Forum > General

Virtus alerts on a fresh Windows binary

(1/5) > >>

Okoba:
Hello,

I have a problem that any build I get from any simple program with Latest Lazarus and FPC returns a false alert from Windows Defender or https://www.virustotal.com/.
It mostly says Program:Win32/Wacapew.C!ml

What I tried:
Get a fresh latest (today) version of Windows 11.
Install on a new VM.
No Git or any other program installed, nothing.
Get Lazarus and FPC source with a ZIP from GitLab.
Get latest win32 binary from here, https://sourceforge.net/projects/freepascal/files/Win32/3.2.2/. Checked it with virustotal, it is clean: https://www.virustotal.com/gui/file/7ec78b1790ecac7685f440b17f9e03865bc09846b7c068a9270c4d37704b5ac8

Compiled FPC and Lazarus from the source and made a simple program with a WriteLn and compiled with Release mode.
Submit to virustotal, and alert!

Either this is a false alert or not. I can not be sure.
After these test I tried and get the install of Lazarus Stable and installed that too, same virustotal errors again.

Can anyone share any info they have?
And can you create a simple project and submit to virustotal and say what you get? Preferbly with Trunk version of Lazarus, on Windows 10 or 11 and on Release mode with a simple WriteLn.

--- Quote ---program project1;

begin
  WriteLn('test');
  ReadLn;
end.
                       
--- End quote ---

Thaddy:
You should submit it to Microsoft, not to Virus Total.
Microsoft usually fix it in less than a week if you write a properly informative report about a false positive. Usually days, not weeks.

Okoba:
And what happens then? I guess it takes a long time so other computers get an update? Until then I can not share my programs?

Martin_fr:

--- Quote from: Okoba on February 17, 2024, 07:31:27 pm ---Compiled FPC and Lazarus from the source and made a simple program with a WriteLn and compiled with Release mode.
Submit to virustotal, and alert!

--- End quote ---

How many of the scanners alerted? And what kind of alert?

Very small exe, or exe with debug info have been known to every now and then trigger false alerts. (Including, sometimes confirmed false when send to the AV company for double checking).

Usually those false alerts are "heuristic" based (they have some part of the word "heuristic" in the name.
And usually they are from 3 to 5 of the around 70 engines that virustotal runs.

If there is a virus alert (false or otherwise) it usually always is by more than one engine. The manufacturers usually share some of their signatures and data.

The files you downloaded from the link you gave, they have been there for a few years, and been used by lots of people.
And virustotal knows that exact unchanged file since 2021-05-16

So I don't suspect them to be an issue with that download, or there would have been more noise.

Okoba:
I had the issue with my real project, and to be sure I tested it with a small test project I wrote on the first post. Errors are the same and they are:
Microsoft
Program:Win32/Wacapew.C!ml

DeepInstinct
MALICIOUS

Cynet
Malicious (score: 100)

All files are tested on Release mode with no debug info.

And Yes I was noting that this machine didnt touch any exe except the clean fpc old installs.

Navigation

[0] Message Index

[#] Next page

Go to full version