A while back I had a spate of false positive detections of Trojan.MDropper by Auto Detect. Auto Detect fixed 'the problem' by deleting intermediate files created during a software build from Microsoft Visual Studio 2005. However, a full scan found nothing. Symantec tech support found nothing either and put it down to MS Visual Studio creating a host of temporary (a typical virus signature) files in:
C:\DOCUME~1\John\LOCALS~1\Temp\
Needless to say I couldn't build the software for a while. We eventually removed the temp folder from Auto Detect scanning, which I think is not very safe really.
The problem has however returned but this time I tracked it down to a compilation (not linking) of a few lines of source code. The really interesting thing is that this piece of code is part of an anti-hack guard in my software aimed at detecting hacker tools, specifically in this case their favoured debugger and exe fiddler, OllyDbg.
Although scanning finds nothing, I now suspect that this is NOT a false positive after all, but that the intermediate file is being infected, perhaps benignly, or labelled as infected, so forcing Auto Detect to delete it and prevent building my anti-hack. Maybe it's a subtle attempt to encourage the removal of anti-hack guards.
It's a clever ploy if so.
Maybe I'm just being paranoid here, but, as they say, "Just because you're paranoid, doesn't mean to say that they're not out to get you".
Has anybody ever heard of such a subtle 'denial of build' attack? And how on earth do I get rid of it if full scans find nothing?
Many thanks for your thoughts.
John Rye