Windows Service and auto-update process being accused of viruses by Avast


My Windows Service application, written in Delphi 6, is being flagged as a virus by Avast during its self-update process.

As soon as the build finishes producing the executable, Avast already reports a virus: it flags it as Win32:Evo-gen [Susp].

The update runs in a thread, using this method:

procedure TThreadAutoUpdate.Update;
var
  fileDownload: TFileStream;
  bDownloaded: Boolean;
  fileBat: TStringList;
  cAppName: string;
  cBatName: string;
begin
  bDownloaded := False;
  cAppName := Application.ExeName;
  if FileExists(cAppName + '.tmp') then
    DeleteFile(PChar(cAppName + '.tmp'));
  fileDownload := TFileStream.Create(cAppName + '.tmp', fmCreate);
  try
    AddLog('Logando ...');
    // Host takes a bare host name; Indy does not strip an ftp:// scheme here
    FIdFTP.Host := 'fakeDeDownload.com.br';
    FIdFTP.{$if CompilerVersion < 16}User{$else}Username{$ifend} := 'update';
    FIdFTP.Password := 'update';
    try
      // Connect inside the try so a connection failure is logged as well
      FIdFTP.Connect({$if CompilerVersion < 16}true{$ifend});
      AddLog('Efetuando download ...');
      FIdFTP.Get('MyService.exe', fileDownload);
      if FIdFTP.Connected then
        FIdFTP.Disconnect;
      bDownloaded := True;
    except
      on e: Exception do
      begin
        bDownloaded := False;
        AddLog('Não foi possível atualizar o serviço');
        AddLog('Motivo: ' + e.Message);
      end;
    end;
  finally
    FreeAndNil(fileDownload);
  end;

  if bDownloaded then
  begin
    AddLog('Download efetuado');
    AddLog('Trocando os executáveis');
    // A running executable cannot overwrite itself, so a batch file stops
    // the service, swaps the binary, restarts the service and deletes itself
    fileBat := TStringList.Create;
    try
      cBatName := THelpers.GetTempDirectory + ExtractFileName(cAppName) + '.bat';
      fileBat.Add('@echo off');
      fileBat.Add('net stop MyServiceSvc');
      fileBat.Add(':Label1');
      fileBat.Add('del "' + cAppName + '"');
      fileBat.Add('taskkill /f /im "' + ExtractFileName(cAppName) + '"');
      fileBat.Add('if Exist "' + cAppName + '" goto Label1');
      fileBat.Add('Move "' + cAppName + '.tmp" "' + cAppName + '"');
      fileBat.Add('net start MyServiceSvc');
      fileBat.Add(':Label2');
      fileBat.Add('del "' + cBatName + '"');
      fileBat.Add('if Exist "' + cBatName + '" goto Label2');
      fileBat.SaveToFile(cBatName);
      // Quote the path in case the temp directory contains spaces
      WinExec(PAnsiChar(AnsiString('"' + cBatName + '"')), SW_HIDE);
      AddLog('Atualização efetuada com sucesso');
    finally
      fileBat.Free;
    end;
  end;
end;

But if I leave exactly this line commented out, the executable is no longer flagged:

// FIdFTP.Get('MyService.exe', FileDownload);

Does anyone have any idea what might be going on?

  • (2) The simplest way is to work around the command that is generating the false positive; the most complex is to send a false-positive report to every antivirus vendor.

  • (3) I suggest you also post this question on SOEN with the Indy tag so that Remy Lebeau takes a look. After all, he is the father of the child.

  • Have you tried moving the function out of the thread? Make a separate download-file function? Here it did not give a false positive on Avast.

  • (3) Exactly. To detect a virus signature, the mechanism needs to pick up several factors. You also complicated everything by putting a .bat and an FTP download in the same thread! With a little malice and the same skeleton you have a trojan.

  • (1) Three more functions and you have a RAT there. But the important thing is to update the client system! haha

1 answer

2


You're not the only one facing this problem; see this topic on the Avast forum. The antivirus is detecting your app as a Trojan Downloader, and it is right to do so.

To get around the problem, the correct approach is to contact the antivirus vendor and report the false positive. Click here to open the Avast contact form.


One attempt that can be effective is to call the function that trips the antivirus dynamically. The FtpGetFile function from the WinInet unit has the same purpose as IdFTP's Get.

Loading the function FtpGetFile dynamically:

unit DynWinInet;

interface

uses
  Windows;

type
  HINTERNET = Pointer;
  PHINTERNET = ^HINTERNET;
  LPHINTERNET = PHINTERNET;
  INTERNET_PORT = Word;
  PINTERNET_PORT = ^INTERNET_PORT;
  LPINTERNET_PORT = PINTERNET_PORT;

// Same signature as WinInet's FtpGetFileW, but resolved at run time.
// Returns False if wininet.dll or the export cannot be found.
// If your Delphi version lacks DWORD_PTR, declare it as Cardinal (32-bit).
function MyFtpGetFile(hConnect: HINTERNET; lpszRemoteFile: LPWSTR;
  lpszNewFile: LPWSTR; fFailIfExists: BOOL; dwFlagsAndAttributes: DWORD;
  dwFlags: DWORD; dwContext: DWORD_PTR): BOOL;

implementation

const
  WNETDLL = 'wininet.dll';
  WNETFNC = 'FtpGetFileW';

type
  TFtpGetFileW = function(hConnect: HINTERNET; lpszRemoteFile: LPWSTR;
    lpszNewFile: LPWSTR; fFailIfExists: BOOL; dwFlagsAndAttributes: DWORD;
    dwFlags: DWORD; dwContext: DWORD_PTR): BOOL; stdcall;

function MyFtpGetFile(hConnect: HINTERNET; lpszRemoteFile: LPWSTR;
  lpszNewFile: LPWSTR; fFailIfExists: BOOL; dwFlagsAndAttributes: DWORD;
  dwFlags: DWORD; dwContext: DWORD_PTR): BOOL;
var
  hLib: HMODULE;
  F: TFtpGetFileW;
begin
  Result := False;
  hLib := LoadLibrary(WNETDLL);
  if hLib = 0 then
    Exit;
  F := GetProcAddress(hLib, WNETFNC);
  if Assigned(F) then
    Result := F(hConnect, lpszRemoteFile, lpszNewFile, fFailIfExists,
      dwFlagsAndAttributes, dwFlags, dwContext);
end;

end.

Here is an example of using the FtpGetFile function:

uses Windows, WinInet;

const
  FtpUrl = 'ftp://ftp.foo.bar/';
  FtpServer = 'ftp.foo.bar';

function DownloadFtp(const Usuario, Senha, RemoteFile, LocalFile: string): Boolean;
var
  HI, FI: HINTERNET;
  pUser, pPass: PChar;
begin
  Result := False;
  FI := nil;
  HI := InternetOpen('Ftp', INTERNET_OPEN_TYPE_DIRECT, nil, nil, 0);
  if not Assigned(HI) then
    Exit;
  try
    // nil credentials tell WinInet to log in anonymously
    if Usuario = '' then pUser := nil else pUser := PChar(Usuario);
    if Senha = '' then pPass := nil else pPass := PChar(Senha);
    FI := InternetConnect(HI, PChar(FtpServer), INTERNET_DEFAULT_FTP_PORT,
      pUser, pPass, INTERNET_SERVICE_FTP, 0, 0);
    if Assigned(FI) then
      // This example downloads a text file, hence the ASCII transfer type
      Result := FtpGetFile(FI, PChar(RemoteFile), PChar(LocalFile), False, 0,
        FTP_TRANSFER_TYPE_ASCII, 0);
  finally
    if Assigned(FI) then
      InternetCloseHandle(FI);
    InternetCloseHandle(HI);
  end;
end;

In a button's click handler, put this code:

procedure TForm1.Button1Click(Sender: TObject); // handler name assumed
var
  Descarregado: Boolean;
begin
  Descarregado := DownloadFtp('', '', '/remoteFile.txt', 'localFile.txt');
  if Descarregado then
    ShowMessage('Arquivo baixado com sucesso!')
  else
    ShowMessage('Erro ao baixar arquivo.');
end;

In this example the text file ftp://ftp.foo.bar/remoteFile.txt will be downloaded and saved in the executable's directory as localFile.txt.

Basically that's it; there is much more that needs to be implemented. For more information on the subject, read the article below:
