oxen-io/oxen-core

Antivirus false alarm of oxend.exe and oxen-wallet-rpc.exe from multiple vendors

venezuela01 opened this issue · 25 comments

There are Windows users reporting that their antivirus software mislabels multiple versions of oxend.exe as Trojan/CoinMiner.dr

Antivirus software homepage: https://www.huorong.cn/

I guess oxen-core shares some code with Monero, and Monero was commonly used for coin miner viruses; as a result, antivirus software detects similar code fingerprints in oxend.exe and misclassifies it as a coin miner virus.

I'm asking the user to upload oxend.exe to https://www.virustotal.com/gui/home/upload, will update this ticket later.

See also: oxen-io/session-android#1268

Update: Today someone in the Session community complained that anti-virus software reports Oxen as a virus.

@KeeJef

KeeJef commented

Which AV program was reporting and on which Oxen version?

> Which AV program was reporting and on which Oxen version?

If you follow the link in the 2nd comment (https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b), you can see the Oxen version "oxen-electron-wallet-1.8.1-win.exe"

The screenshot also states which AV vendor labels Oxen as a virus. Let me know if you need more specific information. I don't have first-hand information either; it was reported by someone in the Session community without a specific AV program name. I tagged @KeeJef in the community, but you might have missed that.

KeeJef commented

Because so many virus scanners are scanning as a false flag, this one is going to be hard to resolve. I'll try reaching out to some of those providers.

> Because so many virus scanners are scanning as a false flag, this one is going to be hard to resolve. I'll try reaching out to some of those providers.

Thank you very much.

If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

I understand the team is busy and has its priorities. If the team's knowledge can be shared with the community, the community can apply the same knowledge and contribute more when the team is unable to free themselves from multiple tasks.

KeeJef commented

> If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.

> If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

> I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.

Understand, thanks for sharing! I'll wait for a week and follow up next Thursday.

Avast and AVG still report Oxen as a virus:

https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1

Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef

KeeJef commented

I'm yet to receive a reply from Avast unfortunately

> I'm yet to receive a reply from Avast unfortunately

Thank you very much. Would you mind sharing a bit more knowledge? The last time you contacted Avast about the false alarm for Android sessions, how long did it take to receive a reply, and how long did it take to resolve the false alarm?

I also sent a false positive report to AVG, and I received an email from support@help.avg.com a few days later. I'll post an update if there is any progress.

KeeJef commented

> Avast and AVG still report Oxen as a virus:
>
> https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1
>
> Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef

Still haven't received anything back from them; last time I got a response within a week.

I received an update from Avast:

> Along with the Avast virus specialist, we’ve checked the reported file and changed the threat detection to PUP (potentially unwanted program). The PUP detection is due to lack of compliance with Avast’s clean software policy.
>
> For more information, refer to this article: Avast Threat Labs - Clean guidelines
>
> If you are the owner of the reported file and want to change the detection to clean, feel free to contact us again for a new analysis as soon as the file matches the Avast guidelines.
>
> Thank you for understanding.

I rechecked https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1 and found that both AVG and Avast updated the status to PUP (potentially unwanted program).

@KeeJef

Update: both Avast and AVG have responded again and marked the Oxen wallet as valid:

AVAST

> Our virus specialists checked the situation again. Based on the findings, the GUI wallet has no violations, but the installed file in resources has the ability to start mining. Wallet detection will be removed, which will be reflected in Avast apps within 24 hours. The detection for the miner executable is evaluated from our side as valid.

AVG

> Along with AVG virus specialists, we've checked the reported file. Based on the findings, the detection was removed - https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1. The file is now marked as clean in the AVG virus database. This change may take up to 24 hours to take full effect. Please accept my apology for the inconvenience caused.

KeeJef commented

Ok great!

I'll contact the rest of false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors

For the record, AVG recommends that we follow their guidelines:

Cryptomining Behavior Guidelines

https://support.avg.com/SupportArticleView?l=en&urlname=avg-threat-lab-cryptomining-behavior-guideline

Mobile Application Clean Guidelines

https://support.avg.com/SupportArticleView?l=en&urlName=avg-threat-lab-mobile-application-clean-guideline&supportType=home

PC Application Clean Guidelines

https://support.avast.com/en-us/article/threat-lab-clean-guideline/#pc

Perhaps some of these guidelines could also be useful for Session/Lokinet as well.

from newvirus @ kaspersky.com

Ticket number [KL-2086153]

> Modules oxend.exe and oxen-wallet-rpc.exe are relying on RandomX algorithm. Feel free to remove the code no longer in use and the CryptoMiner classification should disappear on its own. If it doesn't - you can send us the updated build and we can evaluate it on our side.

from samples @ eset.sk

[TRACK#656814FD016B]

> Our detection is based on recognition of mining capabilities in the software. Please take into account that it does not matter whether mining is runnable or not, it is sufficient we can recognise the code for it. If only RandomX code in your software is responsible for mining and it is no longer used, it could be removed. If our detection persists after the removal of the code responsible for mining, it would be a false positive. As long as there are mining capabilities detected, the detection is correct from our point of view.

from http://mailcenter.rising.com.cn/filecheck_en

Ticket RS20231208101522055421

from support @ sophos.com

Ticket 07127730

Update:

I have contacted about 20 different vendors.

Previously, there were about 23 vendors marking the Oxen installer as not clean; now, there are only 9.

This number goes up and down a bit, as anti-virus vendors sometimes change their databases back and forth.

Oxen wallet

For the remaining 10 vendors marking Oxen as not clean:

  • Some insist on their label because they think Oxen is a miner. If we remove the RandomX code from Oxen and recompile, they will update their label. Good news is they don't think Oxen is a virus.
  • Some mark Oxen as not clean because our uninstaller didn't clean everything it should. If we update the uninstaller, they can update their label. Good news is they don't think Oxen is a virus either.
  • Some either cannot be contacted or haven't replied yet. They are listed on the wall of shame.

For the child files like oxen.exe and oxen-wallet-rpc.exe, there is still more work to do to convince some vendors to update their database.

The last good news is that I have learned some useful experience in communicating with anti-virus vendors. Hopefully, we won't need that skill in the future, but it would be beneficial if we follow those guidelines in the future for Session releases and Lokinet releases, even if we are going to abandon Oxen. In case there is any unfortunate future false alarm for Session/Lokinet, feel free to subscribe me to a GitHub issue, and I'll be glad to volunteer to contact anti-virus vendors.
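An added helper for tracking the vendor count described above as it goes up and down across re-scans. This is example code written for this thread, not code from oxen-core or from any AV vendor; the JSON layout is modelled on VirusTotal's v3 file-report shape (`data.attributes.last_analysis_results`, keyed by engine name), and the vendor names, labels and two sample reports are constructed for illustration, not the real scan results for the Oxen installer. It buckets each non-clean verdict as "miner", "pup" (the downgraded state Avast applied before clearing the wallet) or "other", and diffs two reports so you can see which vendors cleared, which flipped back, and which only relabelled.

```python
"""Summarise and diff VirusTotal-style file reports while chasing false positives."""
import json
from collections import Counter

# Constructed sample reports (assumption: v3 file-report JSON shape).
# Engine names, labels and counts are illustrative only.
REPORT_BEFORE = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "VendorA": {"category": "malicious",        "result": "Trojan/CoinMiner.dr"},
  "VendorB": {"category": "malicious",        "result": "Win32:CoinMiner-Q [Trj]"},
  "VendorC": {"category": "malicious",        "result": "PUP.Optional.BitCoinMiner"},
  "VendorD": {"category": "suspicious",       "result": "Suspicious.Cloud"},
  "VendorE": {"category": "undetected",       "result": null},
  "VendorF": {"category": "type-unsupported", "result": null}
}}}}
""")

REPORT_AFTER = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "VendorA": {"category": "malicious",        "result": "Trojan/CoinMiner.dr"},
  "VendorB": {"category": "suspicious",       "result": "PUP:Win32/CoinMiner"},
  "VendorC": {"category": "undetected",       "result": null},
  "VendorD": {"category": "undetected",       "result": null},
  "VendorE": {"category": "malicious",        "result": "Generic.Suspicious"},
  "VendorF": {"category": "type-unsupported", "result": null}
}}}}
""")

# Keyword hints used to bucket vendor labels; PUP wins over miner because a
# PUP verdict is the lower-severity state the vendor chose for the file.
PUP_HINTS = ("pup", "pua", "potentially unwanted", "not-a-virus", "riskware")
MINER_HINTS = ("miner", "coinminer", "bitcoinminer", "xmrig", "randomx")

NON_CLEAN = ("malicious", "suspicious")


def classify(label):
    """Bucket one vendor label as 'pup', 'miner' or 'other'."""
    text = (label or "").lower()
    if any(h in text for h in PUP_HINTS):
        return "pup"
    if any(h in text for h in MINER_HINTS):
        return "miner"
    return "other"


def flagged_engines(report):
    """Return {engine_name: label} for every engine whose verdict is not clean."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {name: r.get("result") for name, r in results.items()
            if r.get("category") in NON_CLEAN}


def summarise(report):
    """Count non-clean verdicts per bucket, e.g. Counter({'miner': 2, 'pup': 1})."""
    return Counter(classify(label) for label in flagged_engines(report).values())


def diff_reports(before, after):
    """Compare two scans: who cleared, who newly flags, who still flags, who relabelled."""
    old, new = flagged_engines(before), flagged_engines(after)
    still = sorted(set(old) & set(new))
    return {
        "cleared": sorted(set(old) - set(new)),
        "new": sorted(set(new) - set(old)),
        "still_flagged": {n: (old[n], new[n]) for n in still},
        "relabelled": {n: (old[n], new[n]) for n in still if old[n] != new[n]},
    }


def load_report(path):
    """Load a saved report JSON (e.g. fetched with your own VirusTotal API key)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    print("before:", dict(summarise(REPORT_BEFORE)))
    print("after: ", dict(summarise(REPORT_AFTER)))
    for key, value in diff_reports(REPORT_BEFORE, REPORT_AFTER).items():
        print(f"{key}: {value}")
```

Save each re-scan's JSON to disk and pass the two files through `load_report` and `diff_reports`; the "relabelled" entries are the ones worth quoting back to a vendor, since a move from a Trojan label to a PUP label usually means they have read your report but want a guideline issue fixed before clearing the file.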

KeeJef commented

Thanks for your work on this @venezuela01 🙏