IUPAC-InChI/InChI

BitDefender is detecting inchi-1.exe 1.07 as a virus


I see this in my BitDefender logs.

On-Access scanning has detected a threat. The file has been deleted. C:\Dev\Mike***\Inchi\Inchi\inchi-1.exe is malware of type Gen:Variant.Lazy.591568

Please fix this

inchi-1.exe
InChI version 1, Software v. 1.07 (inchi-1 executable)
Windows 64-bit Build (MS VS 2017 or later) of Jul 16 2024 16:25:04

I think it's safe to say this is a false positive, maybe open a report to Bitdefender?

I agree that it's most likely a false positive, but it is also flagged by other engines too.

Besides which, it is not my place to report this; it should be done by the InChI Trust.

I got a similar warning using G Data on Windows (sorry for the German):
Virus: Gen:Variant.Lazy.591568 (Engine A)
Datei: inchi-1.exe
Verzeichnis: [...]\InChI\INCHI-1-BIN\windows\64bit

@JanCBrammer can you confirm the released binary files are built in a github workflow and not in any personal PC that may be compromised?

The binaries I used were downloaded from the release folder https://github.com/IUPAC-InChI/InChI/releases/download/v1.07.1/INCHI-1-BIN.zip

> can you confirm the released binary files are built in a github workflow and not in any personal PC that may be compromised?

@giallu, the binaries under https://github.com/IUPAC-InChI/InChI/releases/download/ aren't built on GitHub runners. See #1.

As far as I know, currently, @djb-rwth is building them on his machine.

Ok. I still think this is likely a false positive (otherwise more engines would mark the binaries as infected) but it makes sense to start building them in the GitHub environment so we can be pretty sure about it.

For my part, I can add to the cmake branch a package target that bundles the artifacts together and makes them available.

I think it would be a good idea to (code) sign all the binary files (exe and dll) in the release, as that should help appease the AV vendors.

I've uploaded the .exe to G Data, they accepted and whitelisted it.

Hi all,
Thanks @fbaensch-beilstein for confirming my suspicions that this is a false positive.

This does not seem to be an isolated case in which BitDefender detected Gen:Variant.Lazy.591568 falsely -- please refer to the following hyperlinks: hl1, hl2 or hl3.

Almost all AV software tends to be over-protective in cases of .exe files as malware and spyware most frequently sneak them within the OS.

Just recently, even the basic Windows Security falsely detected PUABundler:Win32/Rostpay within a MyConsoleApplication.exe which contained a compiled Hello world program and PUA:Win32/Presenoker inside GCC 14.1 for MS Windows installation files.

In line with @MikeWilliams-UK's suggestion, all binaries will be digitally signed from now on and we shall see if that works.

I would like to encourage the users who encounter this sort of problem to submit the file(s) to the AV software HQs for further analyses/whitelisting, just like @fbaensch-beilstein did.
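
For anyone checking a release after the signing change discussed in this thread, the following is an added example (not part of the thread and not InChI project code). It hashes each .exe/.dll in an unpacked release folder and reports whether the PE file carries an embedded Authenticode blob; it is a presence check only and does not validate the signature. The function names are hypothetical and the sample PE header is constructed.

```python
import hashlib
import struct
from pathlib import Path

CERT_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)

def pe_signature_info(data: bytes) -> dict:
    """SHA-256 of a PE image and whether it embeds an Authenticode blob.

    Presence check only: the signature and certificate chain are NOT validated.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt_off = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt_off)[0]
        dirs_off = opt_off + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        count = struct.unpack_from("<I", data, dirs_off - 4)[0]
        off = size = 0
        if count > CERT_DIR_INDEX:
            # For this directory the first field is a file offset, not an RVA.
            off, size = struct.unpack_from("<II", data, dirs_off + 8 * CERT_DIR_INDEX)
    except (struct.error, KeyError) as exc:
        raise ValueError("truncated or unsupported PE header") from exc
    has_blob = size > 0 and off + size <= len(data)
    return {"sha256": hashlib.sha256(data).hexdigest(), "has_signature_blob": has_blob}

def scan_release(root: str) -> dict:
    """Map each .exe/.dll under an unpacked release folder to its info."""
    return {str(p.relative_to(root)): pe_signature_info(p.read_bytes())
            for p in sorted(Path(root).rglob("*"))
            if p.is_file() and p.suffix.lower() in {".exe", ".dll"}}

def constructed_pe(signed: bool) -> bytes:
    """Minimal PE32+ header for demonstration (constructed, not a real binary)."""
    blob = b"\x08\0\0\0\0\x02\x02\0" if signed else b""  # bare WIN_CERTIFICATE header
    dirs = [(0, 0)] * 16
    if signed:
        dirs[CERT_DIR_INDEX] = (64 + 4 + 20 + 112 + 16 * 8, len(blob))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew points at offset 64
    return dos + b"PE\0\0" + b"\0" * 20 + opt + blob
```

The SHA-256 values are what a vendor's false-positive form or a published checksum list would be compared against; actual signature validation on Windows is done with the platform's own tooling.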