Antivirus false positive on my executable

Posted 2024-09-11 04:09:28 · 463 characters · 13 views · 0 comments

I just ran into an annoying problem. Suddenly Avira AntiVir started to flag one executable from my software as being a virus.

As the default action from almost any user is to click OK, and Avira suggests putting the virus in quarantine, most of my users are deleting this executable.

Well, let's not be arrogant and check whether I'm not infected indeed. I posted the file to http://www.virustotal.com and, of all the antivirus engines, only Avira flags it as infected. Furthermore I scanned my computer with two different antivirus products and it is clean.

I already posted a mail to my users explaining what is happening but this is an overhead to my support that I really don't want.

OK, the question is: Is there a way to avoid this kind of behavior? I can't think of any other way than signing the files (I don't really know if it would solve it), but let's see if you have any creative idea.


6 comments

坠似风落 2024-09-18 04:09:28

It is surprisingly common that Delphi applications are reported as (potentially) harmful by AV applications. It happened to me a while ago, using Delphi 2009, see http://en.wikipedia.org/wiki/Wikipedia:Reference_desk/Archives/Computing/2010_March_20#Delphi.2FAVG_Issue.

At SO, we also have

and many more.

It might be the actual Induc Virus. But most likely, it is a false positive.

固执像三岁 2024-09-18 04:09:28

Andreas's answer is excellent; it just happens a lot to Delphi applications.

Signing code doesn't make any difference -- I've had NOD32 throw false positives on signed Delphi code.

If there were any techniques that would avoid false positives, virus authors would use them to avoid detection.

I've found the best course of action is, unfortunately, reactive rather than proactive. All AV vendors have a facility to report false positives, and I've found them to be responsive to reports.

与风相奔跑 2024-09-18 04:09:28

Many honest developers have problems because of careless antivirus software.
See this also: How to prevent false positive virus alarm on my software?

Imagine that for each false positive they show, you lose a possible customer. Programmers should take action against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them.

Update:
Recently I have observed that:

  • The number of false positives on VirusTotal.com is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) than when it is compiled in 'Debug mode'.
  • Detection sky rockets when EurekaLog is used.

So, submit to VirusTotal before you publish your program!


Update 2019:
Unfortunately, InnoSetup is not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 programs reported a false positive! Update on the update: now the number of false positives has grown to 9!

笑饮青盏花 2024-09-18 04:09:28

As a solution, you may want to:

1 - Verify your Delphi compiler is not infected
2 - Verify your sources and libraries are not tampered with (that was the M.O. of the Induc Virus)
3 - Check your (guaranteed) clean exe with the AVs. If they report a false positive, contact them so they can fix their tests.

4 - If you need to distribute before there is a chance to correct the AVs, sign your exe, so that your users can verify it is clean.
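Steps 1 and 2 above amount to an integrity check of the build toolchain. The following is an added example, not code from the answer: a Python baseline-and-verify script that hashes every file under the compiler directory on a known-clean install and later reports modified, missing or added files. The directory layout and file names used in the demo (bin/dcc32.exe, source/rtl/SysConst.pas) are constructed placeholders, not a real install.

```python
"""Baseline-and-verify integrity check for a compiler and library tree."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Run this on a known-clean install and keep the result out of the build tree."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest: dict) -> dict:
    """Compare the tree with the trusted manifest; report modified, missing and added files."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "added": sorted(f for f in current if f not in manifest),
    }


def demo() -> dict:
    """Constructed stand-in for a compiler install tree; the paths are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "source" / "rtl").mkdir(parents=True)
        (root / "bin" / "dcc32.exe").write_bytes(b"MZ constructed compiler stub")
        (root / "source" / "rtl" / "SysConst.pas").write_text("unit SysConst;\nend.\n")
        baseline = build_manifest(root)  # taken while the tree is known to be clean
        # Simulate tampering: a library unit is rewritten and an unexpected unit appears.
        with open(root / "source" / "rtl" / "SysConst.pas", "a") as f:
            f.write("{ injected }\n")
        (root / "source" / "rtl" / "Extra.pas").write_text("unit Extra;\nend.\n")
        return verify_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Any non-empty "modified" or "added" entry means the toolchain is not the one you baselined and the resulting exe should not be shipped until that is explained.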

萌辣 2024-09-18 04:09:28

There are several reasons why an antivirus product might trigger on a Delphi-produced exe; a few common ones are:

  • Lots of viruses are written in Delphi and therefore your exe might have some code parts that look the same as existing viruses.
  • The import table of your program is used to determine what your exe might do; for instance, linking to Credentials Management or Disk Management functions triggers some AVs.

As suggested before, try scanning your release version with online services such as Virustotal or Jotti, and always report your false positives to vendors instead of trying to prevent being a false positive. My experience is that AV vendors react quite fast to submissions.

决绝 2024-09-18 04:09:28

In Free Pascal/Lazarus groups and bugtracker, such messages happen nearly every release and/or month.

We generally advise users to ignore all "generic" or "heuristic" scanning types and stick to signature-based scanning (as most corporate virus scanners do).

This is because it is nearly always a heuristic alarm, never specific malware. This can be readily seen in the fact that the detected "virus/trojan" is nearly always of the "generic" type. Usually the virus scanners are also typical "home" virus scanners, or home editions of general virus scanners (Norton used to be particularly bad; nowadays it is mostly the smaller-scale "cheap" home-use scanners).

However, we communicate mostly with developers, and already have trouble getting this message across. I can imagine that, when distributing to clueless end-users, this is a really difficult message to communicate.

Still, there is no other way.
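The last two answers both come down to the same triage: scan the release build with a multi-engine service, check whether the hits are generic/heuristic labels or named families, and send false-positive reports to the vendors concerned. The following is an added example, not code from any of the answers, that does that triage over a report dictionary. The report and its engine labels are constructed sample data, and the keyword list is an assumption about how vendors name heuristic verdicts.

```python
"""Split a multi-engine scan report into heuristic labels and named detections."""
import re

# Constructed VirusTotal-style report for a clean build: engine -> label (None = clean).
SAMPLE_REPORT = {
    "Avira": "TR/Crypt.XPACK.Gen",
    "Avast": "Win32:Evo-gen [Susp]",
    "BitDefender": "Gen:Variant.Ursu.1234",
    "ESET-NOD32": None,
    "Kaspersky": None,
    "Microsoft": None,
    "Sophos": None,
}

# Tokens that mark a generic/heuristic verdict rather than a named malware family
# (assumed list; extend it with the naming conventions of the engines you see).
HEURISTIC_RE = re.compile(
    r"(?:^|[.:/_\- \[])(gen|generic|heur|heuristic|susp|suspicious|unsafe|variant)"
    r"(?:[.:/_\- \]]|$)",
    re.IGNORECASE,
)


def is_heuristic(label: str) -> bool:
    """True when the label names a generic/heuristic class instead of a specific family."""
    return HEURISTIC_RE.search(label) is not None


def triage(report: dict) -> dict:
    """Classify each detection and produce a verdict plus the vendors to contact."""
    detections = {engine: label for engine, label in report.items() if label}
    heuristic = sorted(e for e, l in detections.items() if is_heuristic(l))
    specific = sorted(e for e, l in detections.items() if not is_heuristic(l))
    if specific:
        # A named family from a signature engine deserves a real investigation first.
        verdict = "investigate: named detections from " + ", ".join(specific)
    elif heuristic:
        verdict = "likely false positive: %d/%d engines, all generic/heuristic labels" % (
            len(detections), len(report))
    else:
        verdict = "clean"
    return {"engines": len(report), "detections": detections, "heuristic": heuristic,
            "specific": specific, "verdict": verdict, "report_to": heuristic}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print("%-10s %s" % (key, value))
```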
