Treer/ip4

Automatically Discarded by Browsers

Opened this issue · 3 comments

Hello,

I actually admire your work on such a tool and I'd like to use it probably all the time because I am a network engineer, and it's really beneficial. Yet, it gets discarded all the time on all browsers I regularly use.

Chrome
Version: Version 87.0.4280.141 (Official Build) (64-bit)
Firefox
Version: 84.0.2 (64-bit)
Microsoft Edge
Version: Version 87.0.664.75 (Official build) (64-bit)

I know I can bypass the discard message I get. But tbh, I don't like downloading suspicious files from the internet to keep my laptop as clean as possible. Can you please check and solve this issue?

Thank you!

Treer commented

Overnight, 34 virus checkers on VirusTotal started listing it, all with different and fuzzy reasons.

You can see which virus checkers are returning false positives here:
https://www.virustotal.com/gui/file/69ba244e315743a0df4868d9fbefc3ee6aef626c58f68c061d21b4ef5bc19011/detection

I assume what's happened is virus checkers no longer look for known viruses but instead look for suspicious patterns of behaviour, and ip4 contains a list of sites that return your external IP, which I imagine is something commonly employed by botnet malware. The .exe contains every working whats-my-ip site I could find with Google.

Kaspersky specifically blacklists it as "not a virus", but it's still blacklisted, presumably as what that link refers to as riskware - useful tools that a malefactor might install on a computer without the user's knowledge to pursue nefarious goals.

I've submitted a false positive report to adaware, but they still list it and it leaves 33 more to go. I don't know why they all started flagging it together - do they copy off each other? And without knowing which of them are the influencers I didn't have time to find and jump through the hoops of 33 different companies.

Until this is resolved it is unlisted from chocolatey, and is almost certainly why the web browsers are discarding it.

I'd like to get its false positives taken down, but the amount of work it will take vs. the chance of 100% success has kept me from spending time on it, however there might be another way...

AWS now provides a site that returns your IP, and AWS is a reliable and above-board service that's here to stay, so perhaps if I remove all the other external IP sites from the .exe - especially the Russian ones, and just depend on the AWS one, perhaps that will remove whatever is triggering the virus scanners... assuming it's not just marked riskware due to being a network tool.

(I imagine that adding encryption to hide what it does would just make the virus scanners more certain there was mischief afoot.)
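For anyone in the original poster's position (a downloaded .exe that the browser refuses, and a VirusTotal page full of mixed verdicts), the practical check is to hash the file yourself and read the report with the "not-a-virus"/riskware labels separated from verdicts that name an actual malware family. The script below is an added example for this thread, not part of the ip4 project. It uses VirusTotal's public v3 file endpoint (`GET /api/v3/files/{sha256}` with an `x-apikey` header; `last_analysis_stats` and `last_analysis_results` are the documented field names); `SAMPLE_REPORT`, the vendor names in it and the `SOFT_LABELS` substrings are constructed here so the script runs offline, and the `verdict()` buckets are this example's own heuristic.

```python
"""Vet a downloaded binary against its VirusTotal file report before running it.

Added example for this thread, not part of the ip4 project. The VirusTotal
v3 endpoint and field names are the public ones; SAMPLE_REPORT below is a
CONSTRUCTED, abbreviated response so the script runs offline.
"""
import hashlib
import json
import os
import urllib.request

VT_GUI = "https://www.virustotal.com/gui/file/{sha256}/detection"
VT_API = "https://www.virustotal.com/api/v3/files/{sha256}"

# Substrings vendors use for 'useful tool that could be abused' verdicts
# (Kaspersky's 'not-a-virus' prefix, riskware, PUA). Heuristic, not exhaustive.
SOFT_LABELS = ("not-a-virus", "riskware", "risktool", "pua", "potentially unwanted")


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest: the key VirusTotal reports are indexed by."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries don't sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def gui_url(sha256: str) -> str:
    """Same link shape as the VirusTotal URLs quoted in this thread."""
    return VT_GUI.format(sha256=sha256)


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch the v3 file report (network call; needs a VirusTotal API key)."""
    req = urllib.request.Request(VT_API.format(sha256=sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarise_report(report: dict) -> dict:
    """Reduce a file report to counts plus which engines flag it, separating
    verdicts that name a malware family from the softer riskware-style labels:
    a file carrying only soft labels is a different risk to one called a trojan."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    hard, soft = {}, {}
    for engine, r in attrs.get("last_analysis_results", {}).items():
        if r.get("category") not in ("malicious", "suspicious"):
            continue
        label = r.get("result") or "(no label)"
        bucket = soft if any(t in label.lower() for t in SOFT_LABELS) else hard
        bucket[engine] = label
    return {
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "undetected": stats.get("undetected", 0),
        "hard": hard,   # engine -> verdict naming a malware family
        "soft": soft,   # engine -> riskware/PUA/not-a-virus style verdict
    }


def verdict(summary: dict) -> str:
    """Coarse triage (this example's own heuristic). 'soft-only' is the
    false-positive-prone case described in this thread; it still needs a
    human decision, not an automatic pass."""
    if not summary["hard"] and not summary["soft"]:
        return "no-detections"
    if not summary["hard"]:
        return "soft-only"
    return "hard-detections"


# CONSTRUCTED sample shaped like a v3 file report (three invented engines).
SAMPLE_REPORT = {
    "data": {"attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": 2,
                                "suspicious": 0, "undetected": 1, "timeout": 0},
        "last_analysis_results": {
            "VendorA": {"category": "malicious", "result": "not-a-virus:RiskTool.Example"},
            "VendorB": {"category": "malicious", "result": "Trojan.Generic.Example"},
            "VendorC": {"category": "undetected", "result": None},
        },
    }}
}

if __name__ == "__main__":
    import sys
    # With a path argument and VT_API_KEY set, look up a real file; otherwise
    # run the constructed sample so the demo works offline.
    if len(sys.argv) > 1 and os.environ.get("VT_API_KEY"):
        digest = sha256_of_file(sys.argv[1])
        report = fetch_report(digest, os.environ["VT_API_KEY"])
    else:
        digest = sha256_of_bytes(b"constructed demo bytes")
        report = SAMPLE_REPORT
    s = summarise_report(report)
    print(gui_url(digest))
    print(f"malicious={s['malicious']} suspicious={s['suspicious']} "
          f"undetected={s['undetected']} -> {verdict(s)}")
    for engine, label in sorted({**s["hard"], **s["soft"]}.items()):
        print(f"  {engine}: {label}")
```

Run as `VT_API_KEY=... python vet.py path/to/ip4.exe` to check a real download; hashing locally means the binary itself is never uploaded, only its digest is looked up. The split into "hard" and "soft" buckets is the point: a report where every flag is a "not-a-virus"/riskware label looks very different from one where engines agree on a named family, and that is the distinction the vendor replies quoted later in this thread gloss over.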

Thanks for the kind words!

I think you are right. The file gets blocked because it's suspicious not because it's a virus. Try adding the file to a zipped file instead of downloading the .exe file directly and see if it passes.

Treer commented

ugh

I tried reporting the false positive to another vendor on VirusTotal (SecureAPlus/SecureAge APEX) that marked it as malicious, and they linked me back to the VirusTotal report as the reason they won't change their determination:

Your submission (reference number: 20210611-180403375500 / ip4 v1.0.0.5) has been analyzed by our review team.

Multiple suspicious indicators according to VirusTotal:
https://www.virustotal.com/gui/file/0877e7a58f640eba04f16437404d3d01ce7664d28ab179b949f300d42d7ed5f8/detection

In light of the above, we regrettably are unable to clear the detection for your submission.

We find that software with valid and trusted digital signatures is less likely to be detected as malicious by our APEX engine.

These virus-checking companies are so inept they mark "Hello world" example programs as malicious; perhaps they keep a list of corporate software and just flag everything else.

Hundreds of dollars every year to buy a digital certificate is not worth it for me for an open source project (though no doubt it's worth it to virus authors). The shoddiness of virus-scanning companies might even mean an ip4 certificate risks revocation or blacklisting after paying for it.

Note: The determination above was for v1.0.5 of ip4, which only uses AWS and/or Azure. Taking all the other ip-resolvers out of it temporarily reduced the number of false positives to 12, but now it's back to 31.

I've reopened this ticket to keep the issue visible