False positive: Win64:Evo-gen [Trj] found if using C++ function std::abort()

  • Install Microsoft Visual Studio 2022 (64-bit) v17.10.0.
  • Create a new Console App.
  • Replace the contents of ConsoleApplication1.cpp with the code given below.
  • Create a Release build.
  • ⇒ When build finishes, Win64:Evo-gen [Trj] is reported, which is a false positive. The program obviously is not a Trojan.

#include <cstdlib>

int main() {
    std::abort();
}

https://i.imgur.com/lrUu09P.png

Windows 11 Pro 23H2 22631.3593.
Avast Free Antivirus 24.4.6112 (build 24.4.9067.836)


UPDATE: They fixed the false positive "shortly after" I posted this (see igor's message: https://forum.avast.com/index.php?topic=327569.msg1719349#msg1719349). They just didn't tell. They usually don't tell (see DavidR's message: https://forum.avast.com/index.php?topic=327569.msg1719400#msg1719400).

Nobody is even interested at Avast Software s.r.o.
I guess fixing this will take them ~6 months. Here is a counter that shows how many months have passed since I reported the bug.

For the most part the majority of people who help are other Avast Users.

The -Gen at the end of the threat blocked is short for Generic, which may possibly be a false positive.

What other ‘More Options’ were given in the Alert Window?
The usual options, could be Ignore/add an exception among others.
The see details option isn’t in your screenshot, it may or may not have useful information.

Should you opt to send it to Quarantine, from there you can send it to Avast for analysis.

Since you don’t say how you reported this, it is somewhat difficult to suggest other possible options (as in the line above).

The detection was disabled shortly after you posted the message.

Thanks for the clarification Igor.

@igor: Indeed, I cannot reproduce the false positive any more. Thank you!
The only thing I would like to add is, next time please don’t just fix it, but fix it and tell me you fixed it.

@DavidR: Thanks for your contribution too. I will look at the “More Options” next time.
I didn’t need to send anything for analysis, as I have posted the source code here. This is better for developers than analyzing a binary.
How I reported this: I have posted it here, in this very thread.

  1. Avast no longer sends out replies to false positive reports - something I disagree with. Whilst there might be many such reports, if someone takes the time to report it, it would be very nice to give a response.

  2. You’re welcome.
    Unfortunately the code to your detection is unique to your detection, someone else getting an alert on the same site would have a different code.
    So for most volunteers in the Avast Forum, the Avast alert code is meaningless.

I didn’t give you an “Avast alert code”.

My apologies, I read ‘source code’ as the unique code that you had obscured in your image.

Note: When posting a screenshot of an Avast warning pop-up, it is always best to click “See Details” on the pop-up and include that information in your screenshot.

@DavidR: I see. We misunderstood each other. Source code means the C++ code I posted in a `[code] ... [/code]` block. Programmers use the terms code and coding (i.e. writing code) very often. Hence the name of the `code` block.

Thanks for the clarification.

It is a very long time ago that I did any real programming, 1993 (the year I left the services), and that was as a military Systems Analyst Programmer and that was mostly using Oracle 4GL - though I also had to do a Cobol language course (long forgotten, having not maintained currency). So nothing PC-wise really and no C++.

So looking again at your original post, it wasn’t the actual Microsoft Visual Studio program, but the output file.
I only wonder if it is what that seeks to do that Avast didn’t like. Thankfully it has been resolved.