Why does AVG(antivirus) detect an executable produced from Dev-C++ as a virus?

Solution 1

Why is AVG labeling my C++ program a virus?

For example, here is a C++ program that AVG detects as a virus:

#include <cstdlib>
#include <iostream>
using namespace std;
int main(int argc, char** argv) {
    cout << "done";
    return 0;
}

Running the executable, I get AVG popup window with this text:

AVG Resident Shield Alert
Threat detected!
File name: c:\Documents and Settings\eleschinski\Desktop\workspace\CppApplication_2\dist\Debug\MinGW-Windows\cppapplication_2.exe
Threat name:  Trojan horse Agent3.CJAI (More Info)
Move to Vault (Recommended)
Go to file
Ignore the threat

Screenshot of what AVG does:

Summary, What's going on here?

AVG antivirus is a program that runs on your computer and uses heuristics and other imprecise algorithms to identify which programs have unwanted, evil agendas. AVG takes the contents of your executable file as input and has decided that your program is unsafe.

Antivirus writers are using the Enumerating Badness strategy to identify malware in the world, and it is coming back to bite them because this is the wrong approach to the problem of detecting malware. One problem with Enumerating Badness is the false positives, the problem you experience now.

Steps to take to get a better understanding of the problem:

Step 1. First you want to be very sure which file AVG is complaining about. To do this, go to AVG -> Tools menu -> Scan file. Choose the offending executable or file named in your threat window. AVG will scan the file instantly and recommend adding it to the vault. At this point you know that AVG considers this file alone to be the malware.

Step 2. Get a second opinion about this malware/virus file; better yet, get 50 independent second opinions. Go to the website https://www.virustotal.com, where you can upload your file for free and have it analyzed by about 50 different antivirus programs. If the majority of them think it is a virus, then AVG has done well. But if only a few antivirus programs label your file as evil, then it's possible that AVG has a false positive.

Step 3. An easy way to convince AVG that your C++ program is safe is to add the C++ statement system("pause"); at the beginning of your C++ program, then recompile and re-run. For me, AVG then warns me about it, I click Ignore, and it lets me run it anyway. Also, try using 'return 1' instead of 'return 0' at the end of your main function. It will let you run it. If that seems bizarre, it is. Virus writers are smarter than antivirus writers by getting antivirus software to see too many false positives.

Step 4. See if you can white-list your program. Go into the "Virus Vault" in AVG. AVG -> History menu -> Virus Vault. Find the line items that represent your offending C++ program and release them from the virus vault, or white list them, and try again.

Solutions:

Option 1: Acknowledge that the virus writers are winning the war against antivirus software. It's easier to hide something than it is to survey everything and spot all badness. AVG can't tell the difference between a legitimate virus and some C++ program you just made. Get new antivirus software, or get an operating system that doesn't need antivirus software (Linux), or go without antivirus software altogether and keep lots of offline, offsite backups.

Option 2: Tell AVG to stop analyzing files with the .EXE extension. WARNING: this will decrease AVG's ability to protect your computer from real viruses/malware. Go to AVG console -> Tools -> Advanced Settings -> Anti Virus -> Resident Shield -> Expert Settings. You will see a textbox with the label "always scan files with the following extensions". Remove the EXE; from that textbox. Save and try re-running your program. AVG will no longer complain about your something.exe executable.

Option 3: Fiddle with your C++ program until it stops being labelled a virus. Add some #include headers and remove some others. An inconsequential change could make all the difference in whether AVG decides your file is malignant.

And if anyone from AVG is interested in chasing this bug down, here is the false positive executable for the above.
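
The Step 2 check above can be scripted rather than done by hand in the browser. The script below is an added example, not part of the original answer: it hashes the executable, looks the hash up through VirusTotal's public v3 API (GET /api/v3/files/{sha256} with the key in the x-apikey header), and applies the answer's own rule of thumb (a majority of engines flagging it backs AVG; a handful of hits points at a false positive). The JSON under SAMPLE_VT_RESPONSE is a constructed, trimmed stand-in for a real report so the summarising logic runs offline; the API key name VT_API_KEY and the lookup-by-hash flow (which only works if someone has already uploaded that exact file) are assumptions of this example.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

# Constructed, trimmed stand-in for a VirusTotal API v3 "files" object.
# It is NOT a real scan result for the executable in the question.
SAMPLE_VT_RESPONSE = json.dumps({
    "data": {
        "attributes": {
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 0, "undetected": 58,
                "harmless": 0, "timeout": 0, "type-unsupported": 5,
            },
            "last_analysis_results": {
                "AVG": {"category": "malicious", "result": "Trojan horse Agent3.CJAI"},
                "Avast": {"category": "malicious", "result": "Win32:Trojan-gen"},
                "Microsoft": {"category": "undetected", "result": None},
            },
        }
    }
})


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Hash in 1 MiB chunks so a large binary never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_vt_report(sha256, api_key):
    """Look the hash up on VirusTotal. Returns the JSON text, or None on 404
    (nobody has submitted this exact file yet, so upload it via the web UI)."""
    req = urllib.request.Request(
        "https://www.virustotal.com/api/v3/files/" + sha256,
        headers={"x-apikey": api_key},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize(report_json):
    """Reduce a v3 file object to (flagged, engines_that_scanned, [flagging engines])."""
    attrs = json.loads(report_json)["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    # Engines that timed out or cannot handle the file type are not votes either way.
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    names = sorted(
        name for name, r in attrs.get("last_analysis_results", {}).items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return flagged, total, names


def verdict(flagged, total):
    """The answer's rule of thumb: majority agreement backs AVG, a few hits suggest a false positive."""
    if total == 0:
        return "no engines scanned this file"
    if flagged * 2 > total:
        return "majority flagged (%d of %d): treat as malicious" % (flagged, total)
    if flagged == 0:
        return "no engine flagged: almost certainly clean"
    return "minority flagged (%d of %d): likely a false positive, verify before trusting" % (flagged, total)


if __name__ == "__main__":
    api_key = os.environ.get("VT_API_KEY")  # assumed variable name
    if len(sys.argv) > 1 and api_key:
        digest = sha256_of_file(sys.argv[1])
        print("sha256:", digest)
        report = fetch_vt_report(digest, api_key)
        if report is None:
            print("not on VirusTotal yet; upload it at https://www.virustotal.com")
            sys.exit(0)
    else:
        print("no file/API key given, running on the constructed sample report")
        report = SAMPLE_VT_RESPONSE
    flagged, total, names = summarize(report)
    print("flagged by:", ", ".join(names) or "nobody")
    print(verdict(flagged, total))
```

Run it as `python vt_check.py path\to\cppapplication_2.exe` with VT_API_KEY set; without arguments it summarises the constructed sample, where only 2 of 60 engines flag the file, which is exactly the minority-hit pattern the answer describes as a probable false positive.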

Solution 2

Maybe this will shed some light on the whole thing, as it seems that AVG somehow doesn't like the combination of a (probably) older version of gcc (as Dev-C++ isn't in development anymore) and an empty program.

Solution 3

When you Google "define EXIT_SUCCESS" you will see that it should be "0".

Try to decompile your executable file using IDA Pro Disassembler + Hex Rays Decompiler and see what is really going on there :)

Comments

  • iKlsR
    iKlsR over 1 year

    I created a default Dev-C++ project and instead of the usual return 0;, it had return EXIT_SUCCESS; and upon compiling and running it, I was alerted by my antivirus that the executable was a virus.

    I tried the same code with Visual C++, Eclipse and Codeblocks and they all compiled it successfully … so I am a bit confused here..

    — Why does AVG detect executables produced from Dev-C++ with the line return EXIT_SUCCESS; as a virus when other similar macros work perfectly fine?

  • iKlsR
    iKlsR over 12 years
Thanks. I did a search of my headers and found it in stdlib.h as 0; it works now, but I'm wondering how it escaped Dev and AVG picked it up as an error... undefined macro or something. Oddly weird.
  • Wennie
    Wennie about 8 years
    Perfect answer, very clear and precise. I am having this problem in my Delphi XE8 and Avast Antivirus too.
  • Jerry Dodge
    Jerry Dodge about 7 years
    "or get an operating system that doesn't need antivirus software (linux)" I couldn't help but to laugh. No OS is immune to viruses. It all depends on how likely virus authors are to target a certain OS. Windows seems to be the biggest target, so that's what they write for. I can write a virus / malware for Linux, OS-X, iOS, and Android if I wanted to.