24

I work for a publishing company and we are making interactive software that accompanies our books. The problem is that many clients complain that the antivirus keeps deleting parts of the software, especially the .exe files.

Which is the best way to avoid this? By digitally signing the software? (I don't know if that's the correct term, or maybe it's called licensing). Are there companies who provide such a thing?

Captain Man
GabrielSC
  • [Sharing your research helps everyone](https://softwareengineering.meta.stackexchange.com/questions/6559/why-is-research-important). Tell us what you've tried and why it didn't meet your needs. This demonstrates that you've taken the time to try to help yourself, it saves us from reiterating obvious answers, and most of all it helps you get a more specific and relevant answer. Also see [ask] – gnat Oct 24 '19 at 11:11
  • Check that your program hasn't been infected – Ewan Oct 24 '19 at 11:45
  • As Ewan suggests, have a very good look at your tool chain. If that's infected by a virus, it can copy itself to everything you create. – Simon B Oct 24 '19 at 12:13
  • Don't write viruses – mattnz Oct 25 '19 at 03:31
  • Check for a possible infection on the quarantined .exe, and scrutinize your distribution channels; some might be malicious. As a dummy customer, acquire your own product and check for any meddling. – Joop Eggen Oct 25 '19 at 09:49
  • Tell the antivirus vendors in question that your files are not infected and have them fix their databases. – Thorbjørn Ravn Andersen Oct 25 '19 at 09:51
  • I was a developer at Mendix, a fairly widely used software development platform, and when I was still working there we had to submit every new build to an antivirus vendor that I won't name, because otherwise they would flag our software as a virus. You may have to take similar steps. – Sebastiaan van den Broek Oct 25 '19 at 10:24

3 Answers

46

By running that same anti-virus software in your testing environment. Make it part of your test procedure: "Software not deleted by antivirus."

(In my experience: some packers, which compress your executable, will make your executable get flagged.)

Pieter B
  • That's indeed a very good idea! +1! Sometimes it nevertheless occurs that the software gets corrupted at the source, in a third-party DLL, or within the distribution pipeline. So before assuming it's a false alarm, cross-check the software and the strength of the distribution process. – Christophe Oct 24 '19 at 13:15
  • @Christophe or just add a test round, installing the software from the medium you distribute it on. – Ruslan Oct 24 '19 at 20:09
  • Couldn't this get expensive, to license all the different anti-virus software that flag your executables? – Nacht Oct 25 '19 at 00:21
  • @Nacht how expensive could it possibly be? You only need one or at most a handful of licenses for each for your CI server(s). We're talking about end-user software, copies costing maybe $50-100 USD a piece. – Jared Smith Oct 25 '19 at 01:58
  • @JaredSmith Hmm, I suppose so. I was imagining something running against Exchange for an entire business, but not sure where I got that idea. – Nacht Oct 25 '19 at 03:04
  • You really only need to test during release phases. You don't need to test everything constantly across every machine. Just one machine hooked up as part of automated testing is just fine. – Nelson Oct 25 '19 at 04:06
  • @nelson just remember that you should never install more than a single AV on a system, and there are half a dozen popular AVs out there, which makes this not as easy as it sounds. – Voo Oct 25 '19 at 06:50
  • @Voo That's generic advice for a normal-use computer regarding auto-scan. For a validation machine, you can turn off auto-scan and simply run all the scanners in sequence. The main issue is how they can create conflicts with each other on quarantined files, e.g. AV1 detects a virus and quarantines files, but this gets detected by AV2, which quarantines it somewhere else, and then triggers AV1 from the quarantine, etc. – Nelson Oct 25 '19 at 07:27
  • @Nelson I doubt you can completely turn off the AV's interaction with the system (all the hooks it registers, etc.). And since the particularly interesting interaction is not the "scan everything on file system" but exactly when the AV injects itself into other processes, etc., you'd miss the most important part of the test. – Voo Oct 25 '19 at 09:08
  • @Voo Why is "AV injects itself into other processes" an issue? The issue from the original question is that their software files are getting deleted by the AV. The "scan everything on the file system" is exactly what the OP needs to check for on the test system, to see what is triggering the deletion. – Nelson Oct 25 '19 at 09:17
  • I think going into specifics on how AV works is beyond the scope. My broader message here is: if something breaks your software, try to recreate the circumstance under which it breaks, in this case by testing it with the AV. – Pieter B Oct 25 '19 at 09:47
  • "In my experience: some packers, which compress your executable, will make your executable get flagged." <-- this! .Net Framework packers/compressors may trigger Windows Defender. I help out on an application fully developed in .Net, and when it was compressed (to save space), it was being flagged left and right, but once it stopped being compressed, it stopped being flagged. – Ismael Miguel Oct 25 '19 at 11:10
  • Even if AV doesn't delete your software today, that doesn't mean it will still leave it alone tomorrow after an update. – Alice Oct 25 '19 at 11:17
  • @Nelson Because the AV will inject itself into the installer or application process and make decisions based on its behavior and not just the dormant executable. You can easily have an executable that won't trigger the filesystem check but will during execution. – Voo Oct 25 '19 at 15:31
30

There's no magic cure unfortunately. False positives by anti-virus software have been a problem for commercial publishers for a long time. It is very common, especially for smaller publishers.

The first thing you want to do is sign all executables in your project as well as the installer. That will go a long way towards helping you. But it's still no guarantee the programs won't be flagged. To sign software you'll need a software signing certificate. It takes a little bit of effort (and money), but it's worth it.

You'll also want to make sure your program plays nicely with Windows, and doesn't do things like writing to places on the drive it shouldn't (such as the Windows directory). Make sure you understand where files should be installed and written to under Windows.

If your program is still getting flagged, you can use a tool like VirusTotal which checks your file against all the major published anti-virus programs. This way you can see which ones are reporting false positives. Usually it's just one or a few that are flagging the program. From there, if need be, you can submit your program to those anti-virus publishers. Most of them have a place where you can do that on their website. This is hit or miss; don't expect immediate responses from them.

GrandmasterB
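The VirusTotal triage this answer describes, as an added Python example that is not the answer's own code. It looks a build up by SHA-256 on VirusTotal's v3 `files` endpoint (assuming an API key in the `VT_API_KEY` environment variable) and reduces the per-engine verdicts to the short list of vendors to contact about a false positive. `SAMPLE_REPORT` is a constructed response with made-up engine names and verdict strings, not a real scan result, so the parsing half can be exercised offline.

```python
"""Which engines flag our build on VirusTotal?

Added example, not code from the original answer. Assumes a VT API key in
VT_API_KEY; the report parsing works on any saved v3 file report.
"""
import hashlib
import json
import os
import sys
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"

# Constructed sample in the shape of a v3 file report (engine names and
# verdicts are invented for the example).
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 1, "suspicious": 1, "undetected": 3, "harmless": 0},
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "Heuristic.Packed.Constructed"},
            "EngineB": {"category": "undetected", "result": None},
            "EngineC": {"category": "suspicious", "result": None},
            "EngineD": {"category": "undetected", "result": None},
            "EngineE": {"category": "undetected", "result": None},
        },
    }}
}


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """GET /api/v3/files/{hash}; raises urllib.error.HTTPError (404 = never seen)."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def flagging_engines(report: dict) -> dict[str, str]:
    """{engine: verdict} for every engine that rated the file malicious or suspicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {
        name: (entry.get("result") or entry["category"])
        for name, entry in sorted(results.items())
        if entry.get("category") in ("malicious", "suspicious")
    }


def summarize(report: dict) -> str:
    """One line for the release log: how many engines flag the file, and which."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    total = sum(stats.values())
    flagged = flagging_engines(report)
    if not flagged:
        return f"0/{total} engines flag this file"
    listing = ", ".join(f"{engine} ({verdict})" for engine, verdict in flagged.items())
    return f"{len(flagged)}/{total} engines flag this file: {listing}"


if __name__ == "__main__":
    digest = sha256_of(sys.argv[1])
    print(summarize(fetch_report(digest, os.environ["VT_API_KEY"])))
```

Querying by hash first is deliberate: anything uploaded to VirusTotal is shared with the participating vendors, so an unreleased build should only be uploaded once you have decided that is acceptable. The vendor names in the output are the ones to file the false-positive report with.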
-1

Going by current tech - and your software will most likely be developed, or at least built, for Windows (10, 64-bit) - get an official licensed developer key from Microsoft to sign your installer and program.

Avoid exe-packers like upk/upx like the plague, stick to well known formats like (7)zip or rar - or use a packaging software to build your installer.

eagle275
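A pre-release gate for the two points in this answer (signed binaries, no exe-packers), as an added Python example that is not the answer's own code. The signature check shells out to `signtool.exe` from the Windows SDK (assumed to be on PATH; `signtool verify /pa` checks against the default Authenticode policy), and the packer check reads the PE section table directly and looks for the `UPX0`/`UPX1`/`UPX2` section names that UPX leaves behind. `build_minimal_pe()` produces a constructed, header-only image for self-testing; it is not an executable.

```python
"""Release gate: every PE file is Authenticode-signed and none is UPX-packed.

Added example, not the answer's own code. Assumes signtool.exe is on PATH for
the signature check; the packer check needs nothing beyond the file bytes.
"""
import shutil
import struct
import subprocess
from pathlib import Path
from typing import List, Optional

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}
PE_SUFFIXES = (".exe", ".dll", ".sys")


def pe_section_names(data: bytes) -> List[bytes]:
    """Return the section names of a PE image, or [] if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        return []
    # COFF header after the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                             # first section header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                                   # 40-byte section headers
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(path) -> bool:
    """Cheap heuristic: UPX keeps its own section names in the stub it writes."""
    return bool(UPX_SECTIONS & set(pe_section_names(Path(path).read_bytes())))


def authenticode_ok(path) -> Optional[bool]:
    """True/False from `signtool verify /pa /q`; None when signtool is unavailable."""
    tool = shutil.which("signtool")
    if tool is None:
        return None
    proc = subprocess.run([tool, "verify", "/pa", "/q", str(path)], capture_output=True)
    return proc.returncode == 0


def release_gate(release_dir) -> dict:
    """Walk the release tree and list packed and unsigned binaries."""
    findings = {"packed": [], "unsigned": []}
    for p in sorted(Path(release_dir).rglob("*")):
        if p.suffix.lower() not in PE_SUFFIXES:
            continue
        if is_upx_packed(p):
            findings["packed"].append(p.name)
        if authenticode_ok(p) is False:
            findings["unsigned"].append(p.name)
    return findings


def build_minimal_pe(section_names) -> bytes:
    """Constructed header-only PE for self-tests: DOS stub, COFF header, section table."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + coff + sections


if __name__ == "__main__":
    import sys
    print(release_gate(sys.argv[1]))
```

The section-name check is only a heuristic for the one packer the answer names; a renamed or different packer will not match it, so it complements rather than replaces the scanner-in-CI test from the accepted answer.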