Antivirus assume my program a virus

[Brwa hussen]

Hi
I am 17, from Iraq\kurdistan and I am developer
I had developed a mathematical program
The program is HUGE and cery good
BUT some antiviruses assume it as virus
VirusTotal assume it as virus 1/43
My avast antivirus not detect it as virus but when avast is enabled the program can't be run...

So please help ne fix the problem
I had created the program with vb6 and i used these ActiveX es:
-Codejock activex
-vbrichclient5.dll
-mathtype.ocx
-my own activexes plot.ocx and plot3d.ocx
-vb6 libraries

You can download my program from this blog(download link is on right side):

http://simplegrapher.blogspot.com

[LaVolpe]

Is the link to an executable? If so, you want people to install your exe even when some virus detectors will alert on it? I think you will need to provide source code if you want someone to look at it.

Keep in mind that if antivirus definitions are outdated, a false positive could be reported.

Welcome to the forums

[IkkeEnGij]

are you really asking us to download a potential virus ?

[Brwa hussen]

Definitely NO

I don't think i need to do all these things(creating a huge software, creating a websites te....) just to make you download a trojan

I can make you sure that the program is not a virus
Even most antivirus don't detect it as virus (which is not)

The link is not to an excutable file
It's to my program official website

[Rattled_Cage]

use online virus scanner like https://virusscan.jotti.org/ click submit file

[Arnoutdv]

TS mention he already tested his application on VirusTotal.com.
It gave a 1/43, meaning one anti-virus program flagged the application for being dangerous.

[Brwa hussen]

HELLO
i am replying to you
But I can't see my replies!!

[Brwa hussen]

The link is not directed to excutable file
It is to my program website
But my program is not containing any type of viruss
Even most antiviruses not detect it as virus
But i don't know what is problem with some of them

[jpbro]

Unfortunately AV software sometimes flags perfectly safe software as a virus - it's called a false positive. You will have is to contact the AV vendor that is flagging the file erroneously and send them a copy of the affected file(s). They will then make the necessary modifications to their virus definitions to prevent detection. Most AV vendors have a false positive submission page.

[Brwa hussen]

That is true
But that is not the solution to my problem
Because most people don't use the last update of an antivirus
So the antivirus still detect it
And i can not contact every AV
There is alot of AV used by people


Isn't there any other way to mak my program be trusted
Like certificate or any thing else????

[Wolfgang Enzinger]

Unfortunately AV software sometimes flags perfectly safe software as a virus - it's called a false positive. You will have is to contact the AV vendor that is flagging the file erroneously and send them a copy of the affected file(s). They will then make the necessary modifications to their virus definitions to prevent detection. Most AV vendors have a false positive submission page.

Agreed.

In cases like these (and I have had a couple of them in the past), this page has been a great help for me:

http://www.techsupportalert.com/cont...us-vendors.htm

Good luck!

Wolfgang

[Wolfgang Enzinger]

Isn't there any other way to mak my program be trusted
Like certificate or any thing else????

Here are a few tipps that *might* make it less likely for your app to be flagged inappropriately - but there ist no guarantee for that, of course:

* Do not compress your executable file (e.g. using UPX)
* make sure your app has a manifest
* switch permanent DEP on for your app (see http://www.vbforums.com/showthread.p...light=hardenpe and search for "HardenPE utility").

HTH, a little bit, at least.

Wolfgang

[dilettante]

A common culprit people want to decry as "false positives" are programs that do not use a proper recognized installer technology.

This can be as simple as a self-extracting archive, as long as it is one considered "well known." These are recognized by signature, not a cryptographic signature but a pattern of data in the file.

But some people seem to think it is whizzy to just stuff things like DLLs and OCXs into resources within a main program file, then when the program gets run it "drops" these files onto disk. This is called a "dropper" which is a common malware delivery technique.

Droppers are always bad and more antivirus suites should be flagging them.

So if you are doing this you can stop being flagged simply by using a proper installer technology or at least moving to the use of a well known self-extractor. Even so, using just a self-extractor isn't safe for most VB6 programs. It requires prepackaging with reg-free COM manifests if the program ships with any ActiveX dependencies. Failing to do this means your program could break other programs on the machine by causing your private copies to take over the registration of system-wide shared copies already installed. As soon as your program's folder gets deleted you take the libraries with it and leave other applications high and dry with the registry pointing to your (now missing) folder.

[Brwa hussen]

A common culprit people want to decry as "false positives" are programs that do not use a proper recognized installer technology.

This can be as simple as a self-extracting archive, as long as it is one considered "well known." These are recognized by signature, not a cryptographic signature but a pattern of data in the file.

But some people seem to think it is whizzy to just stuff things like DLLs and OCXs into resources within a main program file, then when the program gets run it "drops" these files onto disk. This is called a "dropper" which is a common malware delivery technique.

Droppers are always bad and more antivirus suites should be flagging them.

So if you are doing this you can stop being flagged simply by using a proper installer technology or at least moving to the use of a well known self-extractor. Even so, using just a self-extractor isn't safe for most VB6 programs. It requires prepackaging with reg-free COM manifests if the program ships with any ActiveX dependencies. Failing to do this means your program could break other programs on the machine by causing your private copies to take over the registration of system-wide shared copies already installed. As soon as your program's folder gets deleted you take the libraries with it and leave other applications high and dry with the registry pointing to your (now missing) folder.

Thanks for your reply
Actually, i am using Smart Install Maker(SIM) software to create an excutable installer for my program, it is a good program
But my program uses alot of ActiveX components (nearly 10 .ocx and .dll files) and also it needs to register some registry values, and the installer do this so well!
I had tried Advenced installer but it is not free and so expensive... But excellent

I think that creating a manifest files for my program could solve some problem because the my program has 1 main exe file and 6 other exe files, but i had one manifist file

[dilettante]

Does every one of your SIM installers (for any program) get flagged as malware? If so, then I would suspect that its bootstrapper/extractor isn't one recognized as "normal" and "safe" because its signature profile has not been included by antivirus makers (Avast?).

If it is just this one program than more likely than not this program does something "suspicious" that is triggering a false positive.

[Tanner_H]

VirusTotal is a problematic way to assess malware risk. They include way too many scanners, many of which are low-quality, and they fail to educate users on the pros and cons of their "shotgun" approach to detection. False-positives are pretty much guaranteed with any project of reasonable size, regardless of how "safely" it's written.

I had similar false-positive issues with my PhotoDemon project, which is simply a portable .exe (unsigned). I finally wrote an article to explain the problem to end-users - maybe the link will give you some ideas for how to explain the problem to your users.

As the link describes, if you compile a blank VB6 project into an .exe (one form, no custom code), you'll get multiple hits from VirusTotal. Avira and DrWeb in particular seem to hate files with VB6 signatures, and no amount of reporting false-positives helps, because those companies simply whitelist single files instead of fixing their garbage heuristics.

While not always feasible for your users, all you can do is recommend that they replace their low-quality virus scanner with something that actually works.

[reexre]

I use Avast antivirus and it detect almost all VB6 created executables as Virus.
Plus, it automatically delete the file! without the option to sign it as False Positive (that it had in older versions). So, often I must disable Avast.

Any idea of a better free antivirus ?

[Arnoutdv]

I use the default virus scanner from Windows (since Win7), I believe it's Defender.

[DataMiser]

There was one virus scanner that flagged one of my programs recently simply because it was written in VB6.
I forget what the actual message was but it was something like it was being flagged because some virus have been known to have been created using that tool and the program had not been white listed.

[dreammanor]

If you use subclasses or hooks in your VB6 program, a lot of antivirus software may treat your VB6 software as a virus.

[dilettante]

VB has gained a bad name with the antimalware vendors. There are just too much malware out there that script kiddies have packaged inside VB6 programs. Most of these are not all that sophisticated but are either trojan droppers or DLL injectors or patchers that rely on machine code created by somebody else. VB gets used as a delivery system.

Any VB6, VB5, or 32-bit VB4 program gets a lot of points. A resource containing identifiable code gets a lot of points. Certain API calls get points. Code injection gets a lot of points and now they scan for code in any String values that look like hex, Base64, Base85, and probably other frequently encountered schemes for stuffing binary data into a String.

Score enough of these points and you get flagged.

Blame the script kiddies for pissing in our well.

[DataMiser]

If you use subclasses or hooks in your VB6 program, a lot of antivirus software may treat your VB6 software as a virus.

In my case it was a fairly simple program that did read/writes to a db and passed data to a barcode generator for printing labels. No sub classing, no 3rd party controls, only non standard thing it did was made a reference to the Barcode tools API for passing the data to it.

The actual message related to the detection was https://www.symantec.com/security_re...051308-1854-99