Closed StepanOrt closed 7 months ago
Windows Defender
Please stop spamming duplicates about that or I'll have to stop providing Windows builds.
@Martchus Sorry to bring this up again, but I just wanted to let you know that the file that's being flagged as malware is the CLI (syncthingtray-$VERSION-x86_64-w64-mingw32-cli.exe). I suspect most Windows users don't care about the CLI and are only interested in the GUI executable, so if you stop bundling the CLI in the Windows .zip archives then all these false malware reports should stop.
But I like to have the CLI wrapper. Maybe it would nevertheless be the easiest if I'd really just avoid adding it to the zip file. It would still be downloadable via the archive on https://martchus.no-ip.biz/repo/arch/ownstuff. However, this just seems wrong. I don't like to give in. I don't like to set an example/signal for AV vendors that they can banish software that easily.
Yeah, that all makes sense and I completely understand. I just noticed the malware warnings on a Windows machine and saw that a bunch of people keep opening GitHub issues about this, so I wanted to let you know that this is a possible workaround.
Thanks for all of your work on this project, I've been using it for about a year and it's very helpful :)
I've submitted a false positive https://www.microsoft.com/en-us/wdsi/submission/344e6e00-4c4f-4c65-8519-47108abd9620.
I also submitted a false positive and got this back:
Too bad. I looked at https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/criteria?view=o365-worldwide but it is just a generic list of criteria. Without knowing what it is exactly in my binary that meets their criteria it is hard to improve it. Since everything is open source it would be easy to point out a problematic section of source code in e.g. https://github.com/Martchus/cpp-utilities/blob/master/cmake/templates/cli-wrapper.cpp or code in dependencies such as libstdc++ but I suppose that's too much to ask for from their analyst.
They have a dedicated section for developers reporting false positives in their own software. I wonder if they'll be able to give you more information if you report there?
I'll try that later.
I have filed a submission: https://www.microsoft.com/en-us/wdsi/submission/d80e5d10-5147-4303-97ef-b384304399d0
Unfortunately it is not obvious how to make the submission publicly visible.
EDIT: The submission was rejected but I filed a dispute. Let's see how that goes.
By the way, for now I guess the best workaround is to add an exclusion: https://support.microsoft.com/en-us/windows/add-an-exclusion-to-windows-security-811816c0-4dfd-af4a-47e4-c301afe13b26
Yesterday I got a response for the dispute. It was very verbosely worded but I guess the gist is that the false-alert should no longer be an issue¹. I had a quick look on Virus Total (where I forced a re-scan) and it looks better, indeed:
So at least it appears now as "Undetected" for the vendor "Microsoft". The most recent release v1.4.10 is even only detected by one scanner (although the detections might just not have settled yet).
¹ This dispute was only about Microsoft Defender. So this response is of course not making any statement about other AV products.
In case you might want to follow them, here are the exact instructions from the response:
The new security intelligence update version 1.401.1671.0 contains changes necessary to resolve your question relating to Syncthing Tray. This new security intelligence update is now available for users who subscribe to the automatic security intelligence update mechanism, as well as users who choose to manually update their security intelligence update library.
We encourage you to try this new security intelligence update and confirm your inquiry has been resolved. If your machine has not been updated with this version of security intelligence update you can download and install the update manually following these steps:
- Go to https://www.microsoft.com/en-us/wdsi/defenderupdates
- Download the corresponding definitions (32 bit or 64 bit based on your operating system)
- Run the downloaded file to install the new definitions
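The same check can be scripted instead of downloading the definitions by hand. The following PowerShell is an added example, not code from the issue thread or from the Syncthing Tray project: it reads the installed Defender security intelligence version, compares it against the 1.401.1671.0 named in Microsoft's reply, updates if older, and only falls back to the per-file exclusion workaround mentioned earlier in the thread when the fixed definitions are still not present. The file path is a hypothetical install location; the Defender cmdlets need an elevated prompt.

```powershell
# Added example, not from the issue thread or the Syncthing Tray project.
# Assumptions: the fixed definitions are 1.401.1671.0 (from Microsoft's reply)
# and the CLI wrapper was unpacked to the hypothetical path below.
$FixedSignatures = [version]'1.401.1671.0'
$CliPath = 'C:\Tools\syncthingtray\syncthingtray-1.4.10-x86_64-w64-mingw32-cli.exe'  # hypothetical

$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Installed security intelligence: $current"

if ($current -lt $FixedSignatures) {
    # Same effect as the manual download from wdsi/defenderupdates.
    Update-MpSignature
    $current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "After update: $current"
}

if ($current -lt $FixedSignatures) {
    # Still on older definitions: apply the interim workaround from the thread,
    # scoped to the single executable rather than a whole folder.
    if (-not ((Get-MpPreference).ExclusionPath -contains $CliPath)) {
        Add-MpPreference -ExclusionPath $CliPath
    }
    Write-Host "Definitions older than $FixedSignatures; excluded $CliPath for now."
} else {
    # Fixed definitions present: remove any leftover exclusion so the file is
    # scanned normally again, then scan it on demand to confirm it is clean.
    if ((Get-MpPreference).ExclusionPath -contains $CliPath) {
        Remove-MpPreference -ExclusionPath $CliPath
    }
    Start-MpScan -ScanType CustomScan -ScanPath $CliPath
    $hits = Get-MpThreatDetection | Where-Object { $_.Resources -match [regex]::Escape($CliPath) }
    if ($hits) { $hits | Format-List } else { Write-Host "No detection recorded for $CliPath." }
}
```

Keeping the exclusion tied to the exact file and removing it once the definitions are current avoids leaving a permanent blind spot in Defender for the whole download folder.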
Judging by Virus Total it is still not detected by "Microsoft" anymore. I guess that must be good enough.
Dealing with other AV software is really out of scope for me. If you use other AV software that still detects it, you might want to file a submission/dispute yourself. This is an open source project so I don't see a reason why only "the author" should be able to do it. In case they ask for your company you can just put "not developed by a company" in the form field. At least that wasn't a problem with Microsoft.
See VirusTotal report https://www.virustotal.com/gui/file/834c60c33e6ff2046e73a81edfea56d0df873937bcb44bd2edbc36de88e08242/detection
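A VirusTotal verdict only says something about the exact bytes that were scanned, and the SHA-256 in the report URL identifies them. The PowerShell below is an added example, not part of the thread: it pulls that hash out of the linked report URL, hashes the locally downloaded file, and tells you whether the linked verdict applies to the build you actually have or whether you should look up the file under its own hash. The local path is hypothetical.

```powershell
# Added example, not from the issue thread or the Syncthing Tray project.
# Checks that a downloaded file is the same artifact as the linked VirusTotal report.
$ReportUrl = 'https://www.virustotal.com/gui/file/834c60c33e6ff2046e73a81edfea56d0df873937bcb44bd2edbc36de88e08242/detection'
$LocalFile = 'C:\Tools\syncthingtray\syncthingtray-1.4.10-x86_64-w64-mingw32-cli.exe'  # hypothetical

function Get-VtHashFromUrl {
    # VirusTotal file report URLs carry the SHA-256 as 64 hex characters after /file/.
    param([string]$Url)
    if ($Url -match '/file/([0-9a-fA-F]{64})') { return $Matches[1].ToLowerInvariant() }
    throw "No SHA-256 found in $Url"
}

$expected = Get-VtHashFromUrl $ReportUrl
$actual   = (Get-FileHash -Path $LocalFile -Algorithm SHA256).Hash.ToLowerInvariant()

if ($actual -eq $expected) {
    Write-Host "Local file matches the linked VirusTotal report; its verdict applies to this file."
} else {
    Write-Host "Hash mismatch: local $actual, report $expected."
    Write-Host "This is a different build; check https://www.virustotal.com/gui/file/$actual/detection instead."
}
```

If the hashes differ (for example because you downloaded a newer release), the re-scanned verdict discussed above says nothing about your copy, and the detection counts for it may not have settled yet either.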