FiniteSingularity / obs-stroke-glow-shadow

An OBS plugin to provide efficient Stroke, Glow, and Shadow effects on masked sources.
GNU General Public License v2.0

[ISSUE] Plug-in is a false-positive as malicious software for some security vendors on VirusTotal #31

Open odorizzioficial opened 8 months ago

odorizzioficial commented 8 months ago

Hello friend, I saw a video of this plugin on YouTube and I thought it was interesting, but I always check before downloading... is it a virus? Or a false positive? Or did some expert put it up? I thought it was interesting to let you know :/ [screenshot: 2023-10-29_02-27]

FiniteSingularity commented 8 months ago

Hi @odorizzioficial -

Thank you for opening the issue. The short of it is, this is a false positive, and I've reported to both SecureAge and Trapmine.

The longer version is as follows: both the SecureAge and Trapmine checks are ML algorithms, and for unknown packages (e.g. new software like this plugin) they use a heuristic approach, where they look for similarities between the new package and known viruses/trojans. Unfortunately, many malicious pieces of code use installers, such as the Inno Setup installer that this plugin uses, and in the case of the stroke/glow/shadow plugin, just the act of wrapping it in an installer makes it "close enough" to trigger the heuristic positive. You'll notice that if you submit the non-installer version (either the zip file, or the .dll that is installed), no vendors flag it as malicious (you'll also notice SecureAge and Trapmine are unable to scan it, as they only support scanning .exe files, which here is just the installer).

What I have done to try to fix this: I've reached out to both SecureAge and Trapmine to report a false positive. SecureAge did take it off the list for the prior version, but every time I change the code (e.g. submit an update) it re-fingerprints the new version as malicious. Trapmine, on the other hand, never even responded. Originally this was causing an issue where, on some random machines, Windows Defender was refusing to install the software, so I purchased an organizational code signing certificate and have integrated it into the build action here on GitHub.

At this point there isn't much I can do to stop the builds from showing up as false positives with SecureAge and Trapmine; however, being heuristic ML algorithms, they are somewhat notorious for causing false positives, specifically for installers (as is the case here). I hope that helps you feel better about the .exe version, and if not, there is the .zip manual install, which is not flagged as a false positive.
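The comment above rests on two checks a user can repeat: compare the VirusTotal verdicts for the installer against those for the .zip/.dll, and see whether the only engines flagging the .exe are the heuristic/ML ones. The script below is an added example, not code from the obs-stroke-glow-shadow project or its author. It follows the shape of a VirusTotal API v3 file report (`data.attributes.last_analysis_results`, one entry per engine with a `category`), but the two reports embedded here are constructed: the engine names `SigEngine1`..`SigEngine3` are placeholders, and the `max_flags` threshold and the set of "heuristic engines" are assumptions you supply, not anything VirusTotal defines.

```python
"""Judge a suspected VirusTotal false positive by comparing artifacts.

Added example (not project code). Report layout mirrors the VirusTotal API v3
/files/{sha256} response; the sample reports below are constructed.
"""
import hashlib
from collections import Counter

# Categories VirusTotal uses for engines that did not actually render a verdict.
NOT_SCANNED = {"type-unsupported", "timeout", "failure"}
FLAG_CATEGORIES = {"malicious", "suspicious"}


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 hex digest; this is the identifier you look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Stream a local artifact (installer, zip or dll) to get its lookup hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize(report: dict) -> dict:
    """Reduce a v3 file report to: which engines flagged it, how many engines
    actually scanned it, and a per-category tally."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = sorted(name for name, r in results.items()
                     if r["category"] in FLAG_CATEGORIES)
    scanned = sum(1 for r in results.values() if r["category"] not in NOT_SCANNED)
    return {"flagged": flagged, "scanned": scanned,
            "categories": dict(Counter(r["category"] for r in results.values()))}


def is_plausible_false_positive(summary: dict, heuristic_engines: set,
                                max_flags: int = 3) -> bool:
    """Assumed rule of thumb: a handful of flags, all from engines you know to use
    ML/heuristic scoring, while every other engine that scanned the file is clean.
    Zero flags is simply 'clean', not a false positive."""
    flagged = summary["flagged"]
    return 0 < len(flagged) <= max_flags and all(e in heuristic_engines for e in flagged)


def compare_artifacts(reports: dict) -> dict:
    """artifact name -> engines flagging it. The observation in the thread is that
    only the installer is flagged while the .zip/.dll builds of the same code are not."""
    return {name: summarize(rep)["flagged"] for name, rep in reports.items()}


def _report(verdicts: dict) -> dict:
    """Build a minimal v3-shaped report from {engine: category}. Constructed data."""
    return {"data": {"attributes": {"last_analysis_results": {
        engine: {"category": cat, "result": "Malicious" if cat == "malicious" else None}
        for engine, cat in verdicts.items()}}}}


# Constructed sample: installer flagged by the two ML engines only; the .dll is
# clean, and those two engines cannot scan a .dll at all (type-unsupported).
INSTALLER_REPORT = _report({"SecureAge": "malicious", "Trapmine": "malicious",
                            "SigEngine1": "undetected", "SigEngine2": "undetected",
                            "SigEngine3": "undetected"})
DLL_REPORT = _report({"SecureAge": "type-unsupported", "Trapmine": "type-unsupported",
                      "SigEngine1": "undetected", "SigEngine2": "undetected",
                      "SigEngine3": "undetected"})
HEURISTIC_ENGINES = {"SecureAge", "Trapmine"}  # assumption taken from the thread


if __name__ == "__main__":
    for name, rep in {"installer.exe": INSTALLER_REPORT, "plugin.dll": DLL_REPORT}.items():
        s = summarize(rep)
        print(f"{name}: {len(s['flagged'])}/{s['scanned']} engines flag it -> {s['flagged']}")
        print("  plausible heuristic false positive:",
              is_plausible_false_positive(s, HEURISTIC_ENGINES))
```

To use it on a real release, hash each downloaded artifact with `sha256_of_file`, fetch the report for that hash from the VirusTotal v3 `files` endpoint with your own API key, and pass the parsed JSON to `summarize`; a result where the installer is flagged only by the ML engines and the unpacked .dll is clean matches the pattern described above, whereas any signature-based engine flagging the .dll itself deserves a closer look.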

odorizzioficial commented 8 months ago

I see, thanks a lot for the explanation, buddy, but it's good to leave an observation, because many people stop downloading out of fear; you know how it is nowadays. But thanks, man, it was just to warn you... hug, and great plugin.

FiniteSingularity commented 8 months ago

No problem. You are absolutely correct that people do get nervous with this kind of thing (for good reason). I am going to leave this issue open, and if anyone has any thoughts on how to fix this, please feel free to comment.