Thread: Problems on VB6 Compile

  1. #1

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    783

    Question Problems on VB6 Compile

    I do compile cleanly when the code is correct. But, most of my programs get flagged by McAfee, either when I scan after compile, or when I try to run them. This does not happen to all programs. I write in VB6.

    This is frustrating because
    1. I do not know how to write a virus, never thought about it,
    2. I can't send my code to anyone, because it will get flagged there.

    The pieces of the .exe (.frm, .mod, etc) do not get flagged when scanned.
    Any suggestions on how to track down the culprit?

    Thanks
    Last edited by AccessShell; Aug 24th, 2023 at 10:39 AM.

  2. #2
    PowerPoster
    Join Date
    Nov 2017
    Posts
    2,883

    Re: Problems on VB6 Compile

    McAfee should give you the name of the virus/variant it is being detected as. Read up on that virus and see if any of the actions your program is taking might be what is triggering that.

    As a fictitious example, there might be a virus out there that, as part of its payload, writes a specific filename to the temp folder, like C:\Temp\abc123.dat. McAfee virus definitions might then have instructions such that any program it finds that has code that writes to that filename are flagged as that virus. So, a legit program that also happens to write to that filename might be mistaken for that virus.

    That's one road to go down, but it might be a dead end. Good luck.
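
The fictitious filename signature described in post #2, as an added example that is not part of the original thread and not any vendor's engine: a toy scanner that flags any blob containing the string and reports the offset so the match can be traced back to the source. The detection name `Toy.FakeDropper` and the sample blobs are constructed; the scanner checks both ASCII and UTF-16LE because Windows binaries commonly store string literals in either form.

```python
"""Toy static-signature scanner (added illustration, not a real AV engine)."""

# Constructed signature set: one made-up detection keyed on the fictitious
# filename from the post above. Real AV signatures are far more elaborate.
SIGNATURES = {"Toy.FakeDropper": r"C:\Temp\abc123.dat"}


def encodings(text):
    """Byte forms a string literal can take inside a compiled binary."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16le")}


def scan(blob):
    """Return (detection, encoding, offset) for every signature hit in blob."""
    hits = []
    for name, text in SIGNATURES.items():
        for enc, pattern in encodings(text).items():
            start = 0
            while (pos := blob.find(pattern, start)) != -1:
                hits.append((name, enc, pos))
                start = pos + 1
    return hits


def context(blob, offset, width=16):
    """Hex dump of the bytes around a hit, to map it back to the source."""
    lo = max(0, offset - width)
    return blob[lo:offset + width].hex(" ")


# Constructed sample inputs: stand-ins for compiled programs, not real binaries.
BENIGN_GAME = b"MZ\x90\x00" + b"\x00" * 12 + "Hi-Q board".encode("utf-16le")
BENIGN_LOGGER = (b"MZ\x90\x00" + b"\x00" * 12
                 + r"C:\Temp\abc123.dat".encode("utf-16le") + b"\x00\x00")
BENIGN_ASCII = b"MZ" + b"\x00" * 6 + rb"open C:\Temp\abc123.dat for append"

if __name__ == "__main__":
    for label, blob in [("game", BENIGN_GAME), ("logger", BENIGN_LOGGER),
                        ("ascii tool", BENIGN_ASCII)]:
        hits = scan(blob)
        print(label, "->", hits or "clean")
        for _, _, off in hits:
            print("   bytes near hit:", context(blob, off))
```

Both flagged blobs are harmless by construction: the match is on the bytes alone, which is what a false positive looks like from the scanner's side.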

  3. #3

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    783

    Re: Problems on VB6 Compile

    The McAfee threat I found was 'Real Protect-LS!2ff5c8933fcd'. The internet has a big write-up on it. It seems that the user rating is extremely low.

    In any event, I can easily exclude the file on my computer. As for anyone I want to share it with, not so easily.
    Bottom line. I cannot share it.

  4. #4
    PowerPoster
    Join Date
    Nov 2017
    Posts
    2,883

    Re: Problems on VB6 Compile

    McAfee claims to have a service where you can submit your software and they will examine it and "allowlist" it in their definition files.

    https://www.mcafee.com/support/?loca...l=article-view

    Never used it, no idea if they would even accept VB6 code these days or not. That also wouldn't address any other AV products that might flag it as well.

    What is this program for and what is it doing? Is your program doing things like Office automation? Is it doing a bunch of file I/O? Is it doing things with files in the Windows folder or subfolders like System32/SysWOW64? Is it doing things with files in the Program Files folder?

    It could be that you could make changes to your code that would make the problem go away on its own.

  5. #5

    Thread Starter
    Fanatic Member AccessShell's Avatar
    Join Date
    Oct 2013
    Posts
    783

    Re: Problems on VB6 Compile

    What is this program for and what is it doing? Is your program doing things like Office automation? Is it doing a bunch of file I/O? Is it doing things with files in the Windows folder or subfolders like System32/SysWOW64? Is it doing things with files in the Program Files folder?
    This program is doing none of these things. It is a game. Back in the '50s, I played a game called "Hi-Q". I found some code and generalized it. I do not read or write to files. I do not use office automation.
    I do have several pictureboxes and imageboxes. These are loaded at design time. I am using BitBlt, SetCapture, and ReleaseCapture.

  6. #6
    Smooth Moperator techgnome's Avatar
    Join Date
    May 2002
    Posts
    34,377

    Re: Problems on VB6 Compile

    What you're getting is a false positive. It doesn't show up in a scan of the source code because that's not what's being looked at. It's the compiled binaries. You've done something that has created a binary signature that's being mistaken for a virus - specifically it's matching the signature of a known virus. It's come up a lot before. There's something about compiled VB6 code that's particularly sensitive to AV scanners. Not sure what it is, I don't think a lot (if any) viruses are built using VB6. Anyways, you can put in a file exemption as you have, or you can also contact McAfee, give them the app and the signature, and see what they can do with it. Or tell you what it is their scanner is seeing.

    As for other AVs ... there's a website that you can go to to submit a file for scanning and it will tell you how some of the more popular scanners will react to it. I want to say it is "willitscan.com" ... but I don't think that's right. My google fu is failing me... hopefully someone knows what I'm talking about.


    -tg

  7. #7
    Member
    Join Date
    Jul 2017
    Posts
    43

    Re: Problems on VB6 Compile

    Quote Originally Posted by techgnome View Post
    there's a website
    virustotal.com is typically used.

    @OP, I'd double check what API calls you're using (if any), I know I've had problems with certain ones in the past causing my programs to get flagged. I suppose you could also do what viruses do and use a packer or similar to evade the AV.

    https://github.com/tanc7/EXOCET-AV-Evasion

    I haven't used them before and AV companies will likely block the methods at some point in the future as you can see here.
