
Author Topic: malware detected  (Read 5052 times)

fdsingleton

  • New Member
  • *
  • Posts: 31
malware detected
« on: October 21, 2023, 09:19:21 pm »
Last week I was able to use the debugger just fine.  Today any exe created with debugging included is flagged by Microsoft Security as containing malware -- OK I forgot to record the exact name of the malware -- and also just now trying to recreate it -- there was a pop-up from the security pgm saying it fixed something, and when it was asked to scan the exe file it said that was clean.  Has anyone had this problem? FPC 3.2.2 & Laz 2.2.6, Windows 7 SP1 all 32bit.

fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #1 on: October 21, 2023, 09:34:09 pm »
OK, now I see that the Microsoft malware detector deleted the exe ... was looking at a stale Windows Explorer page.  So now I can't use debugging---reinstall Lazarus?

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 12398
  • Debugger - SynEdit - and more
    • wiki
Re: malware detected
« Reply #2 on: October 21, 2023, 10:11:46 pm »
Exclude the project folder.
Windows security > "Virus and Threat Protection" >
"Virus and Threat Protection settings" "Manage settings" >
Exclusions: Add or remove Exclusions


Microsoft may have somewhere a page to submit false positives... Not sure.

AV are sometimes weird. I had cases where an AV would flag an exe, until I removed debug info. So it thought the non-executable parts contained a threat (well they could still be loaded as a resource).

Windows protector recently flagged a project that I used to test exceptions, so all it was doing was throwing errors, which of course is not what normal programs do (not that frequently). And I guess if you debug your app, then it may be the same, maybe it has an error that is detected as "not normal".

fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #3 on: October 22, 2023, 05:42:39 pm »
Last night Windows Security started rejecting the exe file created WITHOUT debugging information also.  The name of the malware it finds is "Win32/Wacatac.B!ml".  A quick scan of everything or a detailed scan of the project directory or the Lazarus directory does not find anything (except in the exe).  Apparently I need more sophisticated scanning.

Handoko

  • Hero Member
  • *****
  • Posts: 5544
  • My goal: build my own game engine using Lazarus
Re: malware detected
« Reply #4 on: October 22, 2023, 05:48:45 pm »
Test the file using VirusTotal online scanner to make sure the computer is really virus free. If only 1 or 2 say the file is infected, the file probably doesn't have any viruses. But it will be a red flag if many AVs say the file is infected.

fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #5 on: October 22, 2023, 08:29:54 pm »
Three vendors say "malware".  I have an earlier version of my program from last month which is apparently clean.  The problem is--if I want to give or sell the new version to Windows users, it is likely to be totally blocked.

Martin_fr

  • Administrator
  • Hero Member
  • *
  • Posts: 12398
  • Debugger - SynEdit - and more
    • wiki
Re: malware detected
« Reply #6 on: October 22, 2023, 08:36:05 pm »
Have you submitted it to those vendors? As "false positive"? At least the big players have free access to upload detected files on their pages.

virustotal.com has about 60 AV engines. But many of those share databases (AV sellers share info between them, and include signatures of others).
So if one seller has wrong info, then it is kind of likely that a few others may have that too.
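
Added example, not part of any post in this thread: a Python sketch that summarises a VirusTotal API v3 file report along the two lines raised in replies #4 and #6, namely how many engines flag the file and how many of those detections are really the same label repeated. The sample report is constructed (only the Microsoft label is taken from the thread; `EngineA` to `EngineD` are placeholders), and the marker list for heuristic or machine-learning labels is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of a VirusTotal API v3 file report
# (data.attributes.last_analysis_results). Only the Microsoft label comes from
# the thread; EngineA..EngineD and their labels are invented placeholders.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "Microsoft": {"category": "malicious",  "result": "Win32/Wacatac.B!ml"},
  "EngineA":   {"category": "malicious",  "result": "Gen:Variant.Placeholder.1"},
  "EngineB":   {"category": "malicious",  "result": "Gen:Variant.Placeholder.1"},
  "EngineC":   {"category": "undetected", "result": null},
  "EngineD":   {"category": "undetected", "result": null}
}}}}
""")

# Assumption: substrings that usually mark heuristic or machine-learning
# verdicts rather than a signature for a named family. Tune for your own use.
HEURISTIC_MARKERS = ("!ml", "gen:", "generic", "heur", "suspicious")


def triage(report):
    """Summarise a VirusTotal v3 file report for false-positive triage."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {
        engine: (verdict.get("result") or "").lower()
        for engine, verdict in results.items()
        if verdict.get("category") in ("malicious", "suspicious")
    }
    # Engines reporting the identical label are grouped: they may share one
    # signature source, so they count as one finding, not several.
    groups = defaultdict(list)
    for engine, label in flagged.items():
        groups[label].append(engine)
    heuristic = sorted(
        e for e, label in flagged.items()
        if any(m in label for m in HEURISTIC_MARKERS)
    )
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "independent_labels": len(groups),
        "shared_labels": {l: sorted(e) for l, e in groups.items() if len(e) > 1},
        "heuristic_engines": heuristic,
        "all_heuristic": bool(flagged) and len(heuristic) == len(flagged),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

A result with few independent labels and `all_heuristic` set is the pattern worth submitting to the vendors as a false positive; a label naming a specific family from several unrelated engines calls for checking the build machine first.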


fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #7 on: October 22, 2023, 08:43:03 pm »
No I have not submitted to anyone yet.  Interestingly, 4 vendors see something in my old version, but Microsoft does not, so if someone downloads it from me Windows will run it for them presumably.


fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #9 on: October 22, 2023, 09:31:15 pm »
I am having so much trouble getting a MS account that I am giving up.  I could even go back to Delphi 3.  Most of my apps were written in it starting when it came out.  Many 1000's of lines of code.

fdsingleton

  • New Member
  • *
  • Posts: 31
Re: malware detected
« Reply #10 on: October 23, 2023, 10:54:16 pm »
Today with Microsoft having updated their security information, Microsoft does not find a problem with my exe (not containing debug info).  VirusTotal still found several vendors flagging it.  As it did with the previous version of my current Lazarus project with which Microsoft has always been happy.  VirusTotal even found one vendor that did not like a program compiled with Delphi 3 some time back.  I did not get around to reporting about yesterday's problems to Microsoft.
