Monday, 25 April 2011

NIS 2010 SONAR raised when running executables compiled with Delphi 2010

Going on with my previous post (Signing your Delphi applications with Microsoft Signtool) in this post I'll explain different solutions to avoid false positives by the Antivirus. I've recently got an alert from my NIS 2010 (Norton Internet Security) SONAR indicating that my application contains a HackTool and it has been processed and eliminated by SONAR (I'm trying to run one of my applications and now is a high-risk program and should be deleted every time I try to run it):

Even though it socks, you need to go through the NIS and configure it using the instructions from here.

1.   Executable files created by compilers etc on development machines are deleted

We have identified the issue and are making incremental changes to fix the problem. Please ensure that you have the latest NIS patch installed as that should minimize the occurrence of the issue.

In addition to this, developers should exclude dev directories from security scans using the following steps:

  • On the main UI panel, under Computer click Settings. This will bring up the Settings dialog box.
  • Under Scan Exclusions click Configure. This will display the Scan Exclusions dialogue box.
  • Under the lower-half of the screen under Auto-Protect Exclusions click the Add button. This will bring up a dialogue to add a new item.
  • Add the folder you want to exclude from SONAR.

If you are certain that SONAR has incorrectly quarantined a file, you may restore this file to its original location by selecting the appropriate entry in the Quarantine Log and clicking Options. This will display the Security Risk Details dialog:

Click Restore this file. This will show the Quarantine Restore dialog. Ensure that the Exclude this risk from future scans is checked. The file will be restored to its original location and will no longer be detected by SONAR. According to Symantec this is unfortunately a known problem and they are working on a fix for it. From now on the best thing you can do is to set the scan exclusions in the settings, with this, those folders will not be scanned and the files will not be false-detected.

It's important to update the Antivirus to the latest version because most of these issues are already solved and there is no need on doing this.

Other important thing is to bear in mind the digital signature for our applications. If our executables are digitally signed you won't have the false positive problem with the AV because the application is trusted. Please, go on with the related links section to dig more with this issue and do not hesitate to comment if you have any doubt.

NIS version:

Related links:


Post a Comment