While I was working on my IDE Fix Pack 1.0 for Delphi 2009 I wasn’t able to compile the installer (IDEFixPackReg.exe) without an alert from the virus scanner. Hey, I just compiled the code and I know that I haven’t written a virus. I may be able to write one, but why should I add another one to the endless list of viruses, trojans and worms? I have more productive work to do than playing in the same sandbox as script kiddies and would-be developers whose only ability is to copy existing code without a real challenge. The last real virus that I saw was in the good old DOS days, when these beasts replicated themselves, manipulated the boot sector and injected themselves into EXE files. But nowadays almost all the knowledge behind the old viruses is gone, and today’s worms can be “written” without thinking.
Back to the topic. I thought that I couldn’t release the IDE Fix Pack 1.0 for Delphi 2009 with this effect on virus scanners. My first step was to identify the code that the virus scanner doesn’t like. Because the installer isn’t that large, I found out that the scanner complained about the IDEFixPack.dll that I attach to the installer as an RC_DATA resource. With that information I tried to make some modifications to the IDE expert DLL, but I had no luck (Vista’s event log is now full of false positive warnings). Eventually I had the idea to compress the RC_DATA resource with zlib, and that is how I released the IDE Fix Pack 1.0 for Delphi 2009.
And because the IDE Fix Pack 1.6 for Delphi 2007 is now also affected by this virus scanner false positive, I have updated the CodeCentral entry with a new installer that also uses a zlib-compressed RC_DATA resource.
Maybe somebody should tell the virus scanner vendors that not all Delphi applications are evil. How many viruses are written in Delphi compared to the number of viruses that are written in MSVC and VB? Thinking about the recent user32.dll false positive, I’m waiting for them to delete an important .NET assembly when the first .NET virus is widely spread.
If you contact the anti-virus vendor in question, they are usually very quick with updating their virus signatures and solving such problems (this should only take a day or two). I’ve seen quite a few false positives over the years (especially Delphi apps) and the vendors have always been very helpful.
I have this kind of problem every day with NOD32; apparently the problem is because of their “advanced heuristic” thingy… which doesn’t look so advanced at all.
It is sometimes useful to exclude some processes from the on-demand scanners to save you time while developing. I usually exclude “bds.exe”, “tsvncache.exe” and “tortoiseproc.exe” (TortoiseSVN). So you save time during compiling and subversion updates… and you don’t get false positives.
There was a time when the developers of the DrWeb antivirus had asked for EXEs of empty projects compiled with different Delphi versions, to reduce false alerts.