This is Founder's blog - please Subscribe RSS - Founder's blog if you like this post - About

Why Developers Hate Antiviruses

Jan 25 2012
I hate antivirus software. I really do. Like almost every desktop software developer.

And the reasons are:

#1 - False-positive alarms


I'm sick and tired that my software is being detected as a "virus"...
Why?

Because if your software has some kind of copy-protection built-in (encrypts and stores serial numbers, hides parts of the source code to protect from reverse engineering etc.) - an antivirus will most likely detect some "very dangerous" trojan.

Because if your software tracks mouse or monitors keyboard (like our AutoText for instance) - an antivirus will detect a malware.

Because if your software is some kind of a "compiler" - i.e. it's capable of building its own EXE-files - an antivirus will detect a self-replicating virus. Oh, and all your EXE-files will also be marked as viruses by the way (since you're most likely using a "self-executing-unpacker-code + data" architecture, which is considered a risk-factor by most antiviruses, no idea why).

Because if your software uses the "ClickOnce" technology (an auto-update framework that comes from Microsoft and is built-in to Windows!) - an antivirus will detect a "trojan downloader" and block your website in some cases.

These are just the few... And these are the actual reports I deal with every week. "Help, AVG blocks your installer saying it's a Trojan!", "Help, Opera has just blocked the downloaded file!".

EVERY. FUCKING. WEEK.

#2 - Antivirus vendors not dealing with false-positive reports properly


Now, dear antivirus companies! I understand - Users come first. Their security is your utmost concern. If someone sends you a virus sample - dealing with it is your #1 priority. I understand. I'm one of your paying users after all.

But please don't forget about us, the developers. We do send samples as well - the "false-positive" samples. We deserve some response. Fine, let it be within a week. Two weeks. A month. Two months. But please react!

Instead, some of you do not even have a feedback form or a forum on your website so we can upload a false-positive... And those who do, sometimes require us to send you our code-signing certificates, home-addresses, company papers and photo-IDs... We're guilty by suspicion. Everything is a virus until the author proves the opposite.

PS. In fairness, though, some antivirus companies do have these feedback forms in place, have nice developer support, and react promptly.

#3 - Antivirus my ass!


Create a simple C program with a code like this:

#include
#include

int __stdcall WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
  return MessageBoxA(0,(std::string("->")+GetCommandLineA()+"<-").c_str(),"Cmdline",0);
}



Compile it with a free "express" edition of Visual Studio 2008:
cl -Os -EHs-c- -GR- -MD test.cpp /link -fixed:no user32.lib -incremental:no -out:test.exe

Now test this program with your favorite antivirus. Voila! A "TR/ATRAPS.Gen" has been detected.

Congrats! You've just wrote your first virus!



Back to the blog or Subscribe RSS - Founder's blog if you liked the article


comments powered by Disqus