Kaspersky deleting exe file



Since the latest update of the Kaspersky anti-virus software my 32 bit executable is put into quarantine as soon as the linker creates it. The message stated is "Trojan program HEUR:Trojan.Win32.generic (modification)".

1) What is causing this?
2) How do I prevent this from happening?

This only occurs for 32 bit release configuration, the 64-bit and debug versions are unaffected.

Thanks in advance for any advice/feedback


I would recommend contacting Kaspersky about this issue. It sounds like the 32bit executables have been put on a blacklist for some reason.

This smells a lot like issues folks also have with Sonar by Norton.
The "Proactive detection of unknown malware" through "Heuristic analysis" is the same as 'Sonar' which basically means that any exe on your system which isn't digitally signed is tagged as 'malware'.
The old 'false positive' issue where they'd rather err on the side of caution.
Wreaks havoc for small software developers who don't digitally sign their software.
Either digitally sign your software or turn off that foolish "Heuristic analysis" option or add your exe's to the 'safe software' list.

Quoting bmchenry: ...Either digitally sign your software or turn off that foolish "Heuristic analysis" option or add your exe's to the 'safe software' list.

Another option to consider is to add the folder where your executables are created to a list of skipped / excluded folders.

Best regards,

Is it possible to get the linker to sign native code? I've always used signtool in a separate step post-linking for this. If the exe is getting deleted as soon as the linker finishes writing it then my two step approach would still fail.

Sorry since it is not related to a primary subject...

Hi Ian,

Quoting IanH: Is it possible to get the linker to sign native code?

[SergeyK] It looks like No. There are three Linker options, 'Key File', 'Key Container' and 'Delay Sign',
but unfortunately they are used for output assembly files. I never used these options.

I've always used signtool in a separate step post-linking for this.

[SergeyK] I also used 'SignTool.exe' to sign some ActiveX component.

Best regards,

I use Norton Internet Security at home and had this problem (as noted earlier) - I was able to tell Norton to ignore my projects folder, after which it left it alone for the purpose of "heuristic" scanning.

Steve - Intel Developer Support

Anti-virus software can intrude in other ways. I'm subjected to Symantec Endpoint security at work. I have a model that takes several hours to run which I was running once a week. I'd start it up and work on other things. Monday is staff meeting day, so I'd leave my desk for a while. After an update to the anti-virus software, I came back to my desk and discovered that the model had crashed because a file that it wanted to open was in use by some other process. First time this happened, I shrugged it off and just restarted the model and after a while it finished up. But next Monday, the same thing happened; model crashed while I'm at the staff meeting.

The cute part of this was that if I sat at my desk and watched, everything worked just fine.

I eventually figured out what was going on. In the model, a file was being opened and closed periodically. This file was intended to
hold error messages, and if no error occurred, the file would end up with a length of 0.

I can understand how this might be slightly suspicious, since a zero length file effectively reserves a cluster of disk space where something unpleasant can be hidden.

But this wasn't suspicious enough to make the program crash while I was
sitting at the keyboard doing other things.

If I wasn't typing away at the computer, the crash would occur right after the screen saver kicked in. I guess that Symantec figured that it could sniff things a bit harder when no one was around, and started looking at
some things that it normally didn't bother with. This sniffing tied up the file, and made the model crash.

The cure is the same one suggested here, exclude directories from the
virus scan.

Right - Norton calls this "idle time scanning". Other AV programs do something similar. I know you can disable this for Norton products, probably for some others as well.

Steve - Intel Developer Support

Obviously a false positive caused by the Kaspersky AV disassembling engine. The disassembled pattern triggered as the closest possible match to a known malware pattern.
Kaspersky AV was some time ago criticized for implementing unsafe SSDT hooking (patching) and for passing unchecked function pointers.
