DEV Community

loading...

How to Reduce Antivirus False Positives (Visual C++)

ashishk98 profile image ashishk98 ・3 min read

Hi all, I was recently working on this tool that I had developed for my team in Visual C++, it gathers certain system-level information of a Windows system. The code is written in C++ using Windows API from the Windows SDK and some simple batch commands for ease of implementation. Since this code is supposed to be distributed and used on a large number of machines, it had to be stand-alone executable. So I compiled it using the “Multi-threaded (/MT)” option under Runtime libraries. This option allows us to make an executable stand-alone by fitting the required libraries into a single executable, ready to distribute.

Initially, the executable was working fine across thousands of machines and giving us the expected results. But later, after the 9th March 2020 update of Windows Defender, it started blocking the executable detecting it as a virus. Me being the sole developer of this tool knew the code inside out and was very sure about the fact that there is nothing malicious in my code. To understand the exact problem I tested my executable on Virus Total and to my surprise, it was getting hit by 19 Antiviruses. Microsoft being one of them was a major concern for me as it is present on all the Windows systems by default (Windows Defender).

Since it was clear that these are false positives, I looked for workarounds to reduce these. But developers around the world have given up on this problem because there is nothing we can do about it except for adding an exception in the AV system and if it is to be redistributed, talk to the AV company and get it added as an exception in their database. But talking to the AV companies is not an option for small-scale developers as the companies usually don’t entertain such small cases. So I tried out certain things with my code which has helped me get out of the forest for now and my executable is getting detected by far fewer Antiviruses and Windows Defender is not one of them.

1

Disclaimer: Please note that these are not solid proof methods of reducing AV False Positives, these are methods that I have tried and worked for me.

Following is a list of things that you can do to reduce the Anti-virus false positives for your application:

Google search your executable’s name and check if there is any pre-existing virus with that name. If you get a hit, you should consider renaming your executable.
Create a self-signed code generation certificate or subscribe to one of the Certificate Authorities (CA) to get a code generation certificate and sign your executable with that certificate. In my experience, this method is little to no help to save it from Antivirus’ teeth.
Create a self-executable compressed file using 7-zip as mentioned in this link and the test it on Virus Total if it is still getting detected.
Scan your executable on VirusTotal and identify the virus heuristics category that your executable falls under. Google the virus’ behavior and try to identify if some part of your code resembles the behavior. If so try and re-write that piece of code with a different logic.
Compile the code without statically linking the Runtime Libraries during Code Generation. You can find this option under Project Properties > C/C++ > Code Generation > Runtime Library. Set the Runtime Library option to either “Multi-threaded DLL (/MD)” or “Multi-threaded Debug DLL (/MDd)” depending on your build type.
Downgrade your Windows SDK version and then test your executable on Virus Total.
If you are using Visual Studio 2019, downgrade the platform toolset version to v141 or lower (as shown). Since the compilation and optimization methods differ in these platform toolset versions, it affects the behavior of the executables.

After all the debugging, the final method worked for me. So to conclude, the code generation and optimization method used and the DLLs that come along with the Visual Studio platform toolset v142 caused the Antivirus false positive detection for me.

2

Even though I wasn’t able to stop the executable from getting detected by all the AVs, it wasn’t getting detected by Windows Defender which opens me up to a majority of the systems.

Discussion (0)

Forem Open with the Forem app