
Topic: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives

technipixel

[Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« on: February 16, 2017, 11:44:25 pm »
Please follow closely....

1) I create a new Project, save it to newly created folder
2) Put just a button on my form
3) Run... works fine, creates an EXE that is 14.7 MB
4) Go into Prj. Options and UNCHECK the "Generate Debugger info... in exe" (Hopefully to reduce EXE file size)
5) Compile to EXE at (1.7 MB)
6) Try to Double-click EXE to run directly and get this error...
     "Windows cannot access..." (see screen #1 below)
7) After a minute, my BitDefender AntiVirus quarantines it. It thinks it is a virus.
     (see screen #2 below)
8) I go back into LAZ, turn on the Debugger again and now it will never compile again in that folder.
     And I get error saying cannot run exe (see #3 screen)
9) Then it displays the project1.lpr file highlighting the "end." line

No matter what I do, I cannot create another EXE in this folder or with LAZ on this project.
I have to actually delete the folder and create a new folder... BUT NOT TURN OFF the DEBUGGER check box.

What is going on with the DEBUGGER CHECK BOX causing BitDefender to flag it as a virus?

As long as I don't uncheck the Debugger, BitDefender doesn't quarantine anything.

« Last Edit: February 17, 2017, 01:53:02 am by technipixel »
Lazarus 1.6 w/FPC-3.0 • Windows 7 • 10G RAM • NIV-GForce GT 640 Graphics Card
Newbie coming from VB6, VBA, .NET (C# & VB)
Other languages: sql, php, html, CSS, javascript, actionscript.

Cyrax

Re: Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #1 on: February 16, 2017, 11:48:01 pm »
False positive (heuristic) detection.

In your antivirus program, white-list your project binary output directory and the problem goes away.

technipixel

Re: Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #2 on: February 16, 2017, 11:55:08 pm »
I looked, but don't see in my BitDefender where to "Allow" all my LAZ projects to be whitelisted.
I will have to do some research or ask them.

But what I want to know is... why shutting off the Debugger results in Gen.Variant.Graftor being in the exe.
Can't LAZ dev's take that out of the exe?

Cyrax

Re: Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #3 on: February 16, 2017, 11:57:54 pm »
What? It is false positive detection. FPC can't take it out.

You might want to change your antivirus to a less aggressive one.

If you still think that your .EXE has virus, then check it out in this web service : https://www.virustotal.com/

technipixel

Re: Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #4 on: February 17, 2017, 12:13:23 am »
It was created on the fly... as soon as LAZ created it (with Debugger unchecked)... BitDefender removed it.
It is seeing "Gen.Variant.Graftor".... where did it come from?

I understand it's a false positive, but what is in the created EXE that BitDef thinks it is a GenVariant?

FYI... I did find the exclusion in BitDef... testing it now

UPDATE:
The Exclusion didn't work on the folder that did delete the exe (so I had to delete the folder)
But, recreating a different folder and turning off the debugger and recompiling a new project worked.
« Last Edit: February 17, 2017, 12:21:09 am by technipixel »

Cyrax

Re: Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #5 on: February 17, 2017, 12:22:15 am »
Bitdefender (and other) antivirus programs use heuristic analysis (it can be turned off) to detect unknown viruses in the wild. This analysis consists of detecting certain known byte patterns (acquired from known virus samples) in binary files. Unfortunately this causes false positives to come out even in legitimate and virus-free binaries.

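The byte-pattern matching Cyrax describes, as an added illustration that is not code from this thread, from Lazarus or from any antivirus product: a toy scanner that compiles YARA-style hex patterns (with `??` wildcards) into regexes over raw bytes and applies rules that fire when all of their patterns are present. The rule names and both sample buffers are constructed for the example; the "benign" buffer is nothing more than the push ebp / mov ebp,esp / call / pop ebp / ret shape that every x86 compiler emits, so a rule written too broadly fires on it just as it does on the "suspect" buffer.

```python
"""Toy signature scanner: shows why a byte-pattern heuristic written
over common compiler output fires on legitimate binaries.
Added example; rule names and sample bytes are constructed."""
import re
from typing import Dict, List

# Constructed sample buffers (not real files). Both contain the ordinary
# x86 function shape push ebp / mov ebp,esp / call rel32 / pop ebp / ret.
BENIGN_FUNC = bytes.fromhex("55 8B EC E8 1A 00 00 00 5D C3")
SUSPECT_FUNC = bytes.fromhex("55 8B EC E8 20 00 00 00 5D C3") + b"MARKER-XYZ"

# A rule is a list of hex patterns; it fires only when every pattern is
# found somewhere in the buffer (YARA's "all of them"). Names are hypothetical.
RULES: Dict[str, List[str]] = {
    # Overly broad: any call rel32 directly followed by a pop ebp / ret
    # epilogue. Compiler-generated code matches this constantly.
    "Gen.Broad.Epilogue": ["E8 ?? ?? ?? ?? 5D C3"],
    # Narrower: the same code shape AND a marker string that only the
    # constructed suspect sample carries ("MARKER-XYZ" as hex bytes).
    "Sample.Family.Marker": [
        "E8 ?? ?? ?? ?? 5D C3",
        "4D 41 52 4B 45 52 2D 58 59 5A",
    ],
}


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """Turn 'E8 ?? ?? ?? ?? 5D C3' into a compiled regex over bytes.
    '??' matches exactly one arbitrary byte; every other token is a literal."""
    regex = b""
    for tok in hex_pattern.split():
        if tok == "??":
            regex += b"."
        elif len(tok) == 2:
            regex += re.escape(bytes([int(tok, 16)]))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    # DOTALL so the wildcard also matches 0x0A (newline) bytes.
    return re.compile(regex, re.DOTALL)


def find_offsets(data: bytes, hex_pattern: str) -> List[int]:
    """All byte offsets at which the pattern matches."""
    return [m.start() for m in compile_signature(hex_pattern).finditer(data)]


def rule_fires(data: bytes, patterns: List[str]) -> bool:
    """True when every pattern of the rule occurs at least once."""
    return all(find_offsets(data, p) for p in patterns)


def scan(data: bytes, rules: Dict[str, List[str]] = RULES) -> List[str]:
    """Names of the rules that fire on the buffer, in rule order."""
    return [name for name, pats in rules.items() if rule_fires(data, pats)]


def scan_file(path: str) -> List[str]:
    """Convenience wrapper to run the same rules over a real file on disk."""
    with open(path, "rb") as f:
        return scan(f.read())


if __name__ == "__main__":
    for label, buf in (("benign compiler output", BENIGN_FUNC),
                       ("constructed suspect", SUSPECT_FUNC)):
        print(f"{label:24s} -> {scan(buf) or ['clean']}")
```

The broad rule fires on both buffers because its pattern describes ordinary compiler output rather than anything malicious, which is exactly the false-positive mechanism described above; the narrower rule, which also requires the marker string, only fires on the constructed suspect. When a product reports a generic family name rather than a specific sample, that is the kind of match to suspect, and VirusTotal (mentioned later in the thread) is the quick way to see whether other engines agree.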
Mr.Madguy

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #6 on: February 17, 2017, 07:56:34 am »
Some anti-viruses are paranoid about any CreateProcess API calls. For example my Launcher.exe. All it does is detect whether Windows is 32-bit or 64-bit and launch the application from either the Bin32 or Bin64 folder. And what? See screenshot below. There are also problems with this file: when I compile the program on the same computer, everything is fine. But when I copy it from a flash drive, my antivirus doesn't quarantine it, but refuses to launch it.

And in case of same program, but compiled via Lazarus - situation is even worse. See second screenshot.
« Last Edit: February 17, 2017, 08:21:55 am by Mr.Madguy »

coda

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #7 on: February 17, 2017, 04:49:22 pm »
Interesting, but can't really call this solved if the solution is to leave debugging enabled. That's just a work around.

To really solve this requires action from bitdefender. Report it and hope they do something about it. I've had to report false positives to other AV companies in the past, some are excellent in responding, others - not so much.


technipixel

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #8 on: February 18, 2017, 04:22:20 am »
I marked it solved, because I have determined that it is not LAZ's fault.
Once I "excluded" the folder the exe is created in, I can uncheck the "debug" and it works.

I do have a support ticket in, they have done some analysis on my PC.

I just think their heuristics are just way too strict...

I told them so too and that they need to consider programmers... if we 'Don't scan a folder'... we mean it.

Exclusion works for my LAZ stuff, but not some of the other EXE creating environments I have.

coda

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #9 on: February 18, 2017, 08:45:38 am »
>It marked it solved, because I have determined that it is not LAZ's fault.

this.

Unfortunately, a false positive is a problem all devs are going to encounter from time to time. Especially if you have users running all kinds of bloatware AVs that they got pre-installed when they bought the computer and have no idea how to use.

You can use virustotal to find problems before you release and the users do, but there are 50+ security tools out there.

R0b0t1

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #10 on: February 19, 2017, 04:06:53 am »
I don't mean to meaninglessly bump this post, but I think I can offer some explanation for what is causing the false positive due to past experience. Often AVs will mark programs that interact with the WinAPI on a very low level as is most likely done by the LCL. Keyloggers and programs which try to remove all traces that they are running often use these APIs, but so do game frameworks and windowing toolkit implementations.

> I just think their heuristics are just way too strict...

Mr.Madguy

Re: [Solved] Debugger OFF - Create EXE = AntiVirus False Positives
« Reply #11 on: February 20, 2017, 08:09:08 am »
Just lazy anti-viruses that don't support proper anti-virus bases and use some dumb heuristics instead, like "uses certain API call = possible virus". Serious heuristic anti-viruses, like AVZ, don't report my programs as viruses. I've also encountered an even stupider problem: I uploaded my application to a file hosting service that used very strict rules: only one possible virus report from virustotal and your file has to be deleted. Guess what? One or two of the anti-viruses didn't support 64-bit apps packed via UPX, and simply reported them as possible viruses, so my program was deleted from the file hosting for this reason. Something like that:

