KRTirtho / spotube

🎧 Open source Spotify client that doesn't require Premium nor uses Electron! Available for both desktop & mobile!
https://spotube.krtirtho.dev/
29.49k stars 1.21k forks

Tagged as W32.AIDetectMalware by vendor Bkav Pro on VirusTotal #673

Open Skyhawk1207 opened 1 year ago

Skyhawk1207 commented 1 year ago

Is there an existing issue for this?

Current Behavior

Scanning Spotube-windows-x86_64-setup.exe for version 3.1.1 on Virus total shows mostly clean results except for one vendor Bkav Pro which shows the malware W32.AIDetectMalware.

[screenshot: VirusTotal results for Spotube-windows-x86_64-setup.exe]

Expected Behavior

This vendor should not be tagging the app as a malware as it reduces trust in the application.

Steps to reproduce

  1. Downloaded version 3.1.1 for Windows from Website as well as from Github Releases.
  2. Scanned it on VT.

Operating System

Windows 11

Spotube version

3.1.1

Installation source

Website (spotube.netlify.app) or (spotube.krtirtho.dev), GitHub Releases (Binary)

Additional information

No response
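The reproduction above is "download the installer, scan it on VT". An added example of how a practitioner would do the same thing without uploading the file and without eyeballing the result page: hash the download locally, build a VirusTotal v3 hash-lookup request, and reduce the per-engine verdicts to a flagged-engine list and ratio. This is not Spotube project code; the report embedded below is a constructed stand-in for a VT v3 `files/{sha256}` response (only the fields used here are present, engine names other than the two from this thread are made up), and the false-positive threshold is the author's rule of thumb, not a VirusTotal feature.

```python
"""Hash a downloaded installer and triage a VirusTotal v3 file report.

Added example, not Spotube code. SAMPLE_REPORT is constructed: it mimics the
shape of GET https://www.virustotal.com/api/v3/files/{sha256} (v3 API) but
contains only the fields this script reads.
"""
import hashlib

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the installer bytes. Looking up by hash avoids uploading
    the file to VT at all (and shows whether anyone has already scanned the
    exact same bytes you were served)."""
    return hashlib.sha256(data).hexdigest()


def vt_lookup_request(sha256: str, api_key: str) -> tuple[str, dict]:
    """Build the (URL, headers) pair for a v3 hash lookup. The request is not
    sent here so the example runs offline; pass the pair to any HTTP client."""
    return VT_FILE_URL.format(sha256=sha256), {"x-apikey": api_key}


def summarize(report: dict) -> dict:
    """Collapse per-engine verdicts into: engine count, {engine: detection
    name} for every malicious/suspicious verdict, and the flagged ratio."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {
        engine: verdict.get("result")
        for engine, verdict in results.items()
        if verdict.get("category") in ("malicious", "suspicious")
    }
    total = len(results)
    return {
        "total_engines": total,
        "flagged": flagged,
        "ratio": (len(flagged) / total) if total else 0.0,
    }


def likely_false_positive(summary: dict, max_ratio: float = 0.05) -> bool:
    """Author's heuristic (assumption, not a VT rule): a few hits among many
    clean engines, especially from generic/heuristic families, is the usual
    shape of a false positive and should trigger a vendor FP report rather
    than an incident. Zero hits is simply 'clean', not 'FP'."""
    return 0 < summary["ratio"] <= max_ratio


def _constructed_report() -> dict:
    # Constructed sample: 48 clean engines plus the two named in this thread.
    results = {
        f"Engine{i:02d}": {"category": "undetected", "result": None}
        for i in range(48)
    }
    results["Bkav Pro"] = {"category": "malicious", "result": "W32.AIDetectMalware"}
    results["MaxSecure"] = {"category": "malicious", "result": "Trojan.Malware.300983.susgen"}
    return {"data": {"attributes": {"last_analysis_results": results}}}


SAMPLE_REPORT = _constructed_report()

if __name__ == "__main__":
    digest = sha256_hex(b"constructed installer bytes, not the real setup.exe")
    url, headers = vt_lookup_request(digest, "YOUR_VT_API_KEY")
    print("GET", url, "with header", list(headers))
    s = summarize(SAMPLE_REPORT)
    print(f"{len(s['flagged'])}/{s['total_engines']} engines flagged:", s["flagged"])
    print("likely false positive:", likely_false_positive(s))
```

If the hash lookup returns 404 the exact bytes you downloaded have never been seen by VT, which is itself a useful signal when the project publishes the same binary through several channels: a release that differs from the WinGet or Chocolatey copy deserves a closer look before you blame the scanner.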

KRTirtho commented 1 year ago

The same app binary is published in Microsoft's official WinGet and Chocolatey package managers. Both of these have super strict virus scanning and human moderators. Also, every binary was built and released through GitHub Actions workflows, so no doubts there as well.

Thus, I think we can conclude this is a false positive. Or there's a chance your system is infected with that malware, which infected the executable.

meenbeese commented 1 year ago

I can confirm this with the 3.1.1 release for Windows as well. 2 engines (Bkav Pro and MaxSecure) are detecting the program as malware for some reason.

Some IP addresses contacted by Spotube and some dropped files are flagged too. I can't say for sure that signing the program would solve everything, but it would surely help.

Check the analysis: www.t.ly/HPqE9

meenbeese commented 1 year ago

Also, duplicate of #613

KRTirtho commented 1 year ago

This is funny as hell. I resolved the domain names for the "flagged" IPs:

  - 192.229.211.108 => ocsp.digicert.com
  - 20.99.184.37 => No domain (but directly from Microsoft Azure)
  - 23.216.147.64 => Unresolved, but shows it's from Seattle (owned by Akamai)
  - 23.216.147.76 => Same as above
  - 35.186.224.25 => 25.224.186.35.bc.googleusercontent.com

Detected dropped files:

  - is-LN0V7.tmp => Spotube never creates this file. Probably inno-installer uses it.
  - Spotube-windows-x86_64-setup.tmp => This is a temp download segment file. It's usually done by segmented file downloaders. It has nothing to do with Spotube at all. Wonder why that would even be flagged.
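The comment above does the triage by hand: reverse-resolve each "contacted" IP and ask whether the dropped files are the installer's own artifacts. An added example of the same triage as a script, not Spotube project code. Reverse DNS is done with `socket.gethostbyaddr`, but the resolver is injectable and the default used in the demo is a constructed PTR table copied from the lookups in this thread, so the script runs offline. The hostname patterns for OCSP/CRL responders and the Inno Setup `is-XXXXX.tmp` / `<setupname>.tmp` layout are the author's expectations, stated as such in the code.

```python
"""Classify the contacted IPs and dropped files a sandbox attributes to an
installer run. Added example, not Spotube code.

Assumptions (author's, not from the thread):
  - hostnames starting ocsp*/crl* are certificate-revocation lookups made by
    the OS or installer while validating a signed binary, i.e. sandbox noise;
  - Inno Setup's bootstrapper unpacks into a %TEMP%\\is-XXXXX.tmp directory
    and writes a <setupname>.tmp copy of the installer there.
"""
import re
import socket
from typing import Callable, Iterable, Optional

Resolver = Callable[[str], Optional[str]]

# Hostname shapes that mean "certificate validation traffic", not app traffic.
CERT_INFRA = re.compile(r"^(ocsp|crl)\d*\.", re.IGNORECASE)
# Inno Setup unpack directory name: is-<5 alphanumerics>.tmp
INNO_UNPACK_DIR = re.compile(r"^is-[A-Z0-9]{5}\.tmp$", re.IGNORECASE)


def reverse_dns(ip: str) -> Optional[str]:
    """Live PTR lookup; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


# Constructed PTR table reproducing the reverse lookups quoted in the thread.
# IPs with no PTR (the Azure and Akamai ones) are deliberately absent.
CONSTRUCTED_PTR = {
    "192.229.211.108": "ocsp.digicert.com",
    "35.186.224.25": "25.224.186.35.bc.googleusercontent.com",
}


def table_resolver(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def classify_ip(ip: str, resolve: Resolver = reverse_dns) -> tuple[str, Optional[str]]:
    """Return (verdict, hostname). Unresolved IPs are not 'bad', they just
    need an ASN/WHOIS check instead of a hostname check."""
    host = resolve(ip)
    if host is None:
        return "unresolved: check ASN/WHOIS owner", None
    if CERT_INFRA.match(host):
        return "certificate validation (OCSP/CRL), expected", host
    return "review: not a known infrastructure pattern", host


def classify_dropped(name: str, installer_exe: str) -> str:
    """Match a dropped-file name against the installer's own artifacts."""
    stem = installer_exe.rsplit(".", 1)[0]
    if INNO_UNPACK_DIR.match(name):
        return "Inno Setup unpack directory, expected"
    if name.lower() == (stem + ".tmp").lower():
        return "installer's own .tmp copy, expected"
    return "review: not an installer artifact"


def triage(ips: Iterable[str], files: Iterable[str], installer_exe: str,
           resolve: Resolver = table_resolver) -> dict:
    return {
        "ips": {ip: classify_ip(ip, resolve) for ip in ips},
        "files": {f: classify_dropped(f, installer_exe) for f in files},
    }


if __name__ == "__main__":
    report = triage(
        ["192.229.211.108", "20.99.184.37", "35.186.224.25"],
        ["is-LN0V7.tmp", "Spotube-windows-x86_64-setup.tmp", "payload.dll"],
        installer_exe="Spotube-windows-x86_64-setup.exe",
    )
    for ip, (verdict, host) in report["ips"].items():
        print(f"{ip:16} {host or '-':42} {verdict}")
    for name, verdict in report["files"].items():
        print(f"{name:36} {verdict}")
```

Pass `resolve=reverse_dns` to run the live lookups against a real sandbox report; the constructed table is only there so the demo is reproducible. Anything the script marks "review" still has to be investigated by a human, the point is to stop spending that attention on OCSP responders and the installer's own temp files.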

KRTirtho commented 1 year ago

The 80% flagged stuff are things that the sandbox is using to verify Spotube's integrity.