Accidentally created a virus?

Question

I\'ve seen it happen reasonably often: I write an application in Delphi and when I compile it, the virus-scanner tells me that I\'ve created a virus and then immediately del

Answer 1

Do these false positives also occur with other compilers?

Yes, this is has been a common problem in the past for AutoIt as addressed in this forum post "Are my AutoIt EXEs really infected?". In most cases including AutoIt it stems from poor heuristic practices. Since AutoIt uses the free and open UPX compressor, it is often mistaken for malicious code that also uses UPX.

The best (and possibly only) thing you can do is report these mistakes, so they can refine their heuristics or at least white list your app.

Below is a list of contact information for some popular anti-virus companies. They all claim to appreciate submissions as it helps them make their product better.

• AntiVir - Contact
• A2 (A-Squared) - Contact (email address)
• Avast! - Contact
• AVG - Contact
• BitDefender - Contact
• BullGuard - Contact
• CA Anti-Virus - Contact
• ClamAV - Contact
• ClamWin - Contact
• Comodo - Contact
• ESET's Nod32 - Contact
• eSafe - Contact (login required)
• Fortinet - Contact
• F-PROT - Contact
• F-Secure - Contact
• G-Data - Contact
• Kaspersky - Contact
• McAfee - Contact (email address)
• Norman - Contact (email address)
• Panda Anti-Virus - Contact
• Sophos - Contact
• Symantec (Norton) - Contact
• Vipre - Contact
• Windows Live OneCare - Contact
• ZoneLabs - Contact

Turns out there is a great list of AV software on wikipedia, called 'List of antivirus software'. It is more complete than my list above.

A member of the Autoit Forums made a great script to e-mail a false positive to a huge list of AV vendors to automate this process a bit.

Answer 2

I've only seen this happen with assemblers. For example, MASM32 actually warns people that it might trigger virus scanners since the EXEs are so small (and/or some viruses are written in assembly). My McAfee scanner flagged some of the example programs as viruses.

This should only happen for virus scanners that have a "looks suspicious" analysis mode.

Answer 3

It happened to me too. Hooking keyboard will trigger almost any heuristic scanning AV software to report a key logger. There are probably many other system calls which will trigger it too. Solution - try to redesign your code or contact the AV manufacturer to include your software into exception list.

Answer 4

I've had it happen to me with deployed code. The next update to the scanner solved the problem. Some cretin wrote a virus using the same compiler and the signature was part of the runtime library, not actually in the hostile code.

Answer 5

Some antivirus programs even flag a batch file as a virus and can't be convinced that it isn't. Quite annoying, if that file is part of a third party library and the virus warning is triggered every time TortoiseSVN checks it out. I ended up disabling the virus scanner, deleting the file and doing a commit. (Without disabling the scanner, I could not even do that :-( )