How to prevent false positive virus alarms on my software?
Possible Duplicate:
Antivirus False positive in my executable
Until now, I have had over 15 false virus alarms for my programs. Most of them were from Kaspersky, which ALWAYS reports the same virus: Trojan-GameThief.Win32.Lmir.pcd.
There are 3 questions:
- Why does it appear?
- How to prevent it?
- How to detect it?
For the first question, because it always detects the same virus, I guess it is because of one of the routines that I use in all my programs. But which one exactly, I don't know.
For the second question I was thinking about modifying the program just a bit and recompiling it, just enough to change its code so the antivirus will not recognize it anymore, and releasing the new version.
The third question is the most difficult one. How to check ALL my programs against ALL antivirus programs in the world?
Update:
Does anybody know how this issue can be handled legally? It seems that many Delphi developers have the same problem. The reckless antivirus companies make money on our backs by showing lots of false positive alarms, making their customers think they are safe when there was actually no danger. While we are losing customers, they are making customers.
I informed the antivirus company about the problem but they fix it only for that specific version. Next time I release an update, the false alarm appears again. They just don't care.
Many honest developers have problems because of careless antivirus software.
See this also: How to prevent false positive virus alarm on my software?
Maybe we can unite against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them.
We should sign a petition to let them know that we don't accept this anymore.
Update 2017
* Last week my program had a detection ratio of close to 50% on VirusTotal. I deleted a single line of code and magically the detection dropped to 2 out of 61 (antiviruses). It is amazing how randomly these antivirus products behave.
* Detection is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) than when it is compiled in 'Debug mode'.
* Detection skyrockets when EurekaLog is used.
Update 2019
It is almost 9 years later and not much has improved.
Unfortunately, InnoSetup is not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 programs reported a false positive!
Conclusion:
- At the end of the day upload your exe file to VirusTotal. If the detection ratio suddenly jumps, review the changes you have done in your code and remove the "harmful" ones.
- Use WinRar 3 as the installer. It raises fewer flags than WinRar 5 or InnoSetup.
First, make sure that you do not have the Win32.Induc Delphi virus, which changes SysConst.dcu so that applications you compile will be infected.
Use #3 to narrow down what in your code is causing the false positive. API calls which change process memory will trigger heuristic scanners. Even including the names of some of the API functions (such as WriteProcessMemory) will trigger a scanner. Make changes to a test application and submit to #3 until you narrow the problem down. If you use a packer, then the AV software will probably unpack it anyway, but test with and without packing.
Will depend on #1.
Virustotal is used by virus developers to check their virus is not detected, so Virustotal will send any test file to the anti-virus people for analysis. There used to be an option to switch this off, but it was removed several years ago. This can make the problem worse for you if you submit an application multiple times, so I would recommend using http://virusscan.jotti.org/ for your initial testing.
3rd question: There is a website called VirusTotal which scans files with lots of antivirus engines. They have an API, so you can make this part of your build process.
Also, some similar questions might help:
Antivirus False positive in my executable
Virus in Delphi 7
https://stackoverflow.com/questions/3534050/my-software-is-not-a-virus-what-should-i-do (Snapshot of deleted question)
Accidentally created a virus?
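The build-step idea from the second answer, combined with the first answer's caveat that every submission is shared with the vendors, as an added example that is not code from the question or from either answer. It looks the artifact up by SHA-256 instead of uploading it, reads the detection counts from the report, and fails the build when the flagged count jumps over the last known-good build (the asker's "if the detection ratio suddenly jumps" check). The VirusTotal v3 file-report endpoint, the `x-apikey` header and the `last_analysis_stats` field shape are assumed from the public API documentation; the `VT_API_KEY` variable, the thresholds and the sample reports are constructed for this example.

```python
"""Added example (not from the question or either answer): gate a build on
its VirusTotal detection ratio by looking up the artifact's SHA-256.

Assumptions: VirusTotal API v3 file-report endpoint and the shape of the
`last_analysis_stats` field as publicly documented; the API key is read
from the VT_API_KEY environment variable (a name chosen for this example).
"""
import hashlib
import json
import os
import sys
import urllib.request

# Assumed v3 endpoint. A hash lookup (GET) returns an existing report and does
# NOT upload the file, so this step does not share the binary with vendors.
VT_FILE_REPORT = "https://www.virustotal.com/api/v3/files/{sha256}"

# Verdict buckets that count as an engine having actually examined the file.
VERDICT_KEYS = ("malicious", "suspicious", "undetected", "harmless")


def sha256_of_file(path):
    """Stream the file through SHA-256 so large installers are not read into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256, api_key):
    """Fetch the existing report for a hash (an HTTP 404 means never scanned)."""
    req = urllib.request.Request(
        VT_FILE_REPORT.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def detection_ratio(report):
    """Return (flagged, total) engine counts from a v3 file report."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(key, 0) for key in VERDICT_KEYS)
    return flagged, total


def should_fail_build(flagged, total, baseline_flagged, max_increase=2):
    """Fail when the flagged count rose by more than max_increase over the
    last known-good build, or when more than a quarter of engines flag it."""
    if total == 0:
        return False  # no engine verdicts yet: nothing to judge
    jumped = flagged - baseline_flagged > max_increase
    widespread = flagged * 4 > total
    return jumped or widespread


# Constructed sample reports (not real VirusTotal output). The counts mirror
# the asker's "2 out of 61" and "close to 50%" observations.
SAMPLE_REPORT_OK = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 2, "suspicious": 0, "undetected": 59, "harmless": 0,
    "timeout": 0, "type-unsupported": 4}}}}
SAMPLE_REPORT_BAD = {"data": {"attributes": {"last_analysis_stats": {
    "malicious": 28, "suspicious": 2, "undetected": 31, "harmless": 0,
    "timeout": 0, "type-unsupported": 4}}}}


def main(argv):
    if len(argv) != 3:
        print("usage: vt_gate.py <artifact> <baseline_flagged>", file=sys.stderr)
        return 2
    api_key = os.environ.get("VT_API_KEY")
    if not api_key:
        print("VT_API_KEY is not set", file=sys.stderr)
        return 2
    flagged, total = detection_ratio(fetch_report(sha256_of_file(argv[1]), api_key))
    print(f"{flagged}/{total} engines flag {argv[1]}")
    return 1 if should_fail_build(flagged, total, int(argv[2])) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `VT_API_KEY=... python vt_gate.py MyApp-Setup.exe 2` after the build, recording the flagged count of the last release as the baseline. A non-zero exit stops the pipeline, which is the moment to diff the change set against the previous build and bisect for the routine that tipped the heuristics, as the first answer suggests. Because the script only queries by hash, a build that was never submitted yields a 404; deciding whether to upload at that point is a separate, deliberate step rather than something the gate does on its own.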