AYasinAkalin / MELE_quickIniEditor

A terminal application allowing users and modders to modify .ini and Coalesced_*.bin files of ME Legendary Edition easily without replacing the whole file and losing earlier modifications in the process. (ME3 is not supported.)
GNU General Public License v3.0
3 stars 0 forks

Try to overcome Nexusmods.com’s suspicious file found message #5

Open AYasinAkalin opened 3 years ago

AYasinAkalin commented 3 years ago

Current builds uploaded to Nexusmods.com are tagged as 'some suspicious files'. This also disables mod downloads until site moderation manually allows it for download after an e-mail.

Since there is no malicious code and no insecure dependencies used, I have four suspects:

  1. Lines calling PowerShell scripts from cli.bat

  2. Bundled 7zip extra. It has one .reg file.

  3. Bundled LECoal's binary file.

  4. Shipped .exe since it is not digitally signed.

AYasinAkalin commented 3 years ago

Virustotal.com's scan revealed that the security vendor Jiangmin detects Trojan.PSW.Python.cu in quickIniEditor.exe. 62 other security vendors don't report any security issues. So it is a mystery why this is happening.

quickIniEditor.exe is created with the `python setup.py py2exe` command.

There are two other reports [1][2] of the same situation.

AstralStorm commented 1 year ago

Additionally, Windows Defender triggers a machine-learning trojan detection if cloud detection is enabled. These are all false positives, as some trojans, cryptominers and ransomware have used py2exe or PyInstaller for a build.

There are two known ways around it. One is to code-sign the executable (not free); the other, less reliable, is to use a cleanly built PyInstaller (not their executable from the site) or to use Nuitka, which also builds the bootloader from scratch. These are less likely to match against the original build and get flagged.
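Two of the points raised in this thread can be checked offline before uploading a build: whether the shipped .exe carries an Authenticode certificate table at all (suspect 4 in the first comment, and the code-signing fix in the last one), and the SHA-256 that VirusTotal indexes the file under. The script below is an added example, not code from MELE_quickIniEditor or from either commenter. It parses the PE headers directly with the standard library; `build_minimal_pe` is a constructed toy PE32+ image used only as sample input (its certificate blob is a placeholder, not real PKCS#7), and the function names are this example's own.

```python
"""Offline triage of a built Windows executable: is an Authenticode
certificate table attached, and what is the file's SHA-256?

Added example; it does not validate the signature, it only detects whether
one is present in the PE security directory.
"""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the certificate table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode uses PKCS#7 SignedData


def pe_security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None if empty.

    Raises ValueError when the bytes are not a PE image at all.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at offset 96
        dd_start = opt + 96
    elif magic == 0x20B:      # PE32+: data directories start at offset 112
        dd_start = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes sits immediately before the directory table.
    num_rva = struct.unpack_from("<I", data, dd_start - 4)[0]
    if num_rva <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = dd_start + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return None
    # Unlike other directories, the security entry holds a raw file offset.
    offset, size = struct.unpack_from("<II", data, entry)
    if offset == 0 or size == 0:
        return None
    return offset, size


def is_authenticode_signed(data: bytes) -> bool:
    """True if a well-formed WIN_CERTIFICATE of PKCS#7 type is attached."""
    sec = pe_security_directory(data)
    if sec is None:
        return False
    offset, size = sec
    if size < 8 or offset + 8 > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return (cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA
            and 8 < length <= size
            and offset + length <= len(data))


def sha256_hex(data: bytes) -> str:
    """Whole-file SHA-256, the hash VirusTotal indexes uploads under."""
    return hashlib.sha256(data).hexdigest()


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed sample input: a tiny, non-runnable PE32+ header image.

    With signed=True a placeholder WIN_CERTIFICATE blob is appended and the
    security directory is pointed at it (assumption: not a real signature).
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header
    size_opt = 112 + 16 * 8                          # PE32+ fixed part + dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + size_opt
    win_cert = b""
    if signed:
        cert_body = b"\x30\x82" + b"\x00" * 30        # placeholder, not PKCS#7
        win_cert = struct.pack("<IHH", 8 + len(cert_body), 0x0200,
                               WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_body
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    for label, sample in (("unsigned", build_minimal_pe(False)),
                          ("signed", build_minimal_pe(True))):
        print(label, sha256_hex(sample), is_authenticode_signed(sample))
```

On a real build you would read the file bytes and pass them in; a `False` result on a py2exe output is what both commenters expect, since nothing in that toolchain signs the executable. Presence of a certificate table says nothing about its validity: for that, use `Get-AuthenticodeSignature` in PowerShell or `signtool verify /pa` on Windows.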