MalloyDelacroix / DownloaderForReddit

The Downloader for Reddit is a GUI application with some advanced features to extract and download submitted content from reddit.
GNU General Public License v3.0
507 stars, 48 forks

Windows 10 built in virus detection flagged it as Trojan:Win32/Zpevdo.B #234

Closed GrandizerGo closed 2 years ago

GrandizerGo commented 3 years ago

At about 2230 last night I received a virus warning and Windows 10 flagged the executable as a virus with Trojan:Win32/Zpevdo.B as the source. It quarantined both the program and the shortcut.

skykiing commented 3 years ago

Virustotal throws 16/57 FWIW https://i.imgur.com/tuI11ul.png

eragon9896 commented 3 years ago

Can confirm. Also happened on my machine.

Cvnvr commented 3 years ago

Yup, just got Trojan warning after trying to run the .exe on latest version

iratekalypso commented 3 years ago

https://github.com/MalloyDelacroix/DownloaderForReddit/compare/v3.10.2-beta...v3.10.3-beta Uncertain why these changes would trigger what I am assuming is the false positive.

iratekalypso commented 3 years ago

Also, it is now being flagged as Trojan:Win32/Wacatac.B!ml

daephx commented 3 years ago

My windows defender: Program:Win32/Wacapew.C!ml

GrandizerGo commented 3 years ago

Obviously this program is making someone mad, it got flagged as another new virus. This makes 6 different viruses on my system alone, all from Windows Defender, Malwarebytes has not seen it. It keeps getting deleted each time. So unless the program is mutating like a variant, something is up. Can the owner / maker contact Microsoft and complain about the program being flagged erroneously?

zacker150 commented 3 years ago

Hello, everyone.

I can shed some light on the situation. Currently, DFR is packaged using the pyinstaller. Unfortunately, pyinstaller seems to have some issues with antivirus false positives.

I will try to implement this workaround to resolve the issue.

zacker150 commented 3 years ago

In the meantime, I've submitted the latest build to Microsoft as a false positive.

zacker150 commented 3 years ago

Update: I attempted the workaround, but several antivirus vendors are still flagging it as malicious.

OrpheusXx commented 3 years ago

When using Firefox to download the release from github, it warns me that it could be a malicious program.

zacker150 commented 3 years ago

Unfortunately, Microsoft has decided that the detection is correct.

Prometheia commented 2 years ago

Has this issue been resolved? Or is it unresolvable?

MalloyDelacroix commented 2 years ago

Can someone who has experienced this issue confirm if this is still an issue as of the newest version? My machine is not reporting the new executable as a virus.

Prometheia commented 2 years ago

The latest version (3.12.0-beta) seems to resolve this issue. Thank you!

Prometheia commented 2 years ago

Nevermind, it's still being flagged and removed by Windows Defender. It was working earlier today. WD must have scanned shortly after I tested the downloader and flagged it for removal.

thany commented 2 years ago

Let's be advocate of the devil for a bit: Perhaps it isn't a false positive. If pyinstaller is the problem, it's possible that it truly does contain a virus, since it is essentially a third-party program and you cannot know with 100% certainty. I wouldn't trust it if I wasn't absolutely genuinely 100% positively sure that I had solid proof that it isn't a virus. If even a slightly popular installer had such a problem, it would have been solved by now. So I choose not to trust it.

And it goes without saying that with a virus warning popping up, you're not only keeping users from installing the program, you're keeping (some) users from ever installing the program again in the future. All the more reason to put some priority behind this issue. It's literally blocking (highest possible) priority, which in my line of work means "you don't work on anything else until this is fixed" - might be different in other teams though.

Moreover, keeping this program in beta because of that, basically means a "stable" release is blocked by a third party tool, which is far from ideal. You can easily make a stable release without an installer.

Switching to a different installer might help. MSI is quite popular, and reasonably powerful. There are others though, take a pick.

zacker150 commented 2 years ago

I did some digging, and it appears that the .[Letter]!ml suffix means that it's a detection from Microsoft's machine learning based heuristics. More generally, it appears that the detections are due to various AV vendors' heuristics.

I bumped the Python version used to build to 3.8 in PR #250 and that seems to satisfy all but Microsoft. One submission later, and the detection has been removed.


Unfortunately, I have no idea whether this will remain solved. The only real long-term solution is to get a code-signing cert and sign our builds, as AV heuristics are far more trusting of signed code.
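The two facts a maintainer needs when chasing a false positive like the ones above are the exact hash of the shipped binary and whether it carries an Authenticode signature at all. The following is an added example, not code from this thread or from DownloaderForReddit: it reads the PE optional header's security data directory to find the certificate table and reports the SHA-256; the `constructed_pe` input is a synthetic header built inline for demonstration, not a real build.

```python
import hashlib
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the optional header


def authenticode_table(pe: bytes):
    """Return (file_offset, size) of the Attribute Certificate Table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    opt = e_lfanew + 4 + 20                      # skip PE signature and COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dir_base = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # PE32 / PE32+
    if dir_base is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs, = struct.unpack_from("<I", pe, dir_base - 4)   # NumberOfRvaAndSizes
    if num_dirs <= SECURITY_DIR_INDEX:
        return None
    off, size = struct.unpack_from("<II", pe, dir_base + 8 * SECURITY_DIR_INDEX)
    return (off, size) if off and size else None   # security dir holds a file offset


def triage(pe: bytes) -> dict:
    """Facts worth attaching to an AV false-positive submission."""
    table = authenticode_table(pe)
    info = {"sha256": hashlib.sha256(pe).hexdigest(), "signed": table is not None}
    if table:
        off, size = table
        length, _revision, cert_type = struct.unpack_from("<IHH", pe, off)
        info["cert_type"] = cert_type            # 0x0002 = WIN_CERT_TYPE_PKCS_SIGNED_DATA
        info["table_ok"] = length == size and off + size <= len(pe)
    return info


def constructed_pe(signed: bool) -> bytes:
    """Constructed PE32+ header only (no code); sample input, not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE signature right after
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # SizeOfOptionalHeader=240
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    blob = b""
    if signed:
        body = b"\x30\x82" + b"\x00" * 14        # stand-in for a PKCS#7 SignedData blob
        blob = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, 0x40 + 4 + 20 + 240, len(blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + blob
```

Presence of a certificate table only says the file was signed; validating the signature chain still needs `signtool verify` or `Get-AuthenticodeSignature` on Windows.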

thany commented 2 years ago

As for certificates, Let's Encrypt has free certificates, but I'm not sure if they are valid for signing code.

Just thought I'd mention it. Might be worth a look.

zacker150 commented 2 years ago

Let's Encrypt only provides SSL certificates. We cannot use them for code signing.

SignPath currently provides free certificates for open source projects. I reached out to them, and this was their response.

Hi Victor,

thanks for reaching out to us and your interest in our OSS offer. Generally, your project is eligible for a subscription. Please refer to our terms for more details: https://github.com/SignPath/Website-old/blob/v2/src/drafts/oss_policy.md

We provide a free code signing certificate (issued to our “SignPath Foundation”) and offer our service for free to open source projects. Due to the certificate being issued to our organization, we need to verify that the binary artifact is built solely from the source code in the public Github repository. We therefore integrate with CI services and check the configuration. Currently, only AppVeyor is supported. Github Actions has often been requested and we have it on the roadmap, but I cannot tell you when it will be supported.

If you are interested in an OSS subscription, I would kindly ask you to fill out the attached form (for each project you would like to apply for, I would suggest to start with one). We can then create a subscription for you with a test certificate. Once your setup is complete, we would go ahead and order a release certificate for you and import it into the subscription.

Looking forward to hearing back from you!

Best regards,

Paul

(attachment: OSSRequestForm - v1.xlsx)

@MalloyDelacroix thoughts?

MalloyDelacroix commented 2 years ago

Based on PR #250 and my subsequent testing, I have closed this issue. Of course, this is impossible to test with every anti-virus software that may be encountered. But it does seem, at least at the moment, that this is resolved.

@zacker150 These SignPath certificates are interesting. Reading through the details in the link though, it seems like we would have to change our build/release system and conform to a few requirements. I don't currently have time to give this the due diligence that it would require. At the moment this doesn't seem to be necessary, but I would definitely like to keep this in our pocket in case this issue returns or we want to pursue this in the future.