AVs and False Positives

Today we received 2 different support requests from users informing us that their antivirus software had identified IW14.2.8.exe as a virus/trojan. Among the AV software involved we find Kaspersky, Zone Alarm, Windows Defender and Symantec.

Kaspersky is famous for its heuristic engine false positives, especially against binaries compiled by any Delphi version. Zone Alarm shares the same engine, so whenever Kaspersky reports something, Zone Alarm will do the same. (Un)Fortunately, Delphi is one of the few native programming languages left and that’s why it is used by many virus creators.

We have this issue from time to time, and not only with IntraWeb but with CrossTalk as well. Basically, using Delphi makes the chances of any EXE being flagged as a virus higher because the AV engines rely a lot on heuristics. And since so many viruses are written in Delphi, in many cases the engines “learn” the signature of Delphi-created EXEs rather than the signature of the virus itself.

We have reported the false positives to Microsoft and Symantec. We already have Symantec's response, confirming that the report is a false positive, as follows:

In relation to submission 97436.

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

    File name: iw14.2.8.exe
    MD5: F613B07B34D31EB7B5CDE221A95FFDFA
    SHA256: 53057B142527CFE5885CAF88802AFBD8EE44AAD3D78CC5B173AC79DFD746E4D5
    Note: Whitelisting is available by downloading a RAPID RELEASE indicated in the Further Information section below or via the next Live Update
Further Information:
Required RAPID RELEASE sequence >= 194141

The latest Rapid Release definition available here: http://ftp.ftp.symantec.com/AVDEFS/…pidrelease
To check the current sequence number of the Rapid Release definition: https://www.symantec.com/security_respon…pidrelease
More information on Rapid Release definitions can be found: https://support.symantec.com/en_US/artic…03326.html

If detection persists, please contact support:
* Norton: https://support.norton.com/sp/en/us/home/current/info
* SEP: https://support.symantec.com/en_US/endpo…54619.html

Decisions made by Symantec are subject to change if alterations to the Software are made over time or as classification criteria and/or the policy employed by Symantec changes over time to address the evolving landscape.

For more information on best practices to reduce false positives:
https://www.symantec.com/content/en/us/e….en-us.pdf

Sincerely,
Symantec Security Response
https://www.symantec.com/security-center
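A whitelisting notice like the one above is only useful if the file on disk is the exact build Symantec analysed, so the practical check for a user is to hash the downloaded EXE and compare both digests against the notice. The script below is an added example, not code from Atozed or Symantec: it parses the "File name / MD5 / SHA256" block (the hashes in the sample are the ones quoted above), hashes a file in chunks so large installers are handled, and reports which algorithm, if any, disagrees. The `parse_notice`, `digests`, `verify_bytes` and `verify_file` names are this example's own.

```python
import hashlib
import hmac
import re

# Constructed sample of the notice format quoted above; the file name and
# hashes are the ones Symantec listed for iw14.2.8.exe in the post.
SAMPLE_NOTICE = """\
    File name: iw14.2.8.exe
    MD5: F613B07B34D31EB7B5CDE221A95FFDFA
    SHA256: 53057B142527CFE5885CAF88802AFBD8EE44AAD3D78CC5B173AC79DFD746E4D5
"""

ALGORITHMS = ("MD5", "SHA256")


def parse_notice(text):
    """Extract 'File name', 'MD5' and 'SHA256' from a Symantec-style notice."""
    fields = {}
    for key in ("File name",) + ALGORITHMS:
        m = re.search(rf"^\s*{key}:\s*(\S+)\s*$", text, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields


def digests(data):
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest()}


def verify_bytes(data, expected):
    """Return the names of algorithms whose digest does not match (empty = OK).

    Comparison is case-insensitive because notices use upper-case hex and
    hashlib emits lower-case; compare_digest avoids timing differences."""
    actual = digests(data)
    return [alg for alg in ALGORITHMS
            if alg in expected
            and not hmac.compare_digest(actual[alg].lower(), expected[alg].lower())]


def verify_file(path, notice_text, chunk_size=1 << 20):
    """Hash a file in chunks and compare it with the hashes in the notice."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    actual = {"MD5": md5.hexdigest(), "SHA256": sha256.hexdigest()}
    expected = parse_notice(notice_text)
    return [alg for alg in ALGORITHMS
            if alg in expected
            and not hmac.compare_digest(actual[alg], expected[alg].lower())]
```

A non-empty result means the file you hold is not the build that was whitelisted, and the AV detection should be treated as unresolved rather than dismissed.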