My Windows Service application, written in Delphi 6, is being flagged as a virus by Avast during its self-update process.
As soon as the build finishes producing the executable, Avast already reports a virus: it flags it as Win32:Evo-gen [Susp].
The update runs in a thread, using this method:
procedure TThreadAutoUpdate.Update;
var
  FileDownload: TFileStream;
  bDownloaded: boolean;
  fileBat: TStringList;
  cAppName: string;
  cBatName: string;
begin
  bDownloaded := False;  // keep the flag defined even if Connect raises
  cAppName := Application.ExeName;
  if FileExists(cAppName + '.tmp') then
    DeleteFile(PChar(cAppName + '.tmp'));
  FileDownload := TFileStream.Create(cAppName + '.tmp', fmCreate);
  try
    AddLog('Logando ...');
    // TIdFTP.Host takes a bare host name; an 'ftp://' scheme prefix is not part of it
    FIdFTP.Host := 'fakeDeDownload.com.br';
    FIdFTP.{$if CompilerVersion < 16}User{$else}Username{$ifend} := 'update';
    FIdFTP.Password := 'update';
    FIdFTP.Connect({$if CompilerVersion < 16}true{$ifend});
    try
      AddLog('Efetuando download ...');
      // download the new build into <exe>.tmp next to the running executable
      FIdFTP.Get('MyService.exe', FileDownload);
      if FIdFTP.Connected then
        FIdFTP.Disconnect;
      bDownloaded := True;
    except
      on e: Exception do
      begin
        bDownloaded := False;
        AddLog('Não foi possível atualizar o serviço');
        AddLog('Motivo: ' + e.Message);
      end;
    end;
  finally
    FreeAndNil(FileDownload);
  end;
  if bDownloaded then
  begin
    AddLog('Download efetuado');
    AddLog('Trocando os executáveis');
    // the swap is delegated to a batch file because a running executable cannot replace itself
    fileBat := TStringList.Create;
    try
      cBatName := THelpers.GetTempDirectory + ExtractFileName(cAppName) + '.bat';
      fileBat.Add('net stop MyServiceSvc');
      fileBat.Add(':Label1');
      fileBat.Add('@echo off');
      fileBat.Add('del "' + cAppName + '"');
      fileBat.Add('taskkill /f /im "' + ExtractFileName(cAppName) + '"');
      fileBat.Add('if Exist "' + cAppName + '" goto Label1');  // retry until the old exe is gone
      fileBat.Add('Move "' + cAppName + '.tmp' + '" "' + cAppName + '"');
      fileBat.Add('net start MyServiceSvc');
      fileBat.Add(':Label2');
      fileBat.Add('del "' + cBatName + '"');
      fileBat.Add('if Exist "' + cBatName + '" goto Label2');  // the batch file deletes itself
      fileBat.SaveToFile(cBatName);
      WinExec(PAnsiChar(AnsiString(cBatName)), SW_HIDE);
      AddLog('Atualização efetuada com sucesso');
    finally
      fileBat.Free;
    end;
  end;
end;
But if I leave exactly this line commented out, the executable is no longer flagged:
// FIdFTP.Get('MyService.exe', FileDownload);
Does anyone have any idea what might be going on?
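The updater above writes whatever the FTP server returns straight to `<exe>.tmp` and then swaps it into place, so nothing checks that the downloaded binary is the one the vendor published. As an added example (not code from the question or from any answer, and written in Python rather than Delphi so it can be run anywhere), the following shows the file-handling part of a self-update with the two checks a practitioner would want before the swap: an integrity check against an expected SHA-256 digest, and an atomic replace that keeps the previous build for rollback. The digest source, the `.tmp`/`.bak` naming and the constructed sample bytes are assumptions; stopping and restarting the service is left to the service control step the original batch already performs.

```python
"""Staged self-update: verify the downloaded build before swapping it in.

Added example; the expected digest is assumed to come from a trusted,
out-of-band source (for instance a signed release manifest), never from the
same unauthenticated FTP channel as the binary itself.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_download(candidate: bytes, expected_sha256: str) -> bool:
    """Constant-time comparison of the candidate's digest with the expected one."""
    return hmac.compare_digest(sha256_hex(candidate), expected_sha256.lower())


def stage_update(install_path: str, candidate: bytes, expected_sha256: str) -> str:
    """Write the candidate build to <install_path>.tmp only if its hash matches.

    Returns the staged path. Raises ValueError on mismatch, and in that case
    nothing is written to disk, so a bad download never sits next to the exe.
    """
    if not verify_download(candidate, expected_sha256):
        raise ValueError("downloaded binary does not match expected SHA-256; update aborted")
    staged = install_path + ".tmp"
    with open(staged, "wb") as fh:
        fh.write(candidate)
    return staged


def apply_update(install_path: str, staged_path: str) -> str:
    """Atomically move the staged build into place, keeping the old one as .bak.

    Assumes the service has already been stopped. If the final rename fails,
    the previous build is restored so the install path is never left empty.
    Returns the backup path.
    """
    backup = install_path + ".bak"
    if os.path.exists(install_path):
        os.replace(install_path, backup)
    try:
        os.replace(staged_path, install_path)
    except OSError:
        if os.path.exists(backup):
            os.replace(backup, install_path)  # roll back
        raise
    return backup


def demo() -> dict:
    """Run the flow in a temporary directory with constructed bytes."""
    old_build = b"MZ constructed old build bytes"      # constructed sample
    new_build = b"MZ constructed new build bytes"      # constructed sample
    tampered = b"MZ constructed tampered bytes"        # constructed sample
    expected = sha256_hex(new_build)                   # assumed to come from a trusted manifest
    results = {}
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "MyService.exe")
        with open(exe, "wb") as fh:
            fh.write(old_build)
        # a modified download must be rejected before anything touches disk
        try:
            stage_update(exe, tampered, expected)
            results["tampered_rejected"] = False
        except ValueError:
            results["tampered_rejected"] = True
        results["tmp_absent_after_reject"] = not os.path.exists(exe + ".tmp")
        # the genuine build is staged, then swapped in with a backup of the old one
        staged = stage_update(exe, new_build, expected)
        backup = apply_update(exe, staged)
        with open(exe, "rb") as fh:
            results["installed_is_new"] = fh.read() == new_build
        with open(backup, "rb") as fh:
            results["backup_is_old"] = fh.read() == old_build
        results["tmp_removed"] = not os.path.exists(staged)
    return results


if __name__ == "__main__":
    print(demo())
```

The same two steps map directly onto the Delphi code: hash the `.tmp` file after `FIdFTP.Get` and only then proceed to the swap, and move the old executable aside instead of looping on `del` until it disappears. Neither step changes what a heuristic scanner sees, but they close the gap that matters more: a service that installs and runs any file served over plain FTP with a fixed account.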
The simplest way is to work around the command that is generating the false positive; the most complex is to submit a false-positive report to every anti-virus vendor.
– Filipe.Fonseca
I suggest you also post this question on SOEN with the Indy tag so that Remy Lebeau takes a look. After all, he is the child's father.
– Filipe.Fonseca
Have you tried moving the function out of the thread? Making a separate download-file function? Here it did not give a false positive on Avast.
– Filipe.Fonseca
Exactly. To detect a virus signature, the mechanism needs to pick up several factors. You also complicated everything by putting a bat file and an FTP download in the same thread! With a little malice, the same skeleton gives you a trojan.
– Filipe.Fonseca
Three more functions and you have a RAT there. But the important thing is to update the client system! haha
– Filipe.Fonseca