ActivityWatch / activitywatch

The best free and open-source automated time tracker. Cross-platform, extensible, privacy-focused.
https://activitywatch.net/
Mozilla Public License 2.0

Submit false positives to antivirus vendors #181

Open az0 opened 6 years ago

az0 commented 6 years ago

I saw in past issues (e.g., #140) that people reported that the software is flagged by antivirus software, and that this is a reasonable estimate based on the heuristic of a keylogger.

The latest Windows zip is flagged by 9 scanners.

Would you please consider contacting the vendors to whitelist it? There is a contact list on techsupportalert and another list is available if you email VirusTotal.

ErikBjare commented 6 years ago

I don't think this needs to be done by the maintainers ourselves, so please feel free to do so on your own! :slightly_smiling_face:

1000i100 commented 6 years ago

Positive vote to send: activitywatch-v0.7.1-windows-x86_64.zip, aw-server.exe, aw-qt.exe, aw-watcher-window.exe, aw-watcher-afk.exe

pcuci commented 4 years ago

Well this is annoying :-) - it's happening on the 0.8.3 version, and so can't install the latest version of AW at work...


johan-bjareholt commented 4 years ago

@pcuci Please submit a false positive to Microsoft about that, we can't do anything else about it than that as Windows doesn't provide any safe APIs for us to use.

pcuci commented 4 years ago

For what it's worth, the admin team at work managed to add an exception, then asked me to execute the following steps to clear the antivirus cache and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run MpCmdRun.exe -removedefinitions -dynamicsignatures
  3. Run MpCmdRun.exe -SignatureUpdate

It appears that IT help-desks inside organizations have the ability to include antivirus exceptions. I don't know if these new malware definitions later go upstream to Microsoft, it may very well be the case, or not.

Hope this encourages others to negotiate with their IT/network/security teams :-)
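The steps above, gathered into one script as an added example (not something posted in this thread): it lists what Defender has recorded against the install directory, adds the path exclusion an admin has approved, then clears dynamic signatures and refreshes definitions. The install path under `$env:LOCALAPPDATA` is an assumption; adjust `$AwPath` for your machine.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell.
#Requires -RunAsAdministrator

$AwPath = Join-Path $env:LOCALAPPDATA 'Programs\ActivityWatch'   # assumed install location

# 1. Show detections Defender has recorded against files under that path
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($AwPath) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize

# 2. Map ThreatID values to threat names so the detection can be quoted in a report
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize

# 3. Add the path exclusion (mirrors the exception the admin team added above)
if (-not ((Get-MpPreference).ExclusionPath -contains $AwPath)) {
    Add-MpPreference -ExclusionPath $AwPath
}

# 4. Clear dynamic signatures and pull fresh definitions, as in steps 1-3 above
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -RemoveDefinitions -DynamicSignatures
& $MpCmdRun -SignatureUpdate

# 5. Confirm the exclusion is in place
(Get-MpPreference).ExclusionPath
```

Step 1 only reports; nothing is restored from quarantine. If the exclusion is managed by Group Policy the `Add-MpPreference` call succeeds but has no effect, which is why step 5 reads the effective preference back.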

johan-bjareholt commented 4 years ago

> It appears that IT help-desks inside organizations have the ability to include antivirus exceptions.

The only annoying thing is that if you ever update ActivityWatch you will likely have to go through the same procedure again.

ErikBjare commented 4 years ago

A more long-term solution might be to code-sign the releases (#666), or simply put it up on the Windows store.

wasinix commented 4 years ago

I am not able to run release 0.8.4 on my office PC. McAfee Endpoint Security is declaring ActivityWatch as ransomware and blocking processes and partially deleting files (aw-watcher-afk.exe).

Found several entries in the event log from McAfee, including details of what it thinks is evil, but as the logs are in German, I don't know if posting them here makes sense.

ErikBjare commented 3 years ago

Apparently AlternativeTo now shows a malware warning for ActivityWatch (reported in #493). Not sure what we can do about that.

However, someone dropped this link on the AlternativeTo page which gives a lot of nice details about why it's considered suspicious: https://www.hybrid-analysis.com/sample/beb047cb7583df66301493c613afe0d7bf6c62b5445eb38797b6fcf38d239afe/5e7cd780c49eaf4be46cde62

But alas, it only confirms what we already knew: it's all guesswork.

Edit: I've submitted the false positives to AVG and AegisLab (as per this VirusTotal report). We'll see if that does anything.

Edit 2: According to that hybrid-analysis report, apparently the presence of @julian's email is considered suspicious, lol.

Edit 3: I emailed AlternativeTo, we'll see what they reply.

Julian commented 3 years ago

Suspicious indeed.

ErikBjare commented 3 years ago

AlternativeTo replied to my email and have removed the warning. Thanks @timharek for reporting!

rakleed commented 3 years ago

I scanned all the files on VirusTotal and then reported false positives to anti-virus vendors for several months. As a result, most vendors have responded and fixed the issues, but some just haven't answered. The results can be viewed here: GitHub Gist - activitywatch_virustotal and backup link (although I haven't updated them for the last few weeks).

I tried to contact vendors using information from this repository (I also updated some data in it myself).

I also tried to solve the problem through VirusTotal support, but they helped at first, and then they began to ignore my requests.

But you can also try to contact them, perhaps due to the large number of complaints, they will still correct false positives.
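The scan-and-report loop rakleed describes, as an added example (not rakleed's gist or any project tooling): hash each executable in a release zip, look the hash up on VirusTotal, and list the engines that flag it so each vendor report can be tracked. It assumes a VirusTotal API v3 key in `$env:VT_API_KEY` and uses the v3 `files/{sha256}` endpoint; the zip file name is the one from the thread.

```powershell
# Added example, not from the thread. Requires a VirusTotal API key in $env:VT_API_KEY.
$ReleaseZip = 'activitywatch-v0.7.1-windows-x86_64.zip'   # file name taken from the thread

function Get-VtAnalysis {
    param([string]$Sha256)
    # GET /api/v3/files/{hash}; VirusTotal answers 404 if it has never seen the file
    try {
        Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/files/$Sha256" `
            -Headers @{ 'x-apikey' = $env:VT_API_KEY }
    } catch {
        $null
    }
}

function Get-FlaggingEngines {
    param($Analysis)
    # last_analysis_results is an object keyed by engine name; keep only the hits
    $results = $Analysis.data.attributes.last_analysis_results
    $results.PSObject.Properties |
        Where-Object { $_.Value.category -in 'malicious', 'suspicious' } |
        ForEach-Object { [pscustomobject]@{ Engine = $_.Name; Verdict = $_.Value.result } }
}

$tmp = Join-Path ([IO.Path]::GetTempPath()) 'aw-release'
Expand-Archive -Path $ReleaseZip -DestinationPath $tmp -Force

Get-ChildItem $tmp -Recurse -Filter '*.exe' | ForEach-Object {
    $sha = (Get-FileHash $_.FullName -Algorithm SHA256).Hash.ToLower()
    $analysis = Get-VtAnalysis $sha
    if (-not $analysis) {
        "$($_.Name) $sha : not on VirusTotal yet (upload it first)"
        return   # next file
    }
    $stats = $analysis.data.attributes.last_analysis_stats
    "$($_.Name) $sha : malicious=$($stats.malicious) suspicious=$($stats.suspicious) undetected=$($stats.undetected)"
    Get-FlaggingEngines $analysis | Format-Table -AutoSize
}
```

Rerunning the script after each vendor reply shows which engines have dropped the detection; engines whose verdict ends in `!ml` or similar heuristic suffixes are the ones most worth reporting first, since those are the machine-learning rules that later comments in this thread identify as the usual source of the false positives.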

nck974 commented 3 years ago

Hello, I was using version v0.10 and tried to update to v0.11, and I get the following in Firefox: [image]

tbertels commented 2 years ago

https://virusscan.jotti.org/en-US/filescanjob/clmvm45bbb

But still banned in Firefox and Chrome.

Based on https://developers.google.com/search/docs/advanced/security/malware it seems that the developer has to follow this procedure (Security Issues report): https://support.google.com/webmasters/answer/9044101

MaxJW commented 1 year ago

Similar issue found again for v0.12.2, was about to create a ticket but saw this! Is there a procedure for resolving this now?


rakleed commented 1 year ago

@MaxJW https://www.microsoft.com/en-us/wdsi/filesubmission

ErikBjare commented 1 year ago

@rakleed Thanks for linking, I just submitted v0.12.2

rdggithub commented 9 months ago

Avast flags v0.12.3b15

J05HM0N5TER commented 3 months ago

Windows Defender, ActivityWatch version v0.13.0. Was detected as Trojan:Script/Wacatac.B!ml, specifically the aw-qt.exe file. It was triggered during the install/update process, and was removed.

john30 commented 3 months ago

> Windows Defender, ActivityWatch version v0.13.0. Was detected as Trojan:Script/Wacatac.B!ml, specifically the aw-qt.exe file. It was triggered during the install/update process, and was removed.

Same here. Is there something suspicious in https://github.com/ActivityWatch/aw-qt? I didn't find anything obvious in the commits since v0.12.2 though; only the updates to PyQt6 6.5.3 and pyinstaller 6.6 might be candidates, I'd say.

ErikBjare commented 3 months ago

Trojan:Script/Wacatac.B!ml is a machine-learning guided rule (the !ml suffix) and commonly a false positive: https://superuser.com/a/1830913/247123

ErikBjare commented 2 months ago

I've submitted the v0.13.1 release to Microsoft as a false positive for Windows Defender.

Update 2024-06-18: The submission is still in progress after 8 days. Someone on the Discord mentioned MalwareBytes also complains. We should really start codesigning binaries on Windows, as I think that'd reduce the rate of these false positives from heuristics.

Update 2024-07-01: The submission is still in progress after 20+ days. "Submission details are retained for 30 days", so not sure that we'll get any confirmation/closure.

Update 2024-07-10: The submission has now expired and is no longer available...

lyc8503 commented 1 month ago

Usually code-signing can suppress these false positives from Machine learning rules.

However, #632 is still not resolved, and the releases I got from scoop are still unsigned and flagged as malware (10/79 on VirusTotal).

@ErikBjare Are there still plans to purchase certificates? If so, I'm guessing all we're missing is a CI configuration for code signing. Maybe I can issue a PR to complete the CI on GitHub Actions.

ErikBjare commented 1 month ago

@lyc8503 I will happily buy the cert if you or anyone else set up the necessary CI.

But please do set it up self-signed before I pay for the cert, a couple people have previously offered/attempted but churned on the task :)

lyc8503 commented 1 month ago

> But please do set it up self-signed before I pay for the cert, a couple people have previously offered/attempted but churned on the task :)

You're right, there's no guarantee I can get this done, but I'll give it a try next week when I have time!

lyc8503 commented 1 month ago

@ErikBjare Just made an attempt to sign the executables in PR #1092. Hopefully someone can test it, it looks like there are some other issues with the build process on the master branch right now.
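The self-signed-first approach agreed on above, as an added example that is not the code from PR #1092 or any ActivityWatch CI: create (or reuse) a self-signed code-signing certificate, sign every PE in an unpacked release, and verify the result. The release directory, certificate subject and choice of timestamp server are assumptions; the same script signs with a CA-issued certificate once `$cert` is loaded from a PFX instead.

```powershell
# Added example, not the project's CI. Self-signed certificate, swapped for a CA-issued one later.
$ReleaseDir = '.\dist\activitywatch'                 # assumed layout of the unpacked release
$Subject    = 'CN=ActivityWatch self-signed test'    # assumed subject for the test certificate
$Timestamp  = 'http://timestamp.digicert.com'        # public RFC 3161 timestamp server

# Reuse an existing test certificate from the user store, or create one
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
        Where-Object Subject -eq $Subject | Select-Object -First 1
if (-not $cert) {
    $cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
        -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(1)
}
# In CI with a purchased certificate, replace the block above with something like:
#   $cert = Get-PfxCertificate -FilePath $env:SIGNING_PFX   (prompts for the password)

# Sign every PE in the release; the files named earlier in the thread are all .exe
$targets = Get-ChildItem $ReleaseDir -Recurse -Include '*.exe', '*.dll'
foreach ($f in $targets) {
    $sig = Set-AuthenticodeSignature -FilePath $f.FullName -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer $Timestamp
    '{0,-28} {1}' -f $f.Name, $sig.Status
}

# Verify: a self-signed cert yields UnknownError (chain ends in an untrusted root),
# a CA-issued cert yields Valid, and NotSigned means a file was missed above.
Get-ChildItem $ReleaseDir -Recurse -Include '*.exe', '*.dll' |
    Get-AuthenticodeSignature |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Status, StatusMessage |
    Format-Table -AutoSize
```

The verification pass is the part worth keeping in CI even while the certificate is self-signed: it fails the build on any `NotSigned` file, so the pipeline is known to cover every binary before money is spent on a certificate. A self-signed signature by itself does not change how Windows or antivirus heuristics treat the files; only the CA-issued certificate does that.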