
I have a C# app that is getting flagged by multiple anti-virus apps (AVG and Norton so far) as "behaving suspiciously". I don't have any experience with this, and there are lots of things I suppose could be considered "suspicious" (registry access, IPC with a local service using named pipes, copying files to local app data folder, etc), but I don't know where to start.

Note that the apps aren't saying my app is a virus or infected with a virus - but that it is suspicious.

How can I get an idea of which part of my app is causing these issues?

Daniel Schaffer
  • Do you use code snippets from the web? I downloaded a couple of times the source of programmes which were deleted by my anti-virus app. Sometimes this is a wrong alert. Try to contact the companies. One of my apps was also treated like that. – rekire Feb 15 '12 at 17:05
  • If an app is written too cleverly, i.e. polymorphism or reflection or the code modifies its own behaviour, then it can be flagged by certain anti-viruses. Including an empty version of your data files with your installer could remove the last issue you mentioned. – Joseph Le Brech Feb 15 '12 at 17:08
  • Yet another question completely related to development that was closed unjustly by @casperOne... – BlueRaja - Danny Pflughoeft Jun 19 '13 at 16:04

2 Answers


I'd recommend troubleshooting steps.

If you can reproduce the problem reliably on your dev machine, start commenting out code sections until it stops happening. Then start uncommenting until it happens again. That will at least narrow down what section of your code is causing the problem.

fbueckert
  • I wonder how I can randomly comment out some code in a reasonably complex app. (And get it compiled, of course.) – Dennis Traub Feb 15 '12 at 17:10
  • @DennisTraub yes, that will get messy very quickly. For example, the named pipe IPC is pretty foundational to the app - there's no way I can just comment that out and still have the rest of the app work. – Daniel Schaffer Feb 15 '12 at 17:15
  • @Daniel: So make a copy of the app and trim out everything that isn't the named pipe IPC. IPC is awfully complex though and full of potential security holes. Sending a binary message is often much simpler and easier to prove correct. And then you could test with random data in your message, to find out whether it's the named pipe itself triggering the malware flag. – Ben Voigt Feb 15 '12 at 17:19
  • @BenVoigt What do you mean by "sending a binary message"? – Daniel Schaffer Feb 15 '12 at 17:32
  • @Daniel: Oops, I confused "IPC" with "RPC" (which is a function call layered on top of IPC mechanisms). You probably already are using a binary message, that's fine. – Ben Voigt Feb 15 '12 at 17:38
  • If that isn't an option, conversely, start pulling modules out of your app and run them independently. If you have test cases built in, that may do the trick. Either way, short of an antivirus telling you what it doesn't like (unlikely), it's going to be a fairly time-intensive process. – fbueckert Feb 15 '12 at 17:43
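The "trim the app down to one module and run it on its own" approach from the comments above can be made systematic with a small throwaway console harness. The code below is an added example and is not from the question, the answers, or the asker's application: it exercises exactly one of the behaviours the question lists per run (read-only registry access, a named-pipe round trip, a file copy into the local app data folder), plus a do-nothing baseline. The class name `AvProbe`, the pipe name and the file names are constructed for this example.

```csharp
// Added example (not the asker's code): one suspected behaviour per run, so each
// build/run can be scanned by the antivirus product in isolation.
using System;
using System.IO;
using System.IO.Pipes;
using System.Threading.Tasks;
using Microsoft.Win32;

static class AvProbe
{
    static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: AvProbe <none|registry|pipe|appdata>");
            return 2;
        }
        switch (args[0])
        {
            case "none":     Console.WriteLine("baseline: no suspicious behaviour"); return 0;
            case "registry": return ProbeRegistry();
            case "pipe":     return ProbeNamedPipe();
            case "appdata":  return ProbeAppData();
            default:
                Console.Error.WriteLine("unknown probe: " + args[0]);
                return 2;
        }
    }

    // Read-only access to a harmless per-user key (nothing is written).
    static int ProbeRegistry()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey("Environment"))
        {
            Console.WriteLine(key == null
                ? "HKCU\\Environment not present"
                : "HKCU\\Environment has " + key.ValueCount + " values");
        }
        return 0;
    }

    // In-process named-pipe server and client: the client sends 4 bytes, the
    // server echoes them back. Same mechanism as the app's IPC, minimal payload.
    static int ProbeNamedPipe()
    {
        const string pipeName = "AvProbeEchoPipe"; // constructed name
        var server = new NamedPipeServerStream(pipeName, PipeDirection.InOut, 1);
        Task serverTask = Task.Run(() =>
        {
            server.WaitForConnection();
            var buf = new byte[4];
            int n = server.Read(buf, 0, buf.Length);
            server.Write(buf, 0, n);           // echo whatever arrived
            server.Dispose();
        });

        using (var client = new NamedPipeClientStream(".", pipeName, PipeDirection.InOut))
        {
            client.Connect(5000);              // 5 s timeout
            byte[] msg = { 1, 2, 3, 4 };       // constructed sample message
            client.Write(msg, 0, msg.Length);
            var reply = new byte[4];
            int got = client.Read(reply, 0, reply.Length);
            serverTask.Wait();
            Console.WriteLine("pipe echo ok: " + (got == msg.Length));
            return got == msg.Length ? 0 : 1;
        }
    }

    // Copy a freshly created temp file into %LOCALAPPDATA%\AvProbe.
    static int ProbeAppData()
    {
        string dir = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData), "AvProbe");
        Directory.CreateDirectory(dir);
        string src = Path.Combine(Path.GetTempPath(), "avprobe-src.txt");
        File.WriteAllText(src, "constructed sample content\n");
        string dst = Path.Combine(dir, "copied.txt");
        File.Copy(src, dst, true);
        Console.WriteLine("copied to " + dst);
        return File.Exists(dst) ? 0 : 1;
    }
}
```

Run `AvProbe none` first: if the do-nothing build is already flagged, the trigger is not runtime behaviour at all (look at packaging, obfuscation or lack of a code signature instead). Otherwise run `registry`, `pipe` and `appdata` one at a time and note which run the antivirus product reacts to; that is the module to examine in the real application, which is far less work than commenting out sections of a codebase where the pipe IPC is foundational.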

You will need to contact the antivirus companies to whitelist your application. Unfortunately this will need to be done for each one of them separately and they have their own process. Here are the links for AVG and Norton.

This process usually takes time so you may want to account for that.

sarvesh