LabVIEW Executable Fails Virus Scan

Updated Nov 2, 2023

Reported In

Software

  • LabVIEW
  • LabVIEW Application Builder Module

Other

  • File Checksum Integrity Verifier (FCIV)

Issue Details

  • I've distributed a LabVIEW built executable that fails a virus scan. Why does this happen?
  • I'm sharing a LabVIEW installer that also distributes an executable. When I scan it with my anti-virus software, high risk files are identified. What could be causing this?

Solution

Modern anti-virus software can flag files and software as malicious based on generalised rules derived from known malware. This is signature-based (blacklist) detection, which relies on matching byte patterns in the binary against patterns taken from known malicious code.

To verify whether the files are high-risk or malicious, check the following:

1. Obtain a virus scan report from your anti-virus software.

  • This will identify the name and type of file that was deemed high risk.

2. Attempt to remove or quarantine the malicious file(s).
3. If the file can be located on the PC, confirm whether it has a digital signature.

  • Files created by NI will be digitally signed by "National Instruments Corporation" as shown in the image below.

Note: Do not assume that a digital signature cannot have been forged by malicious software. Instead, treat a valid signature as an indicator that the file is unlikely to have been tampered with, not as proof.

[Image: National Instruments digital signature shown in the file's properties]

4. Obtain the File Checksum Integrity Verifier (FCIV) tool from Microsoft™.

  • This tool calculates MD5 checksums of files.

5. Using the FCIV tool, calculate the checksum of the flagged binary (instructions can be found on Microsoft's website).

  • NI ships MD5 checksums for all files within each distribution.
  • NI's checksums can be found in the root level of the software's installer, or in the bin subdirectory. The files are called dist_md5*xml or suite_md5*xml depending on the suite or distribution.

6. Verify whether the binary matches NI's checksums.

  • If the binary does not match, the file is likely to be infected.
  • If the binary matches, the anti-virus flag is likely to be a false positive.
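The comparison in steps 5 and 6 can be scripted rather than done by hand. The following is an added example, not NI's or Microsoft's code: it hashes every file listed in a checksum manifest and reports matches, mismatches and missing files. The `<file path="..." md5="..."/>` layout of the manifest and the file names are constructed placeholders, not the real schema of dist_md5*xml; adapt `parse_manifest()` to the actual NI file.

```python
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large installers do not have to fit in memory.
    MD5 is used only because that is what the manifest carries; it catches
    accidental or unsophisticated modification, not a deliberate collision."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(xml_text):
    """ASSUMED layout: <manifest><file path="bin/x.exe" md5="hex"/>...</manifest>."""
    root = ET.fromstring(xml_text)
    return {e.get("path").replace("\\", "/"): e.get("md5").lower()
            for e in root.iter("file")}


def verify_tree(root_dir, expected):
    """Compare each manifest entry with the file on disk under root_dir."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for rel, want in expected.items():
        full = os.path.join(root_dir, *rel.split("/"))
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif md5_of_file(full) == want:
            result["ok"].append(rel)
        else:
            result["mismatch"].append(rel)  # altered on disk: treat as suspect
    return result


def demo():
    """Build a constructed distribution, verify it, tamper one file, re-verify."""
    files = {"bin/MyApp.exe": b"MZ constructed app", "bin/lvrt.dll": b"MZ constructed runtime"}
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "bin"))
        for rel, data in files.items():
            with open(os.path.join(d, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = "<manifest>" + "".join(
            f'<file path="{r}" md5="{md5_of_file(os.path.join(d, *r.split("/")))}"/>'
            for r in files) + "</manifest>"
        before = verify_tree(d, parse_manifest(manifest))
        with open(os.path.join(d, "bin", "MyApp.exe"), "ab") as f:
            f.write(b" tampered")  # simulate a modified binary
        after = verify_tree(d, parse_manifest(manifest))
    return before, after
```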

Additional Information

NI files and binaries may be flagged as malicious because:
  • The binary has malicious code that wasn't known to the anti-virus software at the time.
    • This is unlikely because NI scans its binaries during the release process.
  • Malicious code has altered the NI binary.
    • This is also unlikely due to the complex nature of forging and modifying binaries.
  • The anti-virus product has found a bit pattern in the NI binary that matches a bit pattern in known malicious code.
    • This is the most likely scenario.