I had the exact same problem. Since yesterday, the program that I have compiled 100 times has stopped working, started giving virus warnings and locked me out.
Heur.AdvML.b virus detected by Norton on a newly compiled C++ console application in debug mode. The executable is marked as malware by several engines on VirusTotal.
Hi,
I am trying to compile the following C++ program in Visual Studio 2019 Community edition in debug mode. I am generating an x86 binary, but the problem exists with x64 binaries as well.
#include <windows.h>
#include <iostream>
#include <cstdio>

int main()
{
    // Query processor and address-space details of the native system
    SYSTEM_INFO si;
    ::GetNativeSystemInfo(&si);

    // DWORD is an unsigned long, so these fields are printed with %lu
    printf("Number of Logical Processors: %lu\n", si.dwNumberOfProcessors);
    printf("Page Size: %lu Bytes\n", si.dwPageSize);
    printf("Processor Mask: 0x%p\n", (PVOID) si.dwActiveProcessorMask);
    printf("Minimum process address: 0x%p\n", si.lpMinimumApplicationAddress);
    printf("Maximum process address: 0x%p\n", si.lpMaximumApplicationAddress);
    return 0;
}
Norton 360 marks this as malware. I am typing the Norton 360 report below.
Resolved Threats:
No risks have been resolved
Unresolved Threats:
Heur.AdvML.B
Type: Anomaly
Risk: High (High Stealth, High Removal, High Performance, High Privacy)
Categories: Heuristic Virus
Status: Not Attempted
-----------
1 Process
D:\Programs\Console1\ConsoleApplication1\Debug\ConsoleApplication1.exe - No action taken
1 Infected File
D:\Programs\Console1\ConsoleApplication1\Debug\ConsoleApplication1.exe - No action taken
1 Browser Cache
The .exe file is marked as malicious by several engines on VirusTotal as well. Please see here: https://www.virustotal.com/gui/file/199d8cc116178b0c9b5e0c11514c6a6eb8fb84def59b60343b22a398482afb46
Is this a case of false positives? How can so many engines get this wrong?
Or has my computer been infected and is something injecting malware into the executables that Visual Studio produces?
2 answers
Dave Turnbull 20 Reputation points
2024-10-21T14:58:20.47+00:00
I was intrigued by Heur.AdvML.B so I set up an experiment. I created two identical executable files. The first I left the Windows default icon. The second I changed the icon using a free copy of IcoFX. Norton immediately quarantined the second file quoting our old friend above. So I repeated the procedure with Norton turned off and opened both files in Notepad++ and ran a comparison. The difference in both the amount and positioning of the code in both files was extensive - far more than could be explained by different icons. Then with both files still open in Notepad++ I turned Norton back on. This time instead of quarantining the file (probably unable to do so because the file was open), Norton removed Heur.AdvML.B from the file. This was proved by running a second comparison and noting the change. And the 'clean' file with the replacement icon in place subsequently worked properly with Norton untroubled.
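A per-section comparison is one way to localize what changed between two builds of an executable like the two files compared in the answer above: it hashes each PE section by name, so a section that only moved to a different file offset is not reported as changed. This is an added example, not part of the original thread; `pe_sections`, `diff_sections` and `build_sample` are names chosen here, and the two inputs are constructed PE-shaped byte strings, not real executables.

```python
import hashlib
import struct

def pe_sections(data):
    """Map section name -> raw bytes, read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # first section header
    out = {}
    for i in range(count):
        entry = table + 40 * i                                 # each header is 40 bytes
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        out[name] = data[raw_ptr:raw_ptr + raw_size]
    return out

def diff_sections(a, b):
    """Sections whose (size, SHA-256) differ; a missing section shows as None."""
    def digests(d):
        return {n: (len(r), hashlib.sha256(r).hexdigest()) for n, r in pe_sections(d).items()}
    da, db = digests(a), digests(b)
    return {n: (da.get(n), db.get(n)) for n in sorted(set(da) | set(db)) if da.get(n) != db.get(n)}

def build_sample(sections):
    """Constructed PE-shaped bytes for the demo (headers and data only, not runnable)."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    ptr = len(hdr) + 40 * len(sections)
    table = body = b""
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0)
        body += raw
        ptr += len(raw)
    return bytes(hdr) + table + body

# Constructed inputs: .text and .rdata are identical, only .rsrc differs (and grows),
# which shifts the file offset of .rdata without changing its content.
SAMPLE_A = build_sample([(b".text", b"\x90" * 32), (b".rsrc", b"ICON-A" * 4), (b".rdata", b"const" * 8)])
SAMPLE_B = build_sample([(b".text", b"\x90" * 32), (b".rsrc", b"ICON-B" * 10), (b".rdata", b"const" * 8)])

if __name__ == "__main__":
    for name, (before, after) in diff_sections(SAMPLE_A, SAMPLE_B).items():
        print(name, before, after)
```

To compare real builds, pass the contents of each file read in binary mode to `diff_sections`.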