"Use DLL Runtime" triggers Antivirus

Realized through trial and error what caused my plugin to be flagged as a virus by Bitdefender (and immediately deleted). Got some user complaints because it was unusable with this overprotective antivirus turned on.

Turns out that it makes a difference whether you select “Use static runtime” or “Use DLL runtime” as “Runtime Library” in the Projucer. I switched to static runtime now to not trigger the Antivirus anymore. Is there any knowledge around as to why this happens? Had a look at these articles (1) (2) but would it not be best to have the static runtime as the default?

1 Like

Not sure why using a DLL runtime should trigger antivirus software. But static is nowadays a good choice I think.
Keep in mind, it could also be coincidence. So you recompiled the plugin, it has a different hash, and for some reason (maybe cloud-based behaviour detection) the antivirus does not alarm anymore.
I think best practice is to contact the vendor of the antivirus software; they often have a webpage where you can upload files if you think they cause a false-positive detection.

Tip: always check your plugins with https://www.virustotal.com/gui/home/upload before sending them out to your customers.

3 Likes

Thanks a lot for the fast reply! I also think it makes no sense, but it is reproducible that whenever I change the runtime it triggers Bitdefender and it moves it directly to quarantine.

Previously also checked my plugins with VirusTotal but for some weird reason it does not trigger in the sandbox.

For me, the problem is resolved with the static runtime. Hope it helps someone else to not waste as much time on this as me :)

Same problem here, it has been happening for approximately 10 days. I think it’s a major issue, but we already use “Static Runtime” …
Mine is categorized as Gen:Variant.Tedy.321545 by Bitdefender.
Any idea how to investigate that?

It feels like what Bitdefender is doing is quite arbitrary. The way I went about it was compiling an old version of my plugin that I knew was not flagged and then basically did a binary search on my git commits to see when it started to be flagged, to find what Bitdefender deemed suspicious. (Works fairly fast because Bitdefender moves “suspicious” plugins directly to quarantine after compiling.)
I assume you could also contact Bitdefender to get your false positive removed, but I guess then you would have to do that every time you change something on your plugin.
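
The commit-by-commit search described in the last post can be handed to `git bisect run`, which gives you a specific commit to cite in a false-positive report to the vendor. This is an added example, not code from anyone in the thread. The script name `av_bisect.py`, the build command, the artifact path and the 30-second wait are assumptions, as is treating "binary gone after a successful build" as "quarantined".

```python
#!/usr/bin/env python3
"""Predicate for `git bisect run`: build, then check the binary was not quarantined.

Assumed usage (paths and build command are placeholders for your project):
    git bisect start <flagged-commit> <clean-commit>
    git bisect run python av_bisect.py <path-to-built-binary> <build command...>
"""
import os
import subprocess
import sys
import time

GOOD, BAD, SKIP = 0, 1, 125  # exit codes that `git bisect run` interprets


def survives(artifact, wait_s=30.0, poll_s=1.0, sleep=time.sleep):
    """Return True if `artifact` is still on disk after `wait_s` seconds."""
    waited = 0.0
    while True:
        if not os.path.isfile(artifact):
            return False  # file vanished: assumed to have been quarantined
        if waited >= wait_s:
            return True
        sleep(poll_s)
        waited += poll_s


def classify(build_cmd, artifact, wait_s=30.0, poll_s=1.0, sleep=time.sleep):
    """Build the current checkout and map the outcome to a bisect exit code."""
    if os.path.isfile(artifact):
        os.remove(artifact)  # never judge a stale binary from another commit
    if subprocess.run(build_cmd).returncode != 0:
        return SKIP  # commit does not build, so it cannot be judged
    # A wrong artifact path would also look "quarantined"; verify it by hand once.
    return GOOD if survives(artifact, wait_s, poll_s, sleep) else BAD


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: av_bisect.py <artifact> <build command...>")
    sys.exit(classify(sys.argv[2:], sys.argv[1]))
```

Commits that fail to build are skipped rather than marked bad, so an unrelated broken commit does not mislead the search.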