How to prevent false positive virus alarm on my software?

Question

Possible duplicate:
Antivirus false positive in my executable

Until now, I had over 15 false virus alarms for my programs. Most of them were from Kaspersky, which ALWAYS reports the same virus: Trojan-GameThief.Win32.Lmir.pcd. There are 3 questions:

  1. Why does it appear?
  2. How to prevent it?
  3. How to detect it?

For the first question, because it always detects the same virus, I guess it is because of one of my routines that I use in all my programs. But which one exactly, I don't know. For the second question I was thinking about modifying the program just a bit and recompiling it, just enough to change its code so the antivirus will not recognize it anymore and release the new version. The third question is the most difficult one. How to check ALL my programs against ALL antivirus programs in the world?

Update:
Does anybody have knowledge about how this issue can be handled legally? It seems that many Delphi developers have the same problem. The reckless antivirus companies make money on our back by showing lots of false positive alarms, making their customers think they are safe when there was actually no danger. While we are losing customers - they are making customers. I informed the antivirus company about the problem but they fix it only for that specific version. Next time I release an update, the false alarm appears again. They just don't care.

Many honest developers have problems because of careless antivirus software. See this also: How to prevent false positive virus alarm on my software?

Maybe we can unite against such antivirus products and force them to be more careful about false positive alarms, even to get some revenue back for the sales we lose because of them. We should sign a petition to let them know that we don't accept this anymore.

Update 2017
* Last week my program had a detection ratio of close to 50% on VirusTotal. I deleted a single line of code and magically the detection dropped to 2 out of 61 (antiviruses). It is amazing how random these antivirus products behave.
* Detection is MUCH higher when the program is compiled in 'Release mode' (with compiler optimizations) than when it is compiled in 'Debug mode'.
* Detection skyrockets when EurekaLog is used.

Update 2019
It is almost 9 years later and not much improved.
Unfortunately, InnoSetup is not spared either. I created a dummy installer with InnoSetup and uploaded it to VirusTotal. 5 out of 52 programs reported a false positive!

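Conclusion:

  • At the end of the day, upload your exe file to VirusTotal. If the detection rate suddenly goes up, review the changes you made in your code and remove the "harmful" ones.
  • Use WinRar 3 as the installer. It raises fewer flags than WinRar 5 or InnoSetup.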

Recommended answer

First, make sure that you do not have the Win32.Induc Delphi virus, which changes SysConst.dcu so that applications you compile will be infected.

  1. Use #3 to narrow down what in your code is causing the false positive. API calls which change process memory will trigger heuristic scanners. Even including the names of some of the API functions (such as WriteProcessMemory) will trigger a scanner. Make changes to a test application and submit to #3 until you narrow the problem down. If you use a packer, then the AV software will probably unpack it anyway, but test with and without packing.

  2. Will depend on #1.

  3. Virustotal is used by virus developers to check their virus is not detected, so Virustotal will send any test file to the anti-virus people for analysis. There used to be an option to switch this off, but it was removed several years ago. This can make the problem worse for you if you submit an application multiple times, so I would recommend using http://virusscan.jotti.org/ for your initial testing.
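
A defensive check for the first point of the answer above, as an added example that is not part of the original post: it records SHA-256 hashes of every SysConst.dcu under a Delphi library directory and reports copies that later change, appear or disappear. The directory layout and function names are assumptions, and the baseline must be taken from an installation known to be clean.

```python
import hashlib
import tempfile
from pathlib import Path

TARGET = "sysconst.dcu"  # unit the answer says Win32.Induc changes


def snapshot(root):
    """Map every SysConst.dcu under root (relative path) to its SHA-256."""
    found = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() == TARGET:
            rel = path.relative_to(root).as_posix().lower()
            found[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return found


def compare(baseline, current):
    """List copies that changed, appeared or vanished since the baseline."""
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append(("new", rel))
        elif rel not in current:
            findings.append(("missing", rel))
        elif baseline[rel] != current[rel]:
            findings.append(("changed", rel))
    return findings


def demo():
    """Constructed tree: baseline taken, one unit altered, one copy added."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "debug").mkdir()
        unit = root / "lib" / "SysConst.dcu"
        unit.write_bytes(b"constructed clean unit")
        baseline = snapshot(root)  # record this right after a clean install
        unit.write_bytes(b"constructed clean unit + appended bytes")
        (root / "lib" / "debug" / "sysconst.dcu").write_bytes(b"constructed")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for status, rel in demo():
        print(f"{status:8} {rel}")
```

Run `snapshot` on the real library directory before each release build and compare against the stored baseline; any finding means the build machine should be examined before shipping.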