
The Case of Evil WinMain

1 Jun 2014   CPOL   4 min read

A story about how two thirds of all antivirus programs went crazy over an empty program, for no obvious reason.

[Image: TheCaseOfEvilWinMain/FirstDay.PNG - VirusTotal result on the first day (source of this image on vtotal)]
[Image: TheCaseOfEvilWinMain/NextDay.PNG - Next day it got worse]

#include <windows.h>

// The entire program under test: an empty WinMain that does nothing and returns immediately.
int WINAPI WinMain(HINSTANCE inst, HINSTANCE prev, LPSTR cmd, int show) {
    return 0;
}

EmptyWinMainFalsePositive.zip

Introduction 

One day I noticed, in the forum of one of my articles, a worried post from a CodeProject member saying that my sample had been blocked from execution by Norton AV and moved to quarantine.
"Hmm, that's strange," I said to myself.
So I took the sample and uploaded it to virustotal.com to see what was going on. VirusTotal is an excellent site which scans your binary with dozens of up-to-date antivirus engines and gives you back a report on what each of them thinks about the file.
And indeed, the report said the file was detected by Symantec as "suspicious-insight".

Suspicious-insight

Later I found on the web that Symantec uses a cloud-based scanner technology called "Insight", driven mainly by heuristics and file reputation: a file that is new, unsigned and seen on very few machines gets a low reputation score whether or not its code does anything harmful. At the time, though, I thought:

"Ok, clearly some part of my code was considered suspicious by it."

I started by building the exe (around 30 lines of code) from my article.
virustotal result: virus "suspicious-insight".

Let's remove half of the code.
virustotal result: virus "suspicious-insight".

"Hmm, strange."

Let's remove the remaining half of the code, so that only an empty WinMain is left.

virustotal result: virus "suspicious-insight".
BUT now 9 of 38 AV engines (as you can see in the first image of the article) were also screaming things like "Trojan Downloader".

Update:
After 2 years it is 26 of 42 engines reporting it as a trojan, so things have definitely got worse.
That is about 2/3 of all AV engines now.

"Hmm. What ? Trojan Downloader ? Where did this come from? Wasn't removing all code supposed to remove suspicius in the first place?" 

Update:
Good news is that symantec no longer reports it as  "suspicious-insight" 
Bad news is that now it reports it as  "Backdoor.Trojan"
 ;D

Update:
After 2 years  nothing changed 
 still  "Backdoor.Trojan" for symantec  

So what caused two thirds of AV vendors to go NUTS?

I am starting to feel that they simply started searching for malware in the C runtime itself (with /MT that is the static MSVC CRT, libcmt, which gets linked into the binary). If so, that is rather strange, because there are not that many versions of it, and it is linked into nearly everything under the sun over and over.


Here is the mentioned VS 2008 project file + source + resulting binary (which does nothing), along with the VirusTotal results for it.

But please go ahead and create an EMPTY C++ project to see it for yourself:
add a .cpp file with this empty WinMain that does nothing, and build Release.

I found that the following switches made my poor old .dsp different from the default VS2008 project settings:

    Use the static CRT                           (Runtime Library: Multi-threaded (/MT), or any other static library setting)
    Disable Whole Program Optimization           (set to No, i.e. no /GL)
    Disable Generate Debug Info                  (linker, set to No, i.e. no /DEBUG)
    Set Randomized Base Address to Default       (linker, i.e. /DYNAMICBASE is not passed explicitly)


And watch the havoc on virustotal.com ;D.
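Three of those switches leave a trace that can be read straight out of the PE headers, which is exactly where a reputation or heuristic engine looks before it bothers with the code: /DEBUG adds a debug directory, /DYNAMICBASE sets the DYNAMICBASE bit in DllCharacteristics (the hardened builds that engines are used to also carry NXCOMPAT), and code signing adds a security directory. The /MT static CRT is not visible from the headers alone; it shows up in the import table as the absence of MSVCR90.dll. As an added example, not code from the article or from the attached sample project, here is a small header inspector that reports those fields. The struct and function names are this example's own, and the "image" it runs on is a constructed, headers-only PE32 buffer, not a real executable.

```c
/* pe_inspect.c: added example, not code from the article or its sample project.
 * Parses the headers of a PE image held in memory and reports what an AV
 * reputation or heuristic engine can see there without running anything:
 * the DYNAMICBASE (ASLR) and NXCOMPAT (DEP) bits in DllCharacteristics, whether
 * a debug directory exists (/DEBUG) and whether a security directory
 * (Authenticode signature) exists. Plain C99, no windows.h; names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLLCHAR_DYNAMIC_BASE 0x0040  /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define DLLCHAR_NX_COMPAT    0x0100  /* IMAGE_DLLCHARACTERISTICS_NX_COMPAT */
#define DIR_SECURITY 4               /* IMAGE_DIRECTORY_ENTRY_SECURITY */
#define DIR_DEBUG    6               /* IMAGE_DIRECTORY_ENTRY_DEBUG */

struct pe_report {
    int valid;         /* 1 when the headers parsed cleanly */
    int aslr, nx;      /* DYNAMICBASE / NXCOMPAT set in DllCharacteristics */
    int has_debug_dir; /* debug directory size != 0 */
    int has_signature; /* security directory size != 0 */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xFF; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> 8 * i) & 0xFF; }

/* Size field of data directory idx, or 0 when the optional header is declared too short for it. */
static uint32_t dir_size(const uint8_t *opt, size_t opt_len, size_t dirs_off, unsigned idx)
{
    uint32_t n = rd32(opt + dirs_off - 4);               /* NumberOfRvaAndSizes */
    if (idx >= n || dirs_off + 8 * (size_t)idx + 8 > opt_len) return 0;
    return rd32(opt + dirs_off + 8 * idx + 4);
}

/* Every offset is checked against len before it is read: a truncated or hostile file yields valid = 0. */
struct pe_report pe_inspect(const uint8_t *img, size_t len)
{
    struct pe_report r = {0};
    if (len < 0x40 || rd16(img) != 0x5A4D) return r;                         /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                           /* e_lfanew */
    if (pe > len || len - pe < 24 || rd32(img + pe) != 0x00004550) return r; /* "PE\0\0" */
    const uint8_t *fh  = img + pe + 4;                                        /* IMAGE_FILE_HEADER */
    size_t opt_len     = rd16(fh + 16);                                       /* SizeOfOptionalHeader */
    const uint8_t *opt = fh + 20;                                             /* IMAGE_OPTIONAL_HEADER */
    if (len - (pe + 24) < opt_len || opt_len < 2) return r;
    size_t dirs_off;
    switch (rd16(opt)) {                                                      /* Magic */
    case 0x10B: dirs_off = 96;  break;                                        /* PE32 */
    case 0x20B: dirs_off = 112; break;                                        /* PE32+ */
    default:    return r;
    }
    if (opt_len < dirs_off) return r;
    uint16_t dc = rd16(opt + 70);     /* DllCharacteristics: same offset in PE32 and PE32+ */
    r.aslr = (dc & DLLCHAR_DYNAMIC_BASE) != 0;
    r.nx   = (dc & DLLCHAR_NX_COMPAT) != 0;
    r.has_debug_dir = dir_size(opt, opt_len, dirs_off, DIR_DEBUG) != 0;
    r.has_signature = dir_size(opt, opt_len, dirs_off, DIR_SECURITY) != 0;
    r.valid = 1;
    return r;
}

/* Constructed, headers-only PE32 image (not a runnable executable) so the inspector runs offline. */
size_t make_test_image(uint8_t *buf, size_t cap, uint16_t dllchars,
                       uint32_t debug_dir_size, uint32_t security_dir_size)
{
    const uint32_t pe = 0x80;             /* e_lfanew: where "PE\0\0" goes */
    const size_t total = pe + 24 + 224;   /* signature + file header + PE32 optional header */
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe);
    wr32(buf + pe, 0x00004550);           /* "PE\0\0" */
    uint8_t *fh = buf + pe + 4, *opt = fh + 20;
    wr16(fh + 16, 224);                   /* SizeOfOptionalHeader for PE32 */
    wr16(opt + 0, 0x10B);                 /* PE32 magic */
    wr16(opt + 68, 2);                    /* Subsystem: Windows GUI, as for a WinMain program */
    wr16(opt + 70, dllchars);
    wr32(opt + 92, 16);                   /* NumberOfRvaAndSizes */
    wr32(opt + 96 + 8 * DIR_SECURITY + 4, security_dir_size);
    wr32(opt + 96 + 8 * DIR_DEBUG + 4, debug_dir_size);
    return total;
}

static void show(const char *label, struct pe_report r)
{
    printf("%-24s valid=%d ASLR=%d NX=%d debugdir=%d signed=%d\n",
           label, r.valid, r.aslr, r.nx, r.has_debug_dir, r.has_signature);
}

int main(void)
{
    uint8_t buf[512];
    size_t n = make_test_image(buf, sizeof buf, 0, 0, 0);           /* the article's build */
    show("article-style build:", pe_inspect(buf, n));
    n = make_test_image(buf, sizeof buf, DLLCHAR_DYNAMIC_BASE | DLLCHAR_NX_COMPAT, 28, 0x1800);
    show("hardened, signed build:", pe_inspect(buf, n));            /* same headers, hardened */
    show("truncated file:", pe_inspect(buf, 16));                   /* rejected, not overread */
    return 0;
}
```

On a real file, read it into memory and hand the buffer to pe_inspect. A Release build with the switches above comes out as ASLR=0, debugdir=0, signed=0, which is also the profile of a typical unsigned, hand-rolled dropper; that overlap, not anything in the empty WinMain, is what a header-level heuristic keys on.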

Those switches had been in my project file for a long time, and what they cause came to light by pure coincidence, through the poor fellow in my forum who started it all. So only god knows what other switch combinations will make all AV go even more crazy.

Which is kind of suspicious ;D, and it seems that Delphi developers have recently been getting the same treatment.

Solution?

Well. The question now is not what we should remove from sample code, but what junk we should add to samples so that they are not flagged and blocked by AV that is so paranoid it would probably treat even its own binaries as suspicious ;D.
I am also interested in feedback from you.
How many of your small samples/programs are treated as "suspicious-insight" or the like? Just throw them on vtotal.
Anyway, I will append a list of ideas for solving issues like this here as I find them,
along with ideas from the forum or from AV companies, if any of them react.

Virustotal history:

EmptyWinmainFalsePos.zip   File size: 20009 bytes
MD5  : c516b5f8e194c0f00994178c7db9b717
SHA1 : b187b95bd95ca157e4b75039c19ab1dbd571160a

https://www.virustotal.com/file/fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3/analysis/<unix timestamp>/
(append the unix timestamp that starts each dated line below to the URL to get a working link)

Unix timestamp  Date                 Detections
1270576549      2010.04.06 17:55:49  9/39  (23.08%)

Later I stopped submitting the exe inside a zip, because some AV engines did not catch anything in the zip, so here is the history for the non-zipped file.

-[non zipped exe]-----------------------------------------------------------------------------------------

EmptyWinmainFalsePos.exe   File size: 37888 bytes
MD5  : 92ccffff01d936f577b17028387dba62
SHA1 : 14c055acf4c8ee62e849affdd601375d613b792d

https://www.virustotal.com/file/fec02ba14a85a04690b5c38a431153749565b018fc17b5e0fb06d36642d0f9a3/analysis/<unix timestamp>/

Unix timestamp  Date                 Detections
1270576274      2010.04.06 17:51:14  10/39 (25.64%)
1270658787      2010.04.07 16:46:27  15/39 (38.46%)
1270668484      2010.04.07 19:28:04  14/39 (35.90%)
1271059131      2010.04.12 07:58:51  17/39 (43.59%)
1271417958      2010.04.16 11:39:18  20/40 (50.00%)
1272215218      2010.04.25 17:06:58  17/39 (43.59%)
1272534527      2010.04.29 09:48:47  19/39 (48.72%)
1273146379      2010.05.06 11:46:19  20/41 (48.78%)
1273946647      2010.05.15 18:04:07  19/41 (46.35%)
1282724966      2010.08.25 08:29:26  23/42 (54.80%)
1346440377      2012.08.31 19:12:57  26/42 (61.90%)
...

Update 2014.06.01:
1401646480      2014.06.01 18:14:40  36/53 (67.92%)
 

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Ladislav Nevery
Software Developer (Senior)
Slovakia
Past Projects:
[Siemens.sk] Mobile network software: HLR-Inovation for telering.at (Corba)
Medical software: CorRea module for CT scanner
[cauldron.sk] Computer games: Xbox Live/net code for Conan, Knights of the Temple II, GeneTroopers, CivilWar, Soldier of Fortune II
[www.elveon.com] Computer games: Xbox Live/net code for the Elveon game, based on Unreal Engine 3
ESET Research.
Looking for a job

Comments and Discussions

[General] My vote of 1 - Paul_Williams, 10-Jun-14 6:52
[Question] You're correct - Manikandan10, 3-Jun-14 3:11
[Question] Solution - Michael Haephrati, 5-Mar-13 11:30
    So did you find any ways to avoid that?
[Answer] Re: Solution - Ladislav Nevery, 5-Mar-13 12:49
[General] My vote of 5 - Michael Haephrati, 5-Mar-13 1:31
[General] My vote of 2 - Corvus Corax, 20-Oct-12 18:21
[General] Re: My vote of 2 - Jamesmeng, 19-Jan-16 14:11
[General] My vote of 4 - Christian Amado, 2-Sep-12 5:11
[General] Image file looks ok - marc ochsenmeier, 31-Aug-10 6:27
[General] Not bad: only 6 of 42 today on virustotal [modified] - alexkiri, 17-May-10 20:37
[General] Re: Not bad: only 6 of 42 today on virustotal - Ladislav Nevery, 25-May-10 3:39
[General] Re: Not bad: only 6 of 42 today on virustotal [modified] - Cristian Amarie, 6-Apr-12 12:05
[General] It reminds me of.... - edwig, 17-May-10 19:42
[General] Files checked are different - owillebo, 13-May-10 23:34
[General] Re: Files checked are different - Ladislav Nevery, 15-May-10 1:39
[Question] what if your computer has a virus - Gevorg, 13-May-10 18:06
[Answer] Re: what if your computer has a virus - Ladislav Nevery, 15-May-10 1:29
[Answer] Re: what if your computer has a virus - xliqz, 15-May-10 9:09
[General] Hmmm.... - Tomas Brennan, 13-May-10 14:42
[Question] Entry points? - xawari, 1-May-10 8:46
[General] Signature - swarup, 25-Apr-10 9:24
[General] Re: Signature - mavric21228-Aug-11 16:31
[General] even worse now lol - Druuler, 11-Apr-10 8:22
[General] Re: even worse now lol - Ladislav Nevery, 16-Apr-10 7:36
[General] Symantec is known for false positives - stringtheory_x, 8-Apr-10 22:05
