Author Topic: Delphi 7 binaries - Win32:Evo-gen[susp]  (Read 6427 times)


Offline ncs_sniper

  • Newbie
  • *
  • Posts: 1
Delphi 7 binaries - Win32:Evo-gen[susp]
« on: November 21, 2013, 11:27:04 PM »
Avast, or more precisely only its filesystem shield, is evaluating binaries (both executables and DLLs) compiled in my Delphi 7 (Personal) as suspicious (Win32:Evo-gen[susp]). Not all of them, but enough to annoy me (~20-25%). They are caught while Delphi is saving them, effectively making compilation impossible. But when I add the output folder to the list of excluded files and successfully compile them, and then scan them, they are all clear!
This has been happening for quite some time, but lately, say 6 months, maybe a year, the number of these false positives is increasing. Avast now marks years-old binaries as malware, but they were clear all the time and did not change overnight. And again, a scan is clear, but should I copy them, Avast interferes.
I have reported false positives many times, every time with the affected file, sometimes even with full source code. Nothing happened.
So here I am. What should I do to solve this problem? Please do not say to add those files to exclusion lists; I have already done that, but what should I say to the users who happen to use my programs and Avast on the same system?

EDIT:
Some additional info:
- OS: WinXP Pro SP3, updated today
- Avast Free, program version 2014.9.0.2006, database 131121-1
- Delphi 7 Personal, ver. 7.0 (build 8.1)
- no, I do not have W32/Induc-A

I can upload some example binaries if it helps.
« Last Edit: November 22, 2013, 12:07:53 AM by ncs_sniper »

Offline gotty

  • Jr. Member
  • **
  • Posts: 26
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #1 on: November 24, 2013, 10:48:22 AM »
I am having exactly the same problem, but with binaries compiled with Visual Basic 6. But there seems to be no pattern to it at all - several programs are affected, yet two programs that are almost identical (including having the same dependencies) are treated differently. One is always detected as Win32:Evo-gen[susp], the other is not.

Like you, when the suspicious executable is scanned there is no threat found (although in my case this isn't caught when compiling, but only when executing).

If I "add the file to the scan exclusion list" it still gets detected.

The only solution has been to add the executable's folder to the Global Exclusions list, but this is far from satisfactory.

This only started happening in the past couple of days. I did notice that my Avast version was out of date, so I updated to the latest and it is still happening (so it is a result of a very recent virus update rather than being a problem with Avast itself).

Unfortunately, for legal reasons, I can't submit the actual binaries as false positives.

GE

Offline Ron-ski

  • Newbie
  • *
  • Posts: 7
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #2 on: November 24, 2013, 02:58:37 PM »
I've been having the same problem. I work in Visual Studio 2012 writing VB.NET programs, and Avast keeps snatching my compiled programs and saying they have Win32:Evo-gen[Susp].

This started about a month ago and is getting worse, and it makes working very difficult. Avast doesn't even seem to take notice of any exclusions I set up; I've told it to ask what to do when it finds a suspicious file, but no, it just does its own thing.

I have scanned the file with Avast, result is no threat found, I've uploaded the file to Virus Total and 47 virus scanners say it's clean.

See my thread here

Edit:

Actually, looking in the virus chest, this has been happening since December 2012; it's littered with my programs and nothing much else.
« Last Edit: November 24, 2013, 03:04:53 PM by Ron-ski »

Offline Dima DD

  • Newbie
  • *
  • Posts: 5
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #3 on: November 27, 2013, 03:37:48 PM »
I have the same very annoying Evo-gen[susp] problem with a growing number of my Delphi 7 programs, especially UPX-compressed ones. I'm sure that something is wrong in the AVAST virus detection algorithm.
Moreover, AVAST allows only 4 actions (besides automatic): quarantine, blocking, deleting or curing; an "ignore" option is not offered. :(
« Last Edit: November 27, 2013, 04:00:59 PM by Dima DD »

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1126
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #4 on: November 28, 2013, 07:43:09 AM »
Hi all,
This is a very delicate issue. Evogen technology is based on similarity of files, and the detections are released automatically. The technology has its very strong point, as it can detect files that have not yet been spotted by any antivirus, and therefore can predict the "maliciousness" of new samples. While this technology is VERY successful, it also has rather more false positives. This is, however, not due to the detections being worse, but due to the fact that there are many more of them. We recognize the issue we are currently hearing about from our users, and we are trying by every means to improve the situation. The technology is so advanced, though, that having fewer false positives can now be achieved only by having fewer detections, which is not the path we want to explore. I am sure, however, that Evogens will gradually get even better, as our cleanset is populated with samples that users believe are clean.
In the meantime, there are two options:
1. Submit every false positive sample to our viruslab (by the "report a false positive" button in the warning), or
2. Turn off Evogen detections completely. (You can do this by setting "DisableEvogen=1" in the "[Scanner]" section of avast's .ini file.) Keep in mind that this action should be taken as a last resort, as you would effectively be cutting off some of avast's means of fighting malware, and only in situations where you are hindered at work (as ncs_sniper reports).
That's it, I hope I explained myself a bit:-)!
Honza

Offline Barcodeman

  • Newbie
  • *
  • Posts: 1
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #5 on: November 29, 2013, 04:01:29 PM »
Are you absolutely certain that's a false positive? I've had Avast for a couple of years ... and only in the last month it's catching win-gen, and in the same timeframe my PC is now running a process inside of an svchost that is using 99% of my processor power ... according to Task Manager. It never stops on its own, but if I end the process ... my other processes return to normal. I'm suspicious that I (and maybe others) really DO have Evo-gen. Please advise ... I'm assuming you work for Avast. Thanks for a great product. I'm switching to paid in January.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33324
  • malware fighter
Re: Delphi 7 binaries - Win32:Evo-gen[susp]
« Reply #6 on: November 30, 2013, 12:38:24 AM »
This is a generic detection, and there we have to weigh a couple of factors to come to a conclusive decision:
"fp or not fp, that is the tricky question", to pose the Shakespearean dilemma here.
There are some evaluation points to help us.

Here are a number of attributes that FileRep detection may consider:
File changes (Emergence)
Number of times that file has been executed so far (Prevalence)
Spreading of the file
Source URI
Status of digital signatures

So unsigned files would make the detection more likely in this respect.
Then there is the packer and protection issue that makes the Delphi detections complicated and false positive prone.
The best action here is reactive: report the likely false positive.
Some answers can be found through scanning these files here: http://anubis.iseclab.org/?action=home

Quote
There are several reasons why an Anti Virus product might trigger on a Delphi produced exe, a few common reasons are:

Lots of viruses are written in Delphi and therefore your exe might have some code parts that look the same as existing viruses.
The import table of your program is used to determine what your exe might do; for instance, linking to Credentials Management or Disk Management functions triggers some AVs.
As suggested before try scanning your release version with online services such as Virustotal or Jotti and always report your false positives to vendors instead of trying to prevent being a false positive. My experience is that AV vendors react quite fast on submission.
Quote info credits go to Remco Weijnen posting on StackOverflow Q&A

polonus
« Last Edit: November 30, 2013, 12:52:32 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
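Three things raised in this thread are visible in the file itself before it ever reaches a scanner: the section layout a compiler or packer leaves behind (Dima DD's UPX-compressed Delphi 7 binaries), whether an Authenticode signature blob is attached at all (polonus's point that unsigned files make a generic detection more likely), and the import table that the quoted Remco Weijnen post says some AV heuristics weigh. The following Python is an added example, not code from the thread, from Avast or from any of the posters: it builds a constructed, minimal PE32 image in memory (so it runs offline; the section names and import lists are made up for the example) and then parses it the way a file-reputation check would. `NOTEWORTHY_IMPORTS` is an illustrative watch-list constructed for this example and is not Avast's or anyone's real rule set; the "delphi_layout" and "upx_packed" flags rely only on the section names Delphi 7 (`CODE`, `DATA`) and UPX (`UPX0`, `UPX1`) are known to emit.

```python
import struct

SECT_ALIGN, FILE_ALIGN = 0x1000, 0x200
# Illustrative watch-list, constructed for this example (not Avast's rules): imports of the
# kind the quoted Remco Weijnen post says some AV heuristics weigh (credential / disk access).
NOTEWORTHY_IMPORTS = {"advapi32.dll": {"CredEnumerateW", "CredReadW"},
                      "kernel32.dll": {"DeviceIoControl"}}


def build_sample_pe(section_names, imports, signed=False):
    """Constructed minimal PE32 image (not real compiler output). Imports go in the last
    section; signed=True appends a placeholder WIN_CERTIFICATE and points dir 4 at it."""
    n, dlls = len(section_names), list(imports.items())
    idata_rva = SECT_ALIGN * n                 # RVA of the last section
    buf, descs = bytearray(20 * (len(dlls) + 1)), []   # descriptors + null terminator
    for dll, funcs in dlls:
        name_rvas = []
        for f in funcs:                        # hint/name entries: WORD hint + ASCIIZ name
            name_rvas.append(idata_rva + len(buf))
            buf += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        oft = idata_rva + len(buf)             # OriginalFirstThunk (import name table)
        buf += thunks
        ft = idata_rva + len(buf)              # FirstThunk (IAT; identical on disk)
        buf += thunks
        descs.append((oft, 0, 0, idata_rva + len(buf), ft))
        buf += dll.encode() + b"\0"
    for i, d in enumerate(descs):
        struct.pack_into("<5I", buf, 20 * i, *d)
    raw, sect_table, ptr = [], b"", FILE_ALIGN
    for i, name in enumerate(section_names):
        data = bytes(buf) if i == n - 1 else b"\xcc" * 16
        data += b"\0" * (-len(data) % FILE_ALIGN)
        sect_table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data),
                                  SECT_ALIGN * (i + 1), len(data), ptr, 0, 0, 0, 0, 0x60000020)
        raw.append(data)
        ptr += len(data)
    opt = bytearray(224)                       # PE32 optional header (16 data directories)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, SECT_ALIGN)                       # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, idata_rva, 20 * (len(dlls) + 1))  # import dir
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\0" * 16 if signed else b""
    if signed:                                 # security dir holds a FILE offset, not an RVA
        struct.pack_into("<II", opt, 96 + 8 * 4, ptr, len(cert))
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 60, 64)        # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 224, 0x0102)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_table
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + b"".join(raw) + cert


def inspect_pe(data):
    """Section layout, packer/signature hints and the import table of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images handled here")
    import_rva = struct.unpack_from("<I", data, opt + 96 + 8 * 1)[0]
    sec_off, sec_size = struct.unpack_from("<II", data, opt + 96 + 8 * 4)
    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))

    def rva_to_off(rva):                       # file offset of an RVA via the section table
        for _, va, vsize, rawptr, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + rva - va
        raise ValueError(f"RVA {rva:#x} outside all sections")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    off = rva_to_off(import_rva) if import_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if name_rva == 0:                      # all-zero descriptor ends the table
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while entry := struct.unpack_from("<I", data, thunk)[0]:
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000
                         else cstr(rva_to_off(entry) + 2))       # +2 skips the WORD hint
            thunk += 4
        imports[cstr(rva_to_off(name_rva)).lower()] = funcs
        off += 20
    names = [s[0] for s in sections]
    return {"sections": names,
            "delphi_layout": "CODE" in names and "DATA" in names,  # Delphi 7 linker names
            "upx_packed": any(nm.startswith("UPX") for nm in names),
            "has_security_directory": bool(sec_off and sec_size),  # blob present, not verified
            "noteworthy_imports": sorted(f"{d}!{f}" for d, fs in imports.items()
                                         for f in fs if f in NOTEWORTHY_IMPORTS.get(d, ())),
            "imports": imports}
```

Calling `inspect_pe(open(path, "rb").read())` on a real build output gives the same report for that file. Two caveats matter for the thread: `has_security_directory` only says that a certificate blob is attached, not that the signature verifies (that needs the platform's Authenticode check), and for a UPX-packed binary the on-disk import table is the unpacker stub's, so the program's real imports are only visible after unpacking, which is one reason packed Delphi output is harder for a similarity engine to judge.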