Virus Scan
FlawlessCasual17 opened this issue · 7 comments
Hello there @kweatherman,
I just want to ask, why does your program have 17 positive checks in VirusTotal, 3 positive checks in MetaDefender, and 2 positive checks in Jotti's malware scan?
https://www.virustotal.com/gui/file/f96d382761bdf2864691cddbcbef2a934353965e09979b0c732774e8add2b12c?nocache=1
https://metadefender.opswat.com/results/file/bzIyMDYwOGZUdXRrdmRFLXdObUs1VHRMUlU/regular/overview
https://virusscan.jotti.org/en-US/filescanjob/t2m90mzrn4
Could you please explain why?
Yes, I put a comment about this in the latest release.
When I was initially told this I even checked for the small possibility that the release download was somehow hijacked and a malicious payload was injected into it. There was of course none.
I don't know what triggers those. It's probably badly constructed, unsubstantiated heuristic rules.
Probably some combination of the fact that:
A) Has an administrator-required manifest (needs admin to do the folder setting).
B) The code size is very small.
C) Creates a registry entry under "HKEY_CLASSES_ROOT\Directory\shell"
D) Maybe "SHGetSetFolderCustomSettings" or some other API usage pattern that some malware uses.
There is not a single thing malicious in it whatsoever.
Frankly those malware engines that are giving my little utility false positives are garbage.
It's okay for them to say they suspect something is malicious via heuristics, hardcoded signatures, triggers from running through a badly trained NN/ML, etc., but then it's not okay to report it as malware without verification or actual proof.
At least a "W32/PossibleThreat" report is somewhat palatable.
The better, more robust engines will verify what they suspect via some type of emulator (either locally or cloud based) first.
Thus why the ones that report false positives are garbage and they actually do more damage than good.
Get Visual Studio Community version and just build it yourself. The code is very simple, you can see what it does.
Oh ok. Thank you for clarifying, have a good day.
You too. And I probably sound a little bit more angry than I am, but I like filling in the details.
It's okay. I didn't take it personally.
I'll keep it open so others can see the info, thanks.
Out of curiosity, I checked, and the 1.2.0 release appears to get a lot fewer malware hits.
https://www.virustotal.com/gui/file/cfd7fc64f9cb2f99b12e7f600bab15b0a77a8f3effcad5c6844cb73003bfdebd
https://virusscan.jotti.org/en-US/filescanjob/m286sbk5su
Nice. Good Job.