AVG Accuses Infection in Windows Service Application If Add Command to Windows Firewall Is Present

8

I have an application that is a Windows Service, and as part of a feature I'm looking to add a method that adds it to the Windows Firewall.

So:

// Requires Winapi.Windows (WinExec, SW_HIDE), System.SysUtils (Trim, ExtractFileName)
// and Vcl.SvcMgr (Application) in the uses clause.
procedure AddInFirewall(cApplicationName, cEntryName: string);
var
  cAppName: string;
begin
  // Default to the running executable when no path is given
  if Trim(cApplicationName) = '' then
    cAppName := Application.ExeName
  else
    cAppName := cApplicationName;

  // Default the rule name to the executable's file name
  if Trim(cEntryName) = '' then
    cEntryName := ExtractFileName(cAppName);

  // Remove any previous rule (legacy "netsh firewall" and "netsh advfirewall" syntax)
  WinExec(PAnsiChar(AnsiString('netsh firewall delete allowedprogram ' + cAppName)), SW_HIDE);
  WinExec(PAnsiChar(AnsiString('netsh advfirewall firewall delete rule name="' + cEntryName + '" program="' + cAppName + '"')), SW_HIDE);

  // Re-create the rule, allowing inbound traffic for the program
  WinExec(PAnsiChar(AnsiString('netsh firewall add allowedprogram ' + cAppName + ' "' + cEntryName + '" ENABLE')), SW_HIDE);
  WinExec(PAnsiChar(AnsiString('netsh advfirewall firewall add rule name="' + cEntryName + '" dir=in action=allow program="' + cAppName + '" enable=yes')), SW_HIDE);
end;

procedure TServerModule.DataModuleCreate(Sender: TObject);
begin
  AddInFirewall(Application.ExeName, 'MeuServico');
  FClients := TList.Create;
  StartService;
end;

However, the blessed AVG antivirus is complaining that it is infected with:


Win32 / DH {IFVEIS4}

Just comment the lines with WinExec and compile again that it no longer complains of infection.

How can I resolve this problem?

asked by anonymous 15.05.2014 / 15:54

2 answers

6

This WinExec(....) code snippet is well known (handled / flagged) by antivirus software, and because it does this in the background, the antivirus is right to consider your application malware.

Try to approach this in some other way, such as using the Windows Firewall APIs, more precisely using the interfaces INetFwPolicy2 and

17.05.2014 / 14:55
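For the Firewall API route mentioned in the answer above, here is an added Delphi example (not code from the question or either answer) that creates an inbound allow rule through INetFwPolicy2 / INetFwRule via late binding, so no type-library import is needed; it assumes COM is already initialized (the VCL or SvcMgr Application object does this) and that the caller is elevated, which is why this belongs in an installer rather than in the service itself.

```delphi
uses
  System.SysUtils, System.Variants, System.Win.ComObj;

const
  // Values from NetFwTypeLib
  NET_FW_RULE_DIR_IN  = 1;
  NET_FW_ACTION_ALLOW = 1;
  NET_FW_PROFILE2_ALL = $7FFFFFFF;

// True if a rule with this name already exists, so we never add duplicates.
function FirewallRuleExists(const AName: string): Boolean;
var
  Policy, Rule: OleVariant;
begin
  Policy := CreateOleObject('HNetCfg.FwPolicy2');
  try
    Rule := Policy.Rules.Item(AName);  // raises EOleSysError when not found
    Result := True;
  except
    on E: EOleSysError do
      Result := False;
  end;
end;

// Adds an inbound allow rule scoped to one executable only (no wildcard
// ports or addresses). Raises EOleSysError (E_ACCESSDENIED) when the process
// is not running elevated, which is the UAC boundary the second answer describes.
procedure AddInboundAllowRule(const AName, AExePath: string);
var
  Policy, Rule: OleVariant;
begin
  if not FileExists(AExePath) then
    raise Exception.Create('Program path does not exist: ' + AExePath);
  if FirewallRuleExists(AName) then
    Exit;

  Policy := CreateOleObject('HNetCfg.FwPolicy2');
  Rule := CreateOleObject('HNetCfg.FWRule');
  Rule.Name := AName;
  Rule.Description := 'Inbound access for ' + ExtractFileName(AExePath);
  Rule.ApplicationName := AExePath;   // limits the rule to this one binary
  Rule.Direction := NET_FW_RULE_DIR_IN;
  Rule.Action := NET_FW_ACTION_ALLOW;
  Rule.Profiles := NET_FW_PROFILE2_ALL;
  Rule.Enabled := True;
  Policy.Rules.Add(Rule);
end;
```

Because the rule is created through the documented COM interface instead of a hidden netsh process, it shows up as a normal, auditable firewall rule and does not rely on spawning console tools that antivirus heuristics treat as suspicious.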
7

If an application requires a special firewall configuration, the configuration must be done by an administrator. In your case, the antivirus is correct in assuming that your program is malware.

Think about it. If any application could modify the Firewall rules with a specific call to some API, without alerting any protection system... what would prevent me from distributing some application, a freemium game maybe, that opened all the ports of your firewall and enabled all protocols?

In your case, when adding an application, Windows can take care of this automatically: UAC pops up and asks the user to confirm adding the application to the whitelist. But remove a Firewall rule programmatically? No. Simply no, and nothing more.

15.05.2014 / 16:34