delphi drwatson

Delphi invoking Dr. Watson?


I have a program that my company has been using for more than 10 years. Recently an antivirus vendor began flagging the file as malware. The vendor says that it is injecting itself into a Dr. Watson process. I scanned it with VirusTotal. All 55 engines say there is no malware, but the "behavioral information" tab shows that the program opens Dr. Watson and injects itself into the process.

There is no code in the Delphi program to invoke Dr. Watson. Has anyone seen this before with Delphi? Any idea how to stop this behavior?


Solution

  • Unhandled exceptions that even get through the default handlers Delphi provides (and Delphi 5 provides less than more recent versions) get handled by Windows, and in some cases this may have Windows start DrWatson by default to create and write a kernel dump.

    Start DrWatson yourself to see in which folder it keeps these files. Have a close look at them as they are designed to keep track of the position in the compiled logic where the process got into trouble.

    If you find out more there about what was running at the moment DrWatson is called, or by adding some logging yourself, try having more exception handling in that bit of code and catch the exceptions early to handle them appropriately, so Windows won't decide to halt your process.
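
One way to add the logging suggested in the answer above, as an added example that is not part of the original post: a `try..except` around the suspect code records the exception class and address, and a last-chance filter records anything that still reaches Windows. The names `CrashLogDemo`, `AppendLog`, `LastChanceFilter`, `SuspectRoutine` and the log file name are hypothetical, and the nil-pointer write is a constructed fault.

```delphi
program CrashLogDemo;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

const
  LogFileName = 'crashlog.txt';  // hypothetical log location
  ContinueSearch = 0;            // value of EXCEPTION_CONTINUE_SEARCH in the Windows SDK

procedure AppendLog(const Line: string);
var
  F: TextFile;
begin
  AssignFile(F, LogFileName);
  if FileExists(LogFileName) then Append(F) else Rewrite(F);
  try
    Writeln(F, FormatDateTime('yyyy-mm-dd hh:nn:ss', Now) + ' ' + Line);
  finally
    CloseFile(F);
  end;
end;

// Last-chance filter: Windows calls this for an exception no handler took,
// before its default handling. It only records the fault and steps aside.
function LastChanceFilter(Info: PExceptionPointers): Longint; stdcall;
begin
  AppendLog('unhandled code=$' +
    IntToHex(Integer(Info^.ExceptionRecord^.ExceptionCode), 8) +
    Format(' at %p', [Info^.ExceptionRecord^.ExceptionAddress]));
  Result := ContinueSearch;
end;

procedure SuspectRoutine;  // constructed fault standing in for the real code
var
  P: PInteger;
begin
  P := nil;
  P^ := 1;  // raises an access violation
end;

begin
  SetUnhandledExceptionFilter(@LastChanceFilter);
  try
    SuspectRoutine;
  except
    on E: Exception do
      // ExceptAddr can be matched against the linker's .map file
      AppendLog(E.ClassName + ': ' + E.Message + Format(' at %p', [ExceptAddr]));
  end;
end.
```

Building with a detailed map file lets the logged addresses be traced back to a unit and routine.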