Windows service auto-update process being flagged as a virus by Avast


My Windows service application, written in Delphi 6, is being flagged as a virus by Avast because of its auto-update process.

As soon as the executable has been built, Avast already reports it as a virus, detecting it as Win32:Evo-gen [Susp].

The update runs in a thread, using this method:

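{ Downloads a replacement copy of this service's executable over FTP into
  <ExeName>.tmp and, when the download succeeds, writes and launches a batch
  file that stops the service, swaps the binaries and starts it again.
  Relies on the instance field FIdFTP (Indy FTP client) and on AddLog, both
  declared outside this method.
  NOTE(review): nothing here verifies the downloaded file (no signature or hash
  check) before it replaces the service binary, and the fixed credentials are
  sent over plain FTP. An update channel that swaps a service executable should
  authenticate its payload before installing it. }
procedure TThreadAutoUpdate.Update;
var
  fileDownload: TFileStream;
  bDownloaded: boolean;
  fileBat: TStringList;
  cAppName: string;
  cTmpName: string;
  cBatName: string;
begin
  bDownloaded := False;
  cAppName := Application.ExeName;
  cTmpName := cAppName + '.tmp';
  // A leftover temporary file from an interrupted run must never be reused
  if FileExists(cTmpName) then
    DeleteFile(PChar(cTmpName));
  fileDownload := TFileStream.Create(cTmpName, fmCreate);
  try
    try
      AddLog('Logando ...');
      // NOTE(review): Indy's Host property expects a bare host name; confirm the
      // 'ftp://' prefix is intended
      FIdFTP.Host := 'ftp://fakeDeDownload.com.br';
      FIdFTP.{$if CompilerVersion < 16}User{$else}Username{$ifend} := 'update';
      FIdFTP.Password := 'update';
      // Connect is inside the handler so that a failed login is logged like a
      // failed transfer instead of escaping the method unlogged
      FIdFTP.Connect({$if CompilerVersion < 16}true{$ifend});
      FIdFTP.Get('MyService.exe', fileDownload);
      AddLog('Efetuando download ...');
      bDownloaded := True;
    except
      on e: Exception do
      begin
        bDownloaded := False;
        AddLog('Não foi possível atualizar o serviço');
        AddLog('Motivo: ' + e.Message);
      end;
    end;
  finally
    // The original disconnected only on success, leaking the session on failure
    if FIdFTP.Connected then
      FIdFTP.Disconnect;
    FreeAndNil(fileDownload);
  end;

  if not bDownloaded then
  begin
    // Do not leave a partial download behind for the next run or the batch file
    if FileExists(cTmpName) then
      DeleteFile(PChar(cTmpName));
    Exit;
  end;

  AddLog('Download efetuado');
  AddLog('Trocando os executáveis');
  fileBat := TStringList.Create;
  try
    cBatName := THelpers.GetTempDirectory + ExtractFileName(cAppName) + '.bat';
    // The batch file outlives this process: it stops the service, waits until the
    // old binary can be deleted, moves the download into place, restarts the
    // service and finally deletes itself.
    fileBat.Add('net stop MyServiceSvc');
    fileBat.Add(':Label1');
    fileBat.Add('@echo off');
    fileBat.Add('del "' + cAppName + '"');
    fileBat.Add('taskkill /f /im "' + ExtractFileName(cAppName) + '"');
    // NOTE(review): this spins forever if the delete keeps failing for a reason
    // other than the process still running (e.g. permissions); a bounded retry
    // would be safer
    fileBat.Add('if Exist "' + cAppName + '" goto Label1');
    fileBat.Add('Move "' + cTmpName + '" "' + cAppName + '"');
    fileBat.Add('net start MyServiceSvc');
    fileBat.Add(':Label2');
    fileBat.Add('del "' + cBatName + '"');
    fileBat.Add('if Exist "' + cBatName + '" goto Label2');
    fileBat.SaveToFile(cBatName);
    // Runs hidden; the batch file is what actually performs the swap
    WinExec(PAnsiChar(AnsiString(cBatName)), SW_HIDE);
    AddLog('Atualização efetuada com sucesso');
  finally
    fileBat.Free;
  end;
end;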

But if I leave exactly this line commented out, the executable is no longer flagged:

// FIdFTP.Get('MyService.exe', FileDownload);

Does anyone have an idea of what might be happening?

    
asked by anonymous 27.05.2014 / 16:59



You're not the only one facing this problem; see this thread on the Avast forum. The antivirus is detecting your application as a trojan downloader, and it is right to do so: the code downloads an executable from a remote server and replaces the program with it.

The correct way to resolve the problem is to contact the antivirus vendor and report the false positive. Click here to open the Avast contact form.

An attempt that may be effective is to load the function that triggers the antivirus dynamically. The FtpGetFile function of the WinInet unit has the same purpose as the Get method of IdFtp. Note that this only hides the static import from the scanner; the behaviour it objects to (downloading and replacing the executable) is unchanged, so reporting the false positive remains the proper fix.

Loading the FtpGetFile function dynamically:

 
// Interface part of the unit: the DLL and export names are kept as constants so
// the wrapper below can resolve FtpGetFileW at run time instead of importing it.
Uses Windows;

const
WNETDLL = 'wininet.dll';
WNETFNC = 'FtpGetFileW';   // wide-string variant, matching the LPWSTR parameters of the wrapper

implementation

// Local copies of the WinInet handle and port types (presumably so WinInet
// itself does not have to appear in the uses clause; only Windows is used above).
type
  HINTERNET = Pointer;
  PHINTERNET = ^HINTERNET;
  LPHINTERNET = PHINTERNET;
  INTERNET_PORT = Word;
  PINTERNET_PORT = ^INTERNET_PORT;
  LPINTERNET_PORT = PINTERNET_PORT;

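{ Thin wrapper that resolves FtpGetFileW from wininet.dll at run time and
  forwards the call; the parameter list mirrors the WinInet API.
  Returns False when the DLL or the export cannot be resolved, otherwise
  whatever FtpGetFileW returns (GetLastError carries the details).
  NOTE(review): LoadLibrary bumps the module reference count on every call and
  nothing here releases it; harmless for a system DLL that stays loaded, but
  worth knowing if the wrapper is called in a loop. }
function MyFtpGetFile(hConnect: HINTERNET; lpszRemoteFile: LPWSTR;
  lpszNewFile: LPWSTR; fFailIfExists: BOOL; dwFlagsAndAttributes: DWORD;
  dwFlags: DWORD; dwContext: DWORD_PTR): BOOL;
type
  TFtpGetFileW = function(hConnect: HINTERNET; lpszRemoteFile: LPWSTR;
    lpszNewFile: LPWSTR; fFailIfExists: BOOL; dwFlagsAndAttributes: DWORD;
    dwFlags: DWORD; dwContext: DWORD_PTR): BOOL; stdcall;
var
  hLib: HMODULE;
  F: TFtpGetFileW;
begin
  Result := False;
  hLib := LoadLibrary(PChar(WNETDLL));
  if hLib = 0 then
    Exit;
  // The original called F unconditionally; a nil pointer here was an access violation
  F := GetProcAddress(hLib, PChar(WNETFNC));
  if not Assigned(F) then
    Exit;
  Result := F(hConnect, lpszRemoteFile, lpszNewFile, fFailIfExists,
    dwFlagsAndAttributes, dwFlags, dwContext);
end;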

Here is an example of using FtpGetFile:

  
Uses Windows, WinInet;

// Server used by the example below. FtpUrl is not referenced by the code shown;
// only FtpServer is passed to InternetConnect.
const FtpUrl = 'ftp://ftp.foo.bar/';
const FtpServer = 'ftp.foo.bar';

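{ Downloads RemoteFile from FtpServer into LocalFile through WinInet.
  Usuario and Senha are the FTP user name and password passed to
  InternetConnect (the example caller passes empty strings; whether WinInet
  treats those as anonymous login is not shown here - confirm).
  Returns True only when FtpGetFile succeeds.
  NOTE(review): plain FTP carries credentials and data in clear text and nothing
  verifies what was downloaded; do not use this path to fetch executables
  without an integrity check. }
Function DownloadFtp(const Usuario, Senha, RemoteFile, LocalFile: string): Boolean;
Var
  HI, FI: HINTERNET;
Begin
  Result := False;
  // Both handles start out nil so the finally block never closes garbage
  HI := nil;
  FI := nil;
  Try
    HI := InternetOpen('Ftp', INTERNET_OPEN_TYPE_DIRECT, nil, nil, 0);
    if not Assigned(HI) then
      Exit;
    FI := InternetConnect(HI, PChar(FtpServer), INTERNET_DEFAULT_FTP_PORT,
      PChar(Usuario), PChar(Senha), INTERNET_SERVICE_FTP, 0, 0);
    // The original fell through to FtpGetFile with an uninitialised FI whenever
    // InternetOpen or InternetConnect failed
    if not Assigned(FI) then
      Exit;
    Result := FtpGetFile(FI, PChar(RemoteFile), PChar(LocalFile), False, 0,
      FTP_TRANSFER_TYPE_ASCII, 0); // this example downloads a text file
  Finally
    // Close the connection handle before the session handle that owns it
    if Assigned(FI) then
      InternetCloseHandle(FI);
    if Assigned(HI) then
      InternetCloseHandle(HI);
  End;
End;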

In a button's click handler, put this code:

 
Var
  downloadOk: Boolean;
begin
  { Fetches /remoteFile.txt from the server configured in DownloadFtp and
    reports the outcome. The surrounding event-handler header and closing
    "end;" are omitted, as in the original snippet. }
  downloadOk := DownloadFtp('', '', '/remoteFile.txt', 'localFile.txt');
  if not downloadOk then
    ShowMessage('Erro ao baixar arquivo.')
  else
    ShowMessage('Arquivo baixado com sucesso!');

In this example, the text file ftp://ftp.foo.bar/remoteFile.txt is downloaded and saved in the executable's directory as localFile.txt.

That is the basics; there is a lot more to implement. For more information on the subject, read the article below:

27.05.2014 / 17:56