Solve False Malware Detections on Snap Hutao 1.9.8 and Later Versions

[Masterain98]

Background & Motivation

Starting from Snap Hutao 1.9.8, multiple anti-virus platforms detect the MSIX packages as malware. This was unexpected because there was no change in code associated with dangerous features in Snap Hutao. The biggest change in 1.9.8 was the embedded Windows App SDK upgrade. The false detection may also be caused by sensitive operations in older code, such as Registry operations, but the real reason is unknown.

Due to false detections, Google has blocked the download of MSIX assets from the GitHub release page. Removing false detection is important at this phase to avoid unnecessary concern for new users.

Two major false detections are coming from Microsoft Windows Defender and Google Web Security. Microsoft Windows Defender is the default Windows anti-virus program and it deletes Snap Hutao msix package, and also blocks download if user is using Microsoft Edge browser. Google Web Security is the default anti-virus scanner embedded in Google Chrome and Firefox, they share the very most of the browser market.

Detail of the Feature

Timeline of Actions

• 03/12 - version 1.9.8 released
• 03/18 - First report of detected as malware by Windows Defender #1499
• 03/19 - We submitted a incorrect detection report to the Microsft Security Intelligence platform
• 03/19 - Microsft Security Intelligence auto scan reports threat by the cloud engine
• 03/21 - Microsoft replied on the report

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate" Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

Scan results have also been updated; no threat found until today. There is no stop warning if you download the MSIX package from GitHub with the Edge browser. Same situation also apply on version 1.9.9.

• 03/29 - version 1.9.9 released
• 03/30 - received user report that downloading through Firefox is blocked as the MSIX is marked as malware
• 03/31 - Confirmed that Firefox is using Google Web Security engine as the scanner; and Chrome users have the same issue
• 04/01 - Submitted Report a Security Issue form to Google. Because we are not the owner of the github.com domain, we are not allowed to submit a security appeal to Google directly.'
• 04/07 - community#118192'
• 04/16 - Another report on the Windows Defender false detection is reported through #1553; submitted review request to Microsoft, waiting for a response.
• 04/16 6:31 PM PST - Microsoft has confirmed the false detection has been removed

[ronmurphy]

When I downloaded the source code and compiled it, using nuget to grab any missing packages, it compiled easily and Windows Defender did not raise any issues, even after I specifically made Defender scan the newly build exe file. Good work on this app, it is going to replace paimon.moe and a multi-client genshin login manager that I was using, and it is by far the best looking genshin 3rd party utility app I have seen so far.

[github-actions[bot]]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related topic.