Martchus / syncthingtray

Tray application and Dolphin/Plasma integration for Syncthing
https://martchus.github.io/syncthingtray/

Windows Defender detects trojan in syncthingtray-1.4.3-x86_64-w64-mingw32.exe.zip #189

Closed woble closed 1 year ago

woble commented 1 year ago

Trojan:AndroidOS/Multiverze Alert level: Severe Status: Active Date: 2023-06-12 09:29 Category: Trojan Details: This program is dangerous and executes commands from an attacker.

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AAndroidOS%2FMultiverze&threatid=2147785333

Martchus commented 1 year ago

I don't think I can do anything for you except assuring you that the version downloadable on GitHub's release section is not malicious. If you have problems with anti virus software you should contact their vendor. Note that I haven't seen Windows complaining about this using the binaries from GitHub's release section so I also cannot reproduce the problem.

woble commented 1 year ago

My initial thought was that it's likely a false positive, which it probably is.

Martchus commented 1 year ago

Like I said, if you downloaded from the release section it is a false positive. Out of curiosity I've just checked the file with VirusTotal and I still don't see that Windows Defender complains about it: https://www.virustotal.com/gui/file/e52b4a6dfb17ec21d901da60402c8df1b444680eb20603d716d9cd3af8b8135d

I suppose Windows Defender is listed as "Microsoft" there and it says "Undetected". There are some other virus scanners framing the file as malicious. Users of those might try to submit the file as harmless but I am not going to put any effort into this myself.

ghotz commented 1 year ago

FWIW I had the same problem, downloading it through scoop.

Martchus commented 1 year ago

I cannot say anything about the version from Scoop as it is provided by someone else.

Note that if you just post a screenshot like this it is not very useful to me. It does not even clarify which Virus scanner was used. Considering I cannot do anything about it, this is likely not very important anyways.

ghotz commented 1 year ago

Yes, not important, I just replied FWIW so that people searching understand it's not a one user problem, but there's nothing much you can do as it seems a false positive that needs to be dealt with by Microsoft.

In any case, the screenshot is from Windows integrated antimalware (Defender) and the binaries release is from this repo as scoop doesn't host releases: https://github.com/Martchus/syncthingtray/releases/download/v1.4.3/syncthingtray-1.4.3-x86_64-w64-mingw32.exe.zip

dreamflasher commented 1 year ago

"11 security vendors and no sandboxes flagged this file as malicious"

superbarney commented 1 year ago

@Martchus Are you able to provide the hash for the zip file? I'm curious if the file downloaded from github's server(s) is still the same.

Martchus commented 1 year ago

Actually no, I don't store these files locally. I repackage those files from the direct build artefacts on the fly when uploading. You can also grab the exe from https://martchus.no-ip.biz/repo/arch/ownstuff/os/x86_64/mingw-w64-syncthingtray-1.4.3-1-any.pkg.tar.zst (which is the direct build artefact hosted on my own server independently from GitHub) and compare those. This file is also signed (https://martchus.no-ip.biz/repo/arch/ownstuff/os/x86_64/mingw-w64-syncthingtray-1.4.3-1-any.pkg.tar.zst.sig) which I plan to do for files uploaded on GitHub as well but haven't implemented yet.

truthsword commented 1 year ago

Hopefully a FP, but I switched to the QT5 release as it was "clean".

Martchus commented 1 year ago

It is just a FP, as already stated before. If you don't trust the version on GitHub you can use the one from my own server which is signed via gpg (public key is B9E36A7275FC61B464B67907E06FE8F53CDC6A4C).

truthsword commented 1 year ago

you can use the one from my own server

After traversing your server, I see no x64 pre-compiled release for Windows. Did I misunderstand your post?

Martchus commented 1 year ago

No need to traverse. The first link in https://github.com/Martchus/syncthingtray/issues/189#issuecomment-1596163675 points directly to the archive. It contains the i686 and x86_64 versions for Windows. The "static" version is a self-contained executable that should be identical to the version from GitHub (as the binaries on GitHub are really just re-wrapping the contents of the .pkg.tar.zst archive).
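The cross-check Martchus describes (signed .pkg.tar.zst on his server vs. the re-wrapped zip on GitHub) as an added shell script that is not part of the issue or the project. It assumes curl, gpg, tar with zstd support, unzip and sha256sum are installed, that the key can be fetched from the default keyserver by the fingerprint quoted above, and that the package contains a file with the same name as each .exe in the zip.

```shell
#!/bin/sh
# Added example: verify the GPG signature of the signed package and check that
# the executables in the GitHub zip are byte-identical to those in the package.
set -eu

KEY_FPR="B9E36A7275FC61B464B67907E06FE8F53CDC6A4C"   # fingerprint from the thread
PKG_URL="https://martchus.no-ip.biz/repo/arch/ownstuff/os/x86_64/mingw-w64-syncthingtray-1.4.3-1-any.pkg.tar.zst"
ZIP_URL="https://github.com/Martchus/syncthingtray/releases/download/v1.4.3/syncthingtray-1.4.3-x86_64-w64-mingw32.exe.zip"

# Print only the hex SHA-256 digest of a file.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Succeed when two files have the same SHA-256 digest.
same_digest() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Verify the detached signature "$1.sig" over "$1" and insist that the signing
# key has fingerprint "$2": a valid signature from some other key is not enough.
verify_sig() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null | grep -q "VALIDSIG $2"
}

main() {
    work=$(mktemp -d)
    curl -fsSL -o "$work/pkg.tar.zst" "$PKG_URL"
    curl -fsSL -o "$work/pkg.tar.zst.sig" "$PKG_URL.sig"
    curl -fsSL -o "$work/release.zip" "$ZIP_URL"
    gpg --recv-keys "$KEY_FPR"   # assumption: key reachable via default keyserver
    verify_sig "$work/pkg.tar.zst" "$KEY_FPR" || { echo "signature check FAILED"; exit 1; }
    mkdir "$work/pkg" "$work/zip"
    tar --zstd -xf "$work/pkg.tar.zst" -C "$work/pkg"
    unzip -q "$work/release.zip" -d "$work/zip"
    # Every .exe from the zip must have a byte-identical twin inside the package.
    find "$work/zip" -type f -name '*.exe' | while read -r exe; do
        name=$(basename "$exe")
        twin=$(find "$work/pkg" -type f -name "$name" | head -n 1)
        [ -n "$twin" ] || { echo "$name: not found in signed package"; exit 1; }
        same_digest "$exe" "$twin" || { echo "$name: DIFFERS from signed package"; exit 1; }
        echo "$name: matches signed package ($(sha256_of "$exe"))"
    done
}

# Only run the network steps when explicitly asked: ./check.sh run
if [ "${1:-}" = "run" ]; then main; fi
```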

woble commented 1 year ago

Somehow scoop managed to install it. But when I download it manually, Defender flags it. 🤷

dreamflasher commented 1 year ago

The QT5 version works for me as well.

taki-eddine-47 commented 1 year ago

I don't think I can do anything for you except assuring you that the version downloadable on GitHub's release section is not malicious. If you have problems with anti virus software you should contact their vendor. Note that I haven't seen Windows complaining about this using the binaries from GitHub's release section so I also cannot reproduce the problem.

You can reproduce the problem using VirusTotal, it's an online solution and complains about 37 viruses, I hope this helps, meanwhile QT5 is clean https://www.virustotal.com/gui/home/upload

Martchus commented 1 year ago

The Qt 6 based version is "clean" as well. Those are all just false positives. Please don't bump this closed issue again and again.

I also already know VirusTotal, see my second comment here.

Note that anti virus software is generally out of scope here. If some vendors produce software that frames my software as malicious that's their shitty business. If someone wants to deal with such kind of software that's fine but I personally won't put effort into helping them to improve their obviously misguided algorithms to "frame" other people's software.

jcotton42 commented 1 year ago

I have submitted a false-positive report for Windows Defender with the latest release of the 64-bit QT6 version of SyncthingTray. I'll keep an eye on the report and let you all know what happens.

jcotton42 commented 1 year ago

Appears to be remediated now.