<p>AVAST did detect ALL Delphi programs as dangerous</p>
<p>2015-09-17 | AB4327-GANDI | Pascal Programming</p>
<p>Today, an avalanche of "<a href="https://en.wikipedia.org/wiki/False_positives_and_false_negatives">false
positive detections</a>" by the AVAST heuristic engine occurred.<br />
Any executable built with Delphi XE8 or Delphi 10 Seattle was identified as a
<em>Win32:Banker-MGC [Trj]</em> threat!</p>
<p><img src="http://spudcomics.com/comics/2015-01-14-pirate.png" width="271" height="276" /></p>
<p><a href="https://en.wikipedia.org/wiki/Heuristic_analysis">Heuristic
analysis</a> is a method employed by many computer antivirus programs designed
to detect previously unknown computer viruses, as well as new variants of
viruses already in the "wild".</p>
<p>AVAST "experts" introduced some detection rules which identified all Delphi
executables as potentially dangerous.</p>
<p>If you make a small Delphi program without any link to the VCL, with some
access to the Internet, a lot of "cheap" AV programs would identify this
program as a danger.<br />
This is the symptom of poorly maintained heuristic rules.</p>
<p>AFAIK it is the first time their "rules" have been defined so poorly that
ANY Delphi program is detected as dangerous.<br />
The AVAST team should not be proud.<br />
A simple test with a fixed, empty Delphi application would be enough to detect
such regressions.</p>
<p>At least, they reacted promptly.<br />
There are still a lot of Delphi programs in the wild! ;)<br />
They <a href="https://forum.avast.com/index.php?topic=176583.msg1252118#msg1252118">claimed
this has been fixed by now</a>.</p>
<p>It certainly cost a lot of money to IT professionals using Delphi
applications.<br />
But you can ask for your money back when something is free, right?</p>
<p>In all cases, what is needed is to check any suspicious executable using
meta-scanners.<br />
See for instance <a href="https://www.virustotal.com/en/file/4d94146d1a50a24c32e6158c414f3f7078912b7f0f46c63e94426d1ede9a9303/analysis/1442480149/">
how a valid Delphi executable was checked today, using VirusTotal online
service</a>.</p>