My protected application is flagged as a virus. What can I do?


We have been fighting false positives since the beginning of our protection. Virus and malware writers usually use a software protector to protect their code and make it "invisible" to antivirus products. Because of this, antivirus companies are stricter with packed files.

Also, some (not widely known) antivirus products have very poor heuristics and report as a virus any application with a slightly different PE header, without even looking at the code inside the application. They also disregard the fact that a file is digitally signed and report it as a virus anyway.

If you can afford to digitally sign your protected application, that should be the best solution against false positives. Most (widely used) antivirus products trust digitally signed files and do not report them as false positives.

In any case, if your protected application is flagged as a virus, please try the following steps:

1) Include version information in your application before compiling it (company name, version, etc.), as some antivirus products do not like compressed applications without version information.

2) Change the icon of your application if you are using a default compiler icon, as some antivirus products report false positives when a standard icon is left in place.

We have seen some cases where changing just a single pixel in the application icon removes a false positive.

3) Add an internal "pre-loader" to your protected application. These "pre-loaders" are available to our registered customers. Add the following option in the Advanced Options panel:

OPTION_ADVANCED_HEURISTIC_PRELOADER=PATH_TO_YOUR_PRELOADER_DLL

Protect your application. If you still have problems with false positives, or want to try to decrease their number, go to step 4.

4) Add the following option in the Advanced Options panel:

OPTION_ADVANCED_HEURISTIC_PRETTY_NAMES=YES

OPTION_ADVANCED_HEURISTIC_FAKE_RESOURCES=YES

Protect your application. If you still have problems with false positives, or want to try to decrease their number, go to step 5.

5) Add the following option in the Advanced Options panel:

OPTION_ADVANCED_HEURISTIC_ENTRY_FIRST_SECTION=YES

Unfortunately, there is no specific set of options that works best for all applications. Some applications produce fewer false positives when protected with just one of the above options, and adding more options produces more false positives. Other applications require *all* of the above options to be set to produce fewer false positives.
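
The signing and version-information recommendations above can be checked on the final protected file before it is released. The following PowerShell function is an added example, not part of the original page or of Themida; the function name, the sample path and the version fields beyond company name and version are assumptions.

```powershell
# Added example: pre-release check of a protected build (not vendor code).
# Reports empty version-resource fields and the Authenticode status of the
# file exactly as it is on disk.
function Test-ProtectedBuild {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Step 1: version information. CompanyName and FileVersion come from the
    # page ("company name, version"); the other two fields are assumptions.
    $info     = $file.VersionInfo
    $required = 'CompanyName', 'FileVersion', 'ProductName', 'FileDescription'
    $missing  = @($required | Where-Object {
        [string]::IsNullOrWhiteSpace($info.$_)
    })

    # Digital signature. Any change to the file after signing invalidates the
    # signature, so run this on the file that will actually be shipped.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName

    [pscustomobject]@{
        File               = $file.FullName
        MissingVersionInfo = $missing -join ', '
        SignatureStatus    = $sig.Status
        Signer             = $sig.SignerCertificate.Subject
        Timestamped        = [bool]$sig.TimeStamperCertificate
        Ready              = ($missing.Count -eq 0) -and ($sig.Status -eq 'Valid')
    }
}

# Usage (placeholder path):
# Test-ProtectedBuild -Path 'C:\build\MyApp_protected.exe' | Format-List
```

A `SignatureStatus` of `NotSigned` or `HashMismatch` means the shipped file carries no valid signature, whatever was done to the unprotected build.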