put the output folder on restriction and "almost all" goes right.

... sometiiiiiiiiiimes, ... can fail too.
