We have used TMSCryptography pack to produce a dll for generating and checking salted hashed passwords and it has been in use since July last year. Today out AV software ( and 28 others courtesy of VirusTotal.com) prevent it from loaded reporting that it contains a virus. Our secutiry team is now trying to tell me to remove the offending code but we haven't done much more than call a few functions provided by TMS Crypto. In the short term we have whitelisted the DLL in out own installations, but we have many external customers who might suffer the same problem and who might not be so willing to simpy whitelist our DLL
Has anyone else had a similar problem and if so what did you do to address it?
This happens all the time. It's not only with cryptographic functions, but also with .exe file packers.
And sometimes, it happens even when you don't add or change anything to your program. Sometimes a simple re-compile with a new compiler is enough.
A few years ago, when I actually cared, I used to send submissions to the big antivirus companies to prove that there's nothing wrong with my applications.
These days, I simply don't care. I have neither the time nor patience to chase these people and tell them to get their sh*t together and stop identifying things as viruses unless they really ARE viruses.
As far as what to do with your customers, it's fairly simple. Send them a couple of links which explain how and why virus engines are constantly producing false negatives. And also tell them to use common sense: "We're not in the habit of infecting our customers with viruses. That would be very bad for business."