# "Why is the program flagged by antivirus?"

<figure><img src="/files/lyRCyqOHyuPV84AXaxK6" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
Why is the antivirus blocking the program?
{% endhint %}

This is a false positive. Any high-quality private software designed to bypass anti-cheats uses techniques that antiviruses flag as suspicious, simply because these are the same techniques used by actual malware.

An antivirus alert is a sign that the software is operating at a low system level. This is a necessary requirement for bypassing modern anti-cheats.

{% hint style="warning" %}
Is a cheat that doesn't trigger an antivirus detection better?
{% endhint %}

No. Private software that doesn't trigger an antivirus either lacks necessary low-level operations (likely failing against serious anti-cheats) or is already in the anti-cheat's signature database.

{% hint style="warning" %}
Is 40/72 detections on VirusTotal normal?
{% endhint %}

Yes, this is absolutely normal. Look at the names of the detections:

* `W64/Themida.WN`
* `Win64/Packed.Themida.Q`
* `Suspicious App`
* `Generic.Packed`
* `Unsafe`

These are not detections of a specific virus; they are detections of the Themida protector used to shield the code. Themida is a legal, commercial product used to protect programs from reverse engineering. Antiviruses detect the fact that the file is packed, rather than any malicious code inside.

{% hint style="warning" %}
But isn't 40 detections a lot?
{% endhint %}

The paradox is that actual viruses usually have 0–5 detections on VirusTotal, not 40.

Why? Because malware developers:

* Specifically test their files on VT before distribution.
* Use private cryptors tailored to bypass detections.
* Constantly re-crypt files as soon as detections appear.

We, however, use Themida, a public commercial protector known to all antivirus engines. We don't need to hide from antiviruses; we need to protect the code from analysis by anti-cheats. These are different tasks.

**Conclusion**: A high detection count on VT with labels like "Themida/Packed/Suspicious" is actually a sign of legitimate protected software, not a virus.

{% hint style="success" %}
Antivirus detections are a side effect of the technologies required to operate at the kernel level. This is not a bug, but a feature of any serious private software.
{% endhint %}

