Heur.AdvML.b virus detected by Norton on a newly compiled C++ console application in debug mode. The executable is marked as malware by several engines on VirusTotal.

ARV 1 Reputation point
2021-11-03T12:16:42.507+00:00

Hi,

I am trying to compile the following C++ program in Visual Studio 2019 Community edition in debug mode. I am generating an x86 binary, but the problem exists with x64 binaries as well.

#include <windows.h>

#include <iostream>
#include <cstdio>

int main()
{
    // Query basic hardware/address-space information for the native architecture.
    SYSTEM_INFO si;
    ::GetNativeSystemInfo(&si);

    // DWORD is an unsigned long, so %lu is the matching format specifier.
    printf("Number of Logical Processors: %lu\n", si.dwNumberOfProcessors);
    printf("Page Size: %lu Bytes\n", si.dwPageSize);
    // The mask is a DWORD_PTR; the cast lets %p print it at pointer width.
    printf("Processor Mask: 0x%p\n", (PVOID) si.dwActiveProcessorMask);
    printf("Minimum process address: 0x%p\n", si.lpMinimumApplicationAddress);
    printf("Maximum process address: 0x%p\n", si.lpMaximumApplicationAddress);

    return 0;
}

Norton 360 marks this as malware. I am typing the Norton 360 report below.

Resolved Threats:
No risks have been resolved

Unresolved Threats:
Heur.AdvML.B
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Not Attempted
 -----------
 1 Process
D:\Programs\Console1\ConsoleApplication1\Debug\ConsoleApplication1.exe - No action taken
 1 Infected File
D:\Programs\Console1\ConsoleApplication1\Debug\ConsoleApplication1.exe - No action taken
 1 Browser Cache

The .exe file is marked as malicious by several engines on VirusTotal as well. Please see here: https://www.virustotal.com/gui/file/199d8cc116178b0c9b5e0c11514c6a6eb8fb84def59b60343b22a398482afb46

Is this a case of false positives? How can so many engines get this wrong?

Or has my computer been infected and is something injecting malware into the executables that Visual Studio produces?

Developer technologies | C++

2 answers

  1. Savas Ozturk 1 Reputation point
    2022-10-25T19:42:10.907+00:00

    I had the exact same problem. Since yesterday, the program that I have compiled 100 times has stopped working, started giving virus warnings and locked me out.


  2. Dave Turnbull 20 Reputation points
    2024-10-21T14:58:20.47+00:00

    I was intrigued by Heur.AdvML.B so I set up an experiment. I created two identical executable files. The first I left the Windows default icon. The second I changed the icon using a free copy of IcoFX. Norton immediately quarantined the second file quoting our old friend above. So I repeated the procedure with Norton turned off and opened both files in Notepad++ and ran a comparison. The difference in both the amount and positioning of the code in both files was extensive - far more than could be explained by different icons. Then with both files still open in Notepad++ I turned Norton back on. This time instead of quarantining the file (probably unable to do so because the file was open), Norton removed Heur.AdvML.B from the file. This was proved by running a second comparison and noting the change. And the 'clean' file with the replacement icon in place subsequently worked properly with Norton untroubled.

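The kind of two-file comparison described in the answer above can be done per PE section rather than in a text editor, which shows which part of the image changed (for example `.rsrc`, where icons are stored). This is an added example, not code from any poster in this thread; the function names are hypothetical and `build_sample` produces a constructed, minimal PE-like image used only as sample input.

```python
import hashlib
import struct

def pe_sections(data):
    """Map each PE section name to the SHA-256 of its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                        # first section header
    digests = {}
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        label = name.rstrip(b"\0").decode("ascii", "replace")
        digests[label] = hashlib.sha256(raw).hexdigest()
    return digests

def changed_sections(a, b):
    """Names of sections whose raw bytes differ or exist in only one file."""
    da, db = pe_sections(a), pe_sections(b)
    return sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))

def build_sample(text, rsrc):
    """Constructed sample: DOS stub, COFF header, two sections. Not a real program."""
    sections = [(b".text", text), (b".rsrc", rsrc)]
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = len(head) + 40 * len(sections)
    table = body = b""
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(payload), 0,
                             len(payload), raw_ptr, 0, 0, 0, 0, 0)
        body += payload
        raw_ptr += len(payload)
    return head + table + body

if __name__ == "__main__":
    before = build_sample(b"same code bytes", b"constructed icon A")
    after = build_sample(b"same code bytes", b"constructed icon B, larger")
    print(changed_sections(before, after))
```

To compare real builds, read both files in binary mode and pass the bytes to `changed_sections`. Only section contents are compared, so differences confined to the headers (such as the link timestamp) are not reported.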
