Marked as malware by anti malware (false positive) #131
Comments
|
Yea each freaking update keeps having false positives #124 it started happening after I added an extension that made so I don't have to also ship dll files. They are inside the executable instead. Feels like this is going to keep happen I might have to remove this and readd all the dll files |
|
Interesting, I went back to 1.15.1 because it was not being false detected. I wonder why some people get detections on certain versions but others don't. I also never got a detection on 1.15.0 as listed in that posted. |
|
No both 1.15.1 and 1.15.0 were also false positives |
|
How about having CI to get VirusTotal results on release? |
|
Well would that help that defender keeps flagging it positive? |
Strange, they aren't flagged on my system. I just re-scanned them both specifically and Defender didn't make a peep. |
|
Well they were on release |
same here. only latest update gets detected |
|
Same issue with 1.15.3 |
@ElPumpo Probably not, BUT it would hopefully stop people from opening issues about false positives when they can click to see the scan results. Maybe consider using their |
|
Interesting. I will take a look into this and implement some auto upload thing |
|
Possibly fixed with new .NET single file thing. |
|
Hi and happy new years. I have migrated from .NET Framework to .NET now which has a "Produce single file" feature. I am just guessing that it will solve the false positives that Costura.Fody previously introduced. TinyNvidiaUpdateChecker 1.15.5 beta 1.zip Please try this new version out I am thankful for the feedback |
Hmm, it just flashes momentarily on the screen and then is gone for me. |
|
Yea this beta requires .NET Runtime 7. Try running the tool in a command prompt such as CMD to see the error |
|
I installed 7.0.1 .NET Runtime and still just a flash pops up. I can't get the app to run in CMD or Powershell either, it doesn't like it. |
|
Yes but did you install both x86 and amd64 Runtime? |
|
Ummm no, you didn't mention that XD. Do you mean x86 and x64? I installed x64. Are you sure you don't mean the full SDK? Now it's freaking out about framework, which runtime doesn't come with hahahaha Best to link to the exact installer you think I should run, since we are having some miscommunication here. |
|
No dont install the SDK just the runtime I belive haha. I will probably publish framework independent.. Yes install both x64 and x86. The tool is built for x86 but you prob need both |
I tried that, but it still doesn't run. Like I said, it then mentions a missing framework. |
|
Okay yea I messed up there. Will release a new beta that is framework independent. But no false positives right? |
|
No, no false positives! :) |
|
Good! |
|
I got it to run by installing the full SDK, which includes 3 runtimes (.NET Runtime 7.0.1, ASP.NET Core Runtime 7.0.1 and .NET Desktop Runtime 7.0.1), although the one it seemed to actually want was the ASP.NET Core and not the .NET Runtime. I just installed only .NET SDK x86 version 7.0.1, so no need for the x64 currently. |
|
🙏😂 good. I will see about releasing framework independent. Good thing this beta was shared so this wouldnt appear later |
|
Good but I belive this issue now can be closed as it no longer is an issue. |
|
Still an issue... |
|
This is now being flagged for v1.16.3 too. |
|
Can you show me |
|
|
@ElPumpo maybe some of this will be clues to why the false positive triggers: https://www.hybrid-analysis.com/sample/9024318d65a28d5c244a4022ae3e16bbde26eb762ba14942021d27f15f7f49eb/63dab89d34fe65742f11fbfd |
|
Thanks for the website I did not know it existed! So my commented code With the credits for the github gists is the cause of all of this?! Lol |
|
Well if that's really the cause here, we can blame a bad YARA rule, and that would be a really stupid thing to trigger it. There are lots of sites for malware analysis, but not many free ones, especially that tell you exactly which rulesets trigger, instead of just a heuristic signature. H-A is one of the better ones in my opinion. Any.run is a good competitor, but only really decent to get a quick look at what malware is dropping and contacting, unless you pay. |
|
Okay cool. I sent a new version I built without that gist url for analysis I'll post the results when they are in |
|
accually its the nvidia-data metadata URL being flagged. But I can replace the URL with
I have now built and uploaded for analysis. Let's wait and see the results. Because I belive this issue came when I added the metadata repo.. UPDATE: Here's analysis for v1.16.4 |
ElPumpo
changed the title
|
It's still showing some false positives, but it's gone from 20% detection rate to 7%, wonderful! |
|
Yes the MetaDefender still is at 7%. I have contacted both Bitdefender and Emsisoft about this to resolve the false positive. |
|
Defender just flagged 1.16.4 for me. That's the first time any release has been flagged on this Win 11 machine, and I know I've installed versions 1.15.4, 1.16.1 and 1.16.3 without incident (and probably a few more, but those are the binaries I still have on hand).
|
|
The analysis for v1.16.4 is marked as clean "Anti virus results" by Hybrid Analysis
But still Falcon sandbox reports reports 1 virus indicator..
Which makes no sense at all! |
|
I just tried downloading 1.16.4 again, via the prompt from 1.16.3, and this time it downloaded and installed without triggering Defender. 🎉 |
|
@ElPumpo that is telling you that it's not triggering directly, but that other AV engines still flagged it. If it sees even false positives, it will warn on it, just in case. It's better to be overzealous with scanning and warning when you're trying to hunt elusive malware. |
|
Ah okay but totally obfuscated code is not marked as malware by these sites? So if I just obfuscate it all then silly problem solved So weird |
|
Usually the obfuscation is picked up itself, and adds HUGE bulk to the program, but yeah that's the nature of hunting malware ._. |
|
Let's see if v1.16.5 will have the same issue still... https://www.virustotal.com/gui/file/7ddd1e5ccdbaca211e3f894c0ad250ec36dce80dc547a63f426da3a3e0db3a46 |
|
Perhaps the simple thing that the file is not signed is causing all of this? But I belive signing exe costs money right? |
|
Closing due to no activity |
As per the title, the latest update is being flagged by Window Defender as a severe trojan. The previous version (1.15.1) was not flagged, and no previous version has either.
You may want to look into this and change whatever you did that made it start to flag on this version only.
Win32/Bearfoos.B!ml
The text was updated successfully, but these errors were encountered: