
Why do simple old programs like this that I've had lying around for years sometimes set off my anti-virus? It picked up the compiled exe for this one and said it might be a gen/dropper or something like that.

Here's the code:

#include "c:\\dxsdk\\include\\d3d9.h"
#include "c:\\dxsdk\\include\\d3dx9.h"
#include <time.h>
#include <sstream>
using namespace std;

// Used both as the window class name and as the window caption in WinMain.
#define APPTITLE "DirectX Practice"

// Forward declarations; the definitions follow WinMain.
LRESULT CALLBACK WinProc(HWND,UINT,WPARAM,LPARAM);  // window procedure
int Initialize(HWND);                               // creates the D3D objects, returns 1 on success and 0 on failure
void OnCleanup(HWND);                               // called from WinProc on WM_DESTROY
void OnInterval(HWND);                              // called by the main loop whenever no message is pending
BOOL KEY_DOWN(UINT);                                // GetAsyncKeyState-based key polling
BOOL KEY_UP(UINT);                                  // inverse of KEY_DOWN

// Global Direct3D state shared by Initialize, OnInterval and OnCleanup.
LPDIRECT3D9 d3d = NULL;                // set by Direct3DCreate9 in Initialize
LPDIRECT3DDEVICE9 d3ddev = NULL;       // set by CreateDevice in Initialize
LPDIRECT3DSURFACE9 backBuffer = NULL;  // obtained with GetBackBuffer in Initialize
LPDIRECT3DSURFACE9 surface = NULL;     // off-screen surface that Initialize fills from "green.jpg"
// Window and back-buffer size in pixels; assigned at the start of WinMain.
UINT Screen_Width  = 0;
UINT Screen_Height = 0;

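/// Program entry point: registers the window class, creates a topmost popup
/// window, initializes Direct3D and then alternates between message handling
/// and rendering until WM_QUIT is received.
///
/// @param hInstance     Module instance used for the window class and window.
/// @param hPrevInstance Unused.
/// @param lpCmdLine     Unused.
/// @param nCmdShow      Unused; the window is always shown with SW_SHOW.
/// @return FALSE (0) if class registration, window creation or Initialize
///         fails, otherwise the wParam of the WM_QUIT message.
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    (void)hPrevInstance;
    (void)lpCmdLine;
    (void)nCmdShow;

    // Zeroed so that msg.wParam is defined on every path that reaches the return.
    MSG msg;
    ZeroMemory(&msg, sizeof(msg));

    // Hard-coded resolution; the GetSystemMetrics queries are disabled because
    // the real resolution cannot be used if it is not a standard mode.
    Screen_Width = 1280;//GetSystemMetrics(SM_CXFULLSCREEN);
    Screen_Height= 800;//GetSystemMetrics(SM_CYFULLSCREEN);

    // Only reachable if the assignments above are switched back to a query
    // that can return 0.
    if( Screen_Width==0 || Screen_Height==0 ){
        MessageBox(
            NULL,
            "Could not detect native screen resolution. Using Default.",
            "Error",
            MB_ICONERROR|MB_SYSTEMMODAL);
        Screen_Width = 800;
        Screen_Height = 600;
    }

    WNDCLASSEX wc;
    wc.cbSize = sizeof(WNDCLASSEX);
    wc.style = CS_HREDRAW|CS_VREDRAW;
    wc.lpfnWndProc = (WNDPROC)WinProc;
    wc.cbClsExtra = 0;
    wc.cbWndExtra = 0;
    wc.hInstance = hInstance;
    wc.hIcon = NULL;
    wc.hCursor = LoadCursor(NULL,IDC_ARROW);
    wc.hbrBackground = (HBRUSH)GetSysColorBrush(COLOR_BTNFACE);
    wc.lpszMenuName = NULL;
    wc.lpszClassName = APPTITLE;
    wc.hIconSm = NULL;

    if(!RegisterClassEx(&wc))
        return FALSE;

    // WS_EX_TOPMOST is an extended style, so it has to be passed through
    // CreateWindowEx's dwExStyle argument; OR-ing it into the ordinary style
    // bits of CreateWindow does not make the window topmost.
    HWND hwnd = CreateWindowEx(
        WS_EX_TOPMOST,
        APPTITLE,
        APPTITLE,
        WS_VISIBLE|WS_POPUP,
        CW_USEDEFAULT,
        CW_USEDEFAULT,
        Screen_Width,
        Screen_Height,
        NULL,
        NULL,
        hInstance,
        NULL);

    if(!hwnd)
        return FALSE;

    ShowWindow(hwnd,SW_SHOW/*nCmdShow*/);
    UpdateWindow(hwnd);

    if(!Initialize(hwnd))
        return FALSE;

    bool done = false;
    while( !done )
    {
        if(PeekMessage(&msg,NULL,0,0,PM_REMOVE))
        {
            if(msg.message==WM_QUIT)
            {
                // The window has usually been destroyed by the time WM_QUIT
                // arrives, so it is used as the owner only while still valid.
                MessageBox(IsWindow(hwnd) ? hwnd : NULL,"Exiting","Notice",MB_OK|MB_SYSTEMMODAL);
                done = true;
            }
            else
            {
                // WM_QUIT itself is not translated or dispatched.
                TranslateMessage(&msg);
                DispatchMessage(&msg);
            }
        }else{
            // Queue is empty: render one frame.
            OnInterval(hwnd);
        }
    }

    // If the loop ended while the window still exists (WM_QUIT posted without
    // WM_DESTROY), destroy it so that WinProc runs OnCleanup and the Direct3D
    // objects are released.
    if(IsWindow(hwnd))
        DestroyWindow(hwnd);

    return static_cast<int>(msg.wParam);
}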

/// Window procedure for the APPTITLE window class.
///
/// WM_DESTROY runs OnCleanup and posts the quit message; every other message
/// is forwarded to DefWindowProc.
///
/// @return 0 for WM_DESTROY, otherwise the result of DefWindowProc.
LRESULT CALLBACK WinProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam)
{
    // Anything that is not WM_DESTROY gets default processing.
    if (msg != WM_DESTROY)
    {
        return DefWindowProc(hwnd, msg, wParam, lParam);
    }

    // Release the Direct3D objects first, then ask the message loop to stop.
    OnCleanup(hwnd);
    PostQuitMessage(0);
    return 0;
}

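/// Creates the Direct3D 9 object, a full-screen device on the default adapter,
/// fetches the back buffer, and creates an off-screen surface that is filled
/// from "green.jpg".
///
/// Every failure is reported with a message box. Objects created before the
/// failing step stay in the globals and are not released here.
///
/// @param hwnd Window used as the device window and as the message-box owner.
/// @return 1 on success, 0 on failure.
int Initialize(HWND hwnd)
{
    d3d = Direct3DCreate9(D3D_SDK_VERSION);
    if(d3d == NULL){
        MessageBox(hwnd,"Could not initialize Direct3D 9","Error",MB_ICONERROR|MB_SYSTEMMODAL);
        return 0;
    }

    // Full-screen, single back buffer, sized from the globals set in WinMain.
    D3DPRESENT_PARAMETERS dp;
    ZeroMemory(&dp,sizeof(dp));
    dp.Windowed = FALSE;
    dp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    dp.BackBufferFormat = D3DFMT_X8R8G8B8;
    dp.BackBufferCount = 1;
    dp.BackBufferWidth = Screen_Width;
    dp.BackBufferHeight = Screen_Height;
    dp.hDeviceWindow = hwnd;

    // Failure is reported through the HRESULT; the pointer check is kept as a
    // second line of defence.
    const HRESULT deviceResult = d3d->CreateDevice(
        D3DADAPTER_DEFAULT,
        D3DDEVTYPE_HAL,
        hwnd,
        D3DCREATE_SOFTWARE_VERTEXPROCESSING,
        &dp,
        &d3ddev);

    if(FAILED(deviceResult) || d3ddev == NULL){
        MessageBox(hwnd,"Could not create Direct3D 9 device","Error",MB_ICONERROR|MB_SYSTEMMODAL);
        return 0;
    }

    // srand takes unsigned int; time_t may be wider, so narrow explicitly.
    srand(static_cast<unsigned int>(time(NULL)));

    d3ddev->Clear(0,NULL,D3DCLEAR_TARGET,D3DCOLOR_XRGB(0,0,0),1.0f,0);

    // OnInterval blits into backBuffer every frame, so a failure here must
    // stop initialization instead of leaving the pointer NULL.
    if(FAILED(d3ddev->GetBackBuffer(0,0,D3DBACKBUFFER_TYPE_MONO,&backBuffer)) || backBuffer == NULL)
    {
        MessageBox(hwnd,"Could not get back buffer","Error",MB_ICONERROR|MB_SYSTEMMODAL);
        return 0;
    }

    // Fixed 1294x614 surface; presumably the dimensions of green.jpg -- TODO confirm.
    if(FAILED(d3ddev->CreateOffscreenPlainSurface(
            1294,614,
            D3DFMT_X8R8G8B8,
            D3DPOOL_DEFAULT,
            &surface,
            NULL)))
    {
        MessageBox(hwnd,"Could not create off-screen data surface","Error",MB_ICONERROR|MB_SYSTEMMODAL);
        return 0;
    }

    // NOTE(review): "green.jpg" is a relative path, so the image is taken from
    // the process's current working directory, which is not necessarily the
    // folder that holds the executable.
    if(FAILED(D3DXLoadSurfaceFromFile(
            surface,
            NULL,
            NULL,
            "green.jpg",
            NULL,
            D3DX_DEFAULT,
            0,
            NULL)))
    {
        MessageBox(hwnd,"Could not load image","Error",0);
        return 0;
    }

    return 1;
}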
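/// Shows the exit notice and releases every Direct3D object held in the
/// globals, resetting each pointer to NULL afterwards.
///
/// @param hwnd Owner window for the message box.
void OnCleanup(HWND hwnd)
{
    MessageBox(hwnd,"exiting","bye",MB_ICONERROR|MB_SYSTEMMODAL);

    // Surfaces go first, then the device that created them, then the D3D object.
    if( surface!=NULL )
    {
        surface->Release();
        surface = NULL;
    }
    // GetBackBuffer handed out its own reference, so it needs its own Release.
    if( backBuffer!=NULL )
    {
        backBuffer->Release();
        backBuffer = NULL;
    }
    if(d3ddev!=NULL)
    {
        d3ddev->Release();
        // OnInterval tests d3ddev against NULL before rendering; clearing the
        // pointer keeps a later call from using a released device.
        d3ddev = NULL;
    }
    if(d3d!=NULL)
    {
        d3d->Release();
        d3d = NULL;
    }
}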
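/// Per-frame work, called by the main loop when no message is pending:
/// requests shutdown if ESC is down, clears the back buffer, blits the
/// off-screen surface onto it and presents the frame.
///
/// The earlier experiment that filled the surface with a random color and
/// blitted it into a random rectangle is disabled; the whole surface is now
/// stretched over the whole back buffer.
///
/// @param hwnd Window that receives the close request.
void OnInterval(HWND hwnd)
{
    // Ask the window to close instead of posting WM_QUIT directly: WM_CLOSE
    // leads through DefWindowProc to WM_DESTROY, where WinProc runs OnCleanup
    // and calls PostQuitMessage.
    if( KEY_DOWN(VK_ESCAPE) )
        PostMessage(hwnd,WM_CLOSE,0,0);

    if(d3ddev == NULL)
        return;

    d3ddev->Clear(0,NULL,D3DCLEAR_TARGET,D3DCOLOR_XRGB(0,0,0),1.0f,0);

    // BeginScene returns an HRESULT and D3D_OK is 0, so a plain truth test
    // would enter the block only when the call had failed.
    if(SUCCEEDED(d3ddev->BeginScene()))
    {
        // A NULL destination rectangle means the entire back buffer; the RECT
        // that used to be passed here is no longer declared.
        if(surface != NULL && backBuffer != NULL)
            d3ddev->StretchRect(surface,NULL,backBuffer,NULL,D3DTEXF_NONE);

        d3ddev->EndScene();
    }
    d3ddev->Present(NULL,NULL,NULL,NULL);
}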


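/// Reports whether a virtual key is currently held down.
///
/// GetAsyncKeyState returns the key's state at the moment of the call rather
/// than reading this window's keyboard messages; bit 0x8000 is the "down" bit.
///
/// NOTE(review): polling this API is also a pattern seen in input-monitoring
/// tools, so heuristic scanners may weigh it; whether it plays any part in the
/// detection discussed on this page is unconfirmed. Handling WM_KEYDOWN in
/// WinProc would scope the ESC check to this window.
///
/// @param key Virtual-key code, e.g. VK_ESCAPE.
/// @return TRUE if the key is down, FALSE otherwise.
BOOL KEY_DOWN(UINT key)
{
    // Normalize to TRUE/FALSE so that callers comparing against TRUE also work;
    // the raw masked value would be 0x8000.
    return (GetAsyncKeyState(static_cast<int>(key)) & 0x8000) != 0 ? TRUE : FALSE;
}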
/// Reports whether a virtual key is currently not held down.
///
/// @param key Virtual-key code.
/// @return Non-zero when the 0x8000 "down" bit from GetAsyncKeyState is clear.
BOOL KEY_UP(UINT key)
{
    const int downBit = GetAsyncKeyState(key) & 0x8000;
    return downBit == 0;
}

What is setting off the virus scanner, and more precisely, what can I do to avoid that?

Charles
freenode5
  • This site is for questions about programming. You might have better luck at superuser. Also, what A/V app are you using? – Captain Giraffe Sep 20 '11 at 15:48
  • Seeing as how this is a question about avoiding suspicious programming tactics, your comment about the site purpose is as always, useless. I am currently using Avira-Antivir but have experienced similar occurrences in the past while using AVG. The compiled applications attacked are always from Dev-C++. – freenode5 Sep 20 '11 at 17:38
  • You being a new user, your comment about my commenting about the general aim of the site as "as always, useless.", is at best non-constructive and derogatory; at worst quite detrimental to your participation here. I made a suggestion for you to improve (edit) your question, take it or leave it. – Captain Giraffe Sep 20 '11 at 17:49
  • It would really help if you indicated what AV software had an issue with it. However, folks, this is a legitimate programming question. I'll make some edits. – Tim Post Sep 21 '11 at 06:18

2 Answers


Check what happens when you recompile. If the problem does not persist, then it might be that some other process is tampering with your executable; comparing a cryptographic hash of the freshly built file with the flagged one shows whether it changed after the build. Check which pattern in your file the virus scanner matches, and whether your compiler really generated that code (by dumping the compiler's intermediate assembly output).

Hope that helps

Roel Van Nyen

I think it's a trend. There are only so many viruses an antivirus program can detect. So they started reporting a lot of false positives to remind the user how good the antivirus is and how lucky he is that his computer was protected.

I also encounter this problem very often. Some users start complaining about false positives with an antivirus, I submit a report, an update is issued fixing the false positive and in a month the false positive is back.

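The best solution is a digital signature. A digitally signed file comes with a guarantee that it's from a trusted source, so most antivirus applications don't report it as a problem. (Strictly, the signature attests who published the file and that it has not been altered since signing, not that the code is harmless, so a scanner can still flag a signed file.) The downside is that you have to buy a code signing certificate.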

Cosmin