VirusTotal: Avira marks a Delphi built executable as false positive
Posted by jpluimers on 2018/12/06
Found out yesterday that Avira marks one of many Delphi 10.1 built executables as false positive; submitted, but VirusTotal shows it as false positive:
Related:
- It took 2 days to fix, which for an anti-virus company is really slow
- After that, and updating the signatures on Windows, Avira still thinks it is a threat: [WayBack] Jeroen Pluimers on Twitter: “Hey @Avira , I submitted a false positive 10 days ago; on virus-total it is now green, but on Windows – with latest Avira updates – Avira still thinks it is a threat. What’s up?
- [WayBack] delphi – Antivirus False positive in my executable – Stack Overflow
- [WayBack] Any other Delphi download tagged as “Harmful Download” from Google ? – General Help – Delphi-PRAXiS [en]
- [WayBack] security – Delphi applications considered ‘dangerous’ by Google Chrome – Stack Overflow
- [WayBack] Google! Don’t be evil! « How to Remove Malware
I think it was Avira too that interfered with my Delphi IDE compiling Delphi applications, especially resource compilation:
- [WayBack] Jeroen Pluimers on Twitter: “If your Delphi IDE hangs while compiling, but hardly using CPU, it can be @Avira acting up. No proper screenshot yet, but it happened multiple times over the past weeks. ConHost, cmd or/and BRCC.exe in the tree, none of them using much CPU or even being suspended 1/… @AskAvira…”
- [WayBack] Jeroen Pluimers on Twitter: “the trick is to use @Sysinternals #ProcessExplorer and kill the subtree. Now Delphi stops hanging, shows an error during the compilation stage it was in, and a retry will compile fine. Since it happens irregularly, and I cannot reproduce it yet, I need to leave it at this. 2/2”
- [WayBack] Jeroen Pluimers on Twitter: “Better screenshot, as it can also involve cgrc.exe. Another solution is to wait a couple of minutes.…”
–jeroen
Alexandre Machado (@alex_7691) said
Avira has been flagging Delphi executables as infected for a long time. I’ve already reported several (20+) over the last year or a little more. It also flags, from time to time, installers (.EXEs) created with InnoSetup. Too bad that they can’t just fix their heuristic engine….
jpluimers said
I already had that impression, but could not substantiate it as I had not used Avira for quite a while. Thanks for substantiating it.
John said
And this is VERY problematic because Google is using VirusTotal as one of its sources and can block a complete web-site for Chrome and Firefox users, just because it is linking to perfectly legitimate software. This happened to multiple Delphi / C++ Builder vendors lately, blocking more than 71% of our traffic for more than 48 hours, without any explanation or reliable way to revert their decision. See the “most official” thread of the ongoing problem: https://productforums.google.com/forum/#!topic/webmasters/CThwZ6Oq9Ck;context-place=starred
Here is a list of our findings: https://en.delphipraxis.net/topic/360-any-other-delphi-download-tagged-as-harmful-download-from-google/?do=findComment&comment=2874
We are trying to raise awareness of this issue as it is highly problematic for independent software vendors.
jpluimers said
Thanks. I will add these links to the article so I can find it back more easily when I bump into this again.