
Why Developers Hate Antiviruses

by Alex Yumashev · Jan 25 2012
I hate antivirus software. I really do. Like almost every desktop software developer.

And the reasons are:

#1 - False-positive alarms


I'm sick and tired of my software being detected as a "virus"...
Why?

Because if your software has some kind of copy-protection built-in (encrypts and stores serial numbers, hides parts of the source code to protect from reverse engineering etc.) - an antivirus will most likely detect some "very dangerous" trojan.

Because if your software tracks the mouse or monitors the keyboard (like our AutoText for instance) - an antivirus will detect malware.

Because if your software is some kind of a "compiler" - i.e. it's capable of building its own EXE-files - an antivirus will detect a self-replicating virus. Oh, and all your EXE-files will also be marked as viruses by the way (since you're most likely using a "self-executing-unpacker-code + data" architecture, which is considered a risk-factor by most antiviruses, no idea why).

Because if your software uses the "ClickOnce" technology (an auto-update framework that comes from Microsoft and is built into Windows!) - an antivirus will detect a "trojan downloader" and block your website in some cases.

These are just a few... And these are the actual reports I deal with every week. "Help, AVG blocks your installer saying it's a Trojan!", "Help, Opera has just blocked the downloaded file!".

EVERY. FUCKING. WEEK.
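Added example (not from the original post): a builder that emits EXE files as "unpacker stub + data" commonly appends the data after the last PE section, and that trailing overlay is a structural trait a developer triaging a false-positive report can measure. The sketch assumes that layout; `overlay_size`, `build_stub` and `demo` are hypothetical names, and the sample image is constructed and not a loadable executable.

```python
import struct

def overlay_size(pe: bytes) -> int:
    """Return how many bytes sit after the last PE section (0 if none)."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)       # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the 4-byte signature.
    (n_sections,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size                       # first section header
    end_of_image = table + 40 * n_sections               # headers count as image
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData live at +16 and +20 in each entry.
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        if raw_size:
            end_of_image = max(end_of_image, raw_ptr + raw_size)
    # Note: an Authenticode signature is also stored past the last section,
    # so a signed file reports a non-zero overlay as well.
    return max(0, len(pe) - end_of_image)

def build_stub(section_data: bytes) -> bytes:
    """Constructed sample: DOS header, COFF header, one section, no optional header."""
    pe_off, raw_ptr = 0x40, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(raw_ptr, b"\0") + section_data

def demo():
    stub = build_stub(b"\x90" * 0x200)        # the "unpacker" part alone
    packaged = stub + b"USERDATA" * 64        # builder appends its data
    return overlay_size(stub), overlay_size(packaged)

if __name__ == "__main__":
    print(demo())
```
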

#2 - Antivirus vendors not dealing with false-positive reports properly


Now, dear antivirus companies! I understand - Users come first. Their security is your utmost concern. If someone sends you a virus sample - dealing with it is your #1 priority. I understand. I'm one of your paying users after all.

But please don't forget about us, the developers. We do send samples as well - the "false-positive" samples. We deserve some response. Fine, let it be within a week. Two weeks. A month. Two months. But please react!

Instead, some of you do not even have a feedback form or a forum on your website so we can upload a false-positive... And those who do, sometimes require us to send you our code-signing certificates, home-addresses, company papers and photo-IDs... We're guilty by suspicion. Everything is a virus until the author proves the opposite.

PS. In fairness, though, some antivirus companies do have these feedback forms in place, have nice developer support, and react promptly.

#3 - Antivirus my ass!


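Create a simple C program with code like this:

// <windows.h> declares MessageBoxA and GetCommandLineA; <string> provides std::string
#include <windows.h>
#include <string>

int __stdcall WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
  // Show the process command line, wrapped in "->" and "<-", in a message box
  return MessageBoxA(0,(std::string("->")+GetCommandLineA()+"<-").c_str(),"Cmdline",0);
}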



Compile it with a free "express" edition of Visual Studio 2008:
cl -Os -EHs-c- -GR- -MD test.cpp /link -fixed:no user32.lib -incremental:no -out:test.exe

Now test this program with your favorite antivirus. Voila! A "TR/ATRAPS.Gen" has been detected.

Congrats! You've just written your first virus!