
VS2015 executable becomes a virus (with potential solution but don't know why)

This is one of the weirdest things that has ever happened to me in my programming career.

I am working on an MFC project, and recently my antivirus software BitDefender sees my executable as a virus, "Gen:Variant.Razy.47148".

Here is the scan result from virustotal.com

Antivirus     Result
ALYac         Gen:Variant.Razy.47148
Ad-Aware      Gen:Variant.Razy.47148
Arcabit       Trojan.Razy.DB82C
BitDefender   Gen:Variant.Razy.47148
Emsisoft      Gen:Variant.Razy.47148
F-Secure      Gen:Variant.Razy.47148
GData         Gen:Variant.Razy.47148
eScan         Gen:Variant.Razy.47148

* the rest report a clean result

I have a few configurations, and this happens to only one of them. So I compared the settings, and it turns out Linker--Debugging--Generate Debug Info is the problem. When it is "No", not a virus; when it is "Yes", a virus.
Then I looked at what exactly it does; it says "This option enables creation of debugging information for the .exe file or the DLL." Detailed description from MS: https://msdn.microsoft.com/en-us/library/xe4t6fc1.aspx I don't see any possible way this makes my executable become a virus.

More you might want to ask:

  1. Hard drive scanned clear by multiple well-known antivirus program.

  2. The executable is clean if I turn that to "No" without making any other changes, which means that all those .c and .h files I included are clean.

  3. I know this is kind of like a false-positive virus since only some "unnamed" antivirus software reports this. BUT unfortunately, I have to use BitDefender, and some of the computers that my program will be running on are using it as well. (My program is just a debugging tool for internal use only.)

If nothing else on your hard drive is being flagged as malware by your antivirus, then this "detection" is most probably because something in your program is triggering a heuristic detection routine inside the AV.

This "something" might be a string you've used, a particular sequence of machine instructions, or even a function name. The fact that the AV no longer flags your program when you turn off the debug information might suggest that the trigger is indeed something that gets stripped out of a non-debug build (e.g. function names).

This is not a compiler bug or something that can be solved by them. You can (and should) report your executable file as a false positive to the AV vendor (the exact file that is being reported as having a virus.)

As I said before, this is not - in all probability - a real infection, so you needn't worry about that after the steps you've already taken.

You've mentioned that when you build your program without debug info, it is not flagged or reported by the antivirus. Can you ship your program without debug information? This is how almost all software gets distributed anyway. If you can, then you're in the clear with your users; your debug-info-less program will not be reported as a virus.
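The answer above attributes the detection to something that only exists in the build with debug information. One concrete thing the linker's Generate Debug Info (/DEBUG) setting adds to the .exe itself is a debug directory entry pointing at a CodeView "RSDS" record, which carries the PDB GUID, the PDB age and the absolute path of the .pdb file (user name, project folder and all). The script below is an added example, not code from the question or either answer: it parses that record so the flagged and clean builds can be compared for exactly this difference. The build_sample_pe helper constructs a minimal synthetic PE32+ image inline so the script runs offline; it is not a real compiled binary, and the GUID and PDB path it embeds are made up.

```python
"""Locate the CodeView (RSDS) record that the MSVC linker's /DEBUG option embeds
in a PE image and report the PDB GUID, age and path it carries."""
import struct
import sys
import uuid

IMAGE_DEBUG_TYPE_CODEVIEW = 2
DEBUG_DIR_INDEX = 6  # IMAGE_DIRECTORY_ENTRY_DEBUG
DEBUG_ENTRY_SIZE = 28  # sizeof(IMAGE_DEBUG_DIRECTORY)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def find_codeview_pdb(data):
    """Return {'guid', 'age', 'pdb_path'} for the RSDS record, or None if the
    image carries no CodeView debug entry (what a /DEBUG:NO build looks like)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = 112 if magic == 0x20B else 96  # data directories: PE32+ vs PE32
    debug_rva, debug_size = struct.unpack_from("<II", data, opt + dir_base + DEBUG_DIR_INDEX * 8)
    if debug_rva == 0 or debug_size == 0:
        return None
    sections = []
    sec = opt + size_opt
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((va, vsize, raw_size, raw_ptr))
    off = _rva_to_offset(debug_rva, sections)
    if off is None:
        return None
    for n in range(debug_size // DEBUG_ENTRY_SIZE):
        e = off + n * DEBUG_ENTRY_SIZE
        # Type, SizeOfData, AddressOfRawData, PointerToRawData start at offset 12
        dbg_type, size_of_data, _addr, ptr_raw = struct.unpack_from("<IIII", data, e + 12)
        if dbg_type != IMAGE_DEBUG_TYPE_CODEVIEW or data[ptr_raw:ptr_raw + 4] != b"RSDS":
            continue
        guid = uuid.UUID(bytes_le=data[ptr_raw + 4:ptr_raw + 20])
        age = struct.unpack_from("<I", data, ptr_raw + 20)[0]
        raw_path = data[ptr_raw + 24:ptr_raw + size_of_data].split(b"\0", 1)[0]
        return {"guid": str(guid), "age": age, "pdb_path": raw_path.decode("utf-8", "replace")}
    return None


def build_sample_pe(pdb_path=None):
    """Constructed test data: a minimal PE32+ image with one .rdata section.
    With pdb_path set, a debug directory and RSDS record are added the way
    /DEBUG does. Not a real compiled executable; GUID and path are invented."""
    pe_off, raw_ptr, raw_size, sec_va = 0x40, 0x400, 0x200, 0x2000
    img = bytearray(raw_ptr + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    # COFF header: x64, 1 section, SizeOfOptionalHeader=240 (PE32+ with 16 dirs)
    struct.pack_into("<HHIIIHH", img, pe_off + 4, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = pe_off + 24
    struct.pack_into("<H", img, opt, 0x20B)
    sec = opt + 240
    img[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sec + 8, raw_size, sec_va, raw_size, raw_ptr)
    if pdb_path is not None:
        fake_guid = uuid.UUID("12345678-1234-5678-1234-567812345678")  # invented
        cv = b"RSDS" + fake_guid.bytes_le + struct.pack("<I", 3) + pdb_path.encode() + b"\0"
        cv_off = raw_ptr + 0x40
        img[cv_off:cv_off + len(cv)] = cv
        # one IMAGE_DEBUG_DIRECTORY at the start of .rdata pointing at the record
        struct.pack_into("<IIHHIIII", img, raw_ptr, 0, 0, 0, 0,
                         IMAGE_DEBUG_TYPE_CODEVIEW, len(cv), sec_va + 0x40, cv_off)
        struct.pack_into("<II", img, opt + 112 + DEBUG_DIR_INDEX * 8, sec_va, DEBUG_ENTRY_SIZE)
    return bytes(img)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(r"C:\Users\dev\MyTool\x64\Debug\MyTool.pdb")
    print(find_codeview_pdb(blob))
```

Run it against the flagged and the clean build (`python pdbinfo.py MyTool.exe`); only the /DEBUG build should return a record, and the path it contains is the most obvious plain-text difference between the two files. Seeing what the debug setting actually embeds narrows down what a heuristic might be keying on; it does not replace submitting the flagged file to the vendor as a false positive, which is still the fix.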

@Peter, thank you so much for the tip about "Linker--Debugging--Generate Debug Info". In case there is any doubt about this being a false positive issue, I happened upon this thread while trying to prove I hadn't infected my workstation. The problem happened when I created a simple VS2015 project (Win32 Console Application) without adding the headers for ATL or MFC. The program contained only the boilerplate code generated by the template.

Virus was detected by Symantec Endpoint Protection as Heur.AdvML.B.

Strangely, adding the headers for ATL and/or MFC produces an exe with "no virus".

Also, creating a similar project in VS2013 (without ATL/MFC) also produces an exe that is "clean".

Hope this helps somebody else to not waste half a day hunting.

Could there be some telemetry/"phone-home" going on that virus scanners are detecting? See this blog posting for more info on that discovery in VS2015.
