Windows Defender False Positives

Hi

I’m having trouble with Windows Defender identifying the GUISample.exe demo application you ship with your Delphi examples as trojan.

Windows Defender quarantines the file, which means it just kills the process. I don’t think this has anything to do with the specific development environment (Delphi in this case). I’ve only observed this issue with the LexActivator GUISample.exe program, which has now triggered the AV three times in the last week (IsLicenseGenuine is called at startup).

When this happens, Windows Defender just kills the process (i.e.: the program just closes without warning). Obviously I can’t have this happening on client machines.

Have you had any issues with false positives in the past?

Any advice?

Thanks

Hello @deonvn

It has been a long time since someone reported issues with antivirus false positives. While we have taken steps to ensure that they do not occur, we do not have complete control over them and cannot completely avoid them.

In our experience, signed builds are less likely to be falsely marked as a virus by antivirus software. Since these are local builds, you can add the development folder to an allowlist in Defender.

OK. Our production builds are signed, so I guess we’ll just have to wait and see if users start reporting issues once we’ve released.

Just to confirm:

  1. The ONLY time a background thread is created to synchronize with the server is after IsLicenseGenuine is called.
  2. IsLicenseValid does NOT create a background thread, but only checks local data.
  3. ActivateLicense contacts the server and performs a sync but does NOT create a background thread.

Is all of the above correct?

I don’t want the background synchronization thread running in my main app at all. I’m thinking of creating a second “license check” executable file to ship with our main program, and then only call IsLicenseGenuine in that executable. If that succeeds it will write the license data to local storage, from where the main program can then use IsLicenseValid to retrieve the local license data that was populated by the “license check” executable. As long as both executables use the same Product ID and Product Data it should work, right?

My thinking is that if an AV program kills the update process, at least it will only kill and quarantine the “license check” executable, and not our main app.

Is there any reason why I should not do this?

Hi @deonvn

> The ONLY time a background thread is created to synchronize with the server is after IsLicenseGenuine is called.

Server synchronization is initiated when either the ActivateLicense() is invoked or when IsLicenseGenuine() is invoked. Since the ActivateLicense() would only be invoked initially at the time of activation, the subsequent opening of the application won’t have server synchronization due to this function.

> IsLicenseValid does NOT create a background thread, but only checks local data.

Yes, IsLicenseValid() does not invoke any server synchronization, it only validates the local activation data.

> ActivateLicense contacts the server and performs a sync but does NOT create a background thread.

No, ActivateLicense() also triggers the server synchronization. While ActivateLicenseOffline() does not.

> Is there any reason why I should not do this?

Server synchronization must not be the cause of false detection by AV software, leading to the termination of processes. Additionally, in the event of utilizing the aforementioned method, if a license update occurs on the server side, restarting the main application is necessary for the changes to take effect. This is because the validation process relies on cached data post-initial validation.

Hi Ahmad

Thanks for the reply, but I think we’re missing each other.

> Server synchronization is initiated when either the ActivateLicense() is invoked or when IsLicenseGenuine() is invoked. Since the ActivateLicense() would only be invoked initially at the time of activation, the subsequent opening of the application won’t have server synchronization due to this function.

I understand that ActivateLicense() also syncs with the server - what I am trying to figure out is when a background synchronisation thread is spawned that will then repeatedly resync every X number of seconds. My understanding was that IsLicenseGenuine() spawns such a background thread, but ActivateLicense() does not spawn a new thread to keep on syncing at intervals. Is that correct?

> No, ActivateLicense() also triggers the server synchronization. While ActivateLicenseOffline() does not.

I understand that ActivateLicense() triggers synchronisation, but does it also trigger a background thread to keep synchronising at intervals?

> Additionally, in the event of utilizing the aforementioned method, if a license update occurs on the server side, restarting the main application is necessary for the changes to take effect. This is because the validation process relies on cached data post-initial validation.

I’m fine with that, since these are all node-locked licenses and I don’t need changes to be updated client-side immediately.

Thanks

Calling ActivateLicense() also initiates the background thread to synchronize at the specified interval. However, if both ActivateLicense() and IsLicenseGenuine() functions are called, they will not initiate separate threads. The total thread count will always remain at 1.