Nandaka / PixivUtil2

Download images from Pixiv and more!
http://nandaka.devnull.zone/
BSD 2-Clause "Simplified" License
2.37k stars 257 forks

Windows security recognizes pixivutil2 as Malware #972

Closed Butterfly-Dragon closed 3 years ago

Butterfly-Dragon commented 3 years ago

Prerequisites

Description

Windows security recognizes pixivutil2 as Zpevdo.B

Steps to Reproduce

  1. Execute PixivUtil2
  2. Windows security takes action

Expected behavior:

normal execution

Actual behavior:

Windows security blocked internet access and I had to "unquarantine" the "severe" threat.

Versions

2021-07-02

Nandaka commented 3 years ago

Please run from source code if you are not sure; no changes will be provided on the exe (or rather, I cannot do anything).

Butterfly-Dragon commented 3 years ago

Oh, I know you did nothing and that your program does nothing wrong.

I am just warning you that as of this morning it gets recognized as such, so you can take steps to avoid it.

Nandaka commented 3 years ago

FYI, I tried to scan locally and it didn't detect anything.

Also, I tried to download the file from https://github.com/Nandaka/PixivUtil2/releases/tag/v20210702: it didn't detect anything.

Butterfly-Dragon commented 3 years ago

That contrasts with my experience this morning (a couple of hours ago).

GoAwayNow commented 3 years ago

Virus Total confirms Microsoft detects it, along with eight other antiviruses.

https://www.virustotal.com/gui/file/fd67f71e83e00d5baf325ba983da38a4787f38602e90e58e5b85e79cf4dffcb4/detection

Nandaka commented 3 years ago

Weird, what is the SHA256?

10FAB3245175FCE17D6D15C6E766AD6027F74F49BC9FEF78FB2AA5AAF0C28F58

Nandaka commented 3 years ago

Here is the result from VirusTotal, but I don't see Zpevdo.B.

EDIT: ah, you only scanned the exe. Somehow it got a different result.

GoAwayNow commented 3 years ago

The scan I linked was of PixivUtil.exe, not the release zip. EDIT: Yup, not sure why it comes out different sometimes.

Also the SHA256 of the zip is the same as yours.

10fab3245175fce17d6d15c6e766ad6027f74f49bc9fef78fb2aa5aaf0c28f58

Nandaka commented 3 years ago

I guess if you want to avoid this, you can run it from source code, which has better compatibility; see https://github.com/Nandaka/PixivUtil2/wiki/IDE-Enviroment-(Windows)

ShiroTora commented 3 years ago

I get a virus result from MSE.

So does this mean the Windows version is harmful if I set it to exclude?

gnarf1975 commented 3 years ago

Same problem. Switched to previous version.

Nandaka commented 3 years ago

run from source is recommended: https://github.com/Nandaka/PixivUtil2/wiki/IDE-Enviroment-(Windows)

Butterfly-Dragon commented 3 years ago

It says you need to "download the required library:" but does not say which. I will try later whether there actually is anything to add or whether it is all handled by the "requirements.txt", once I have time to exist.

Nandaka commented 3 years ago

pip install -r c:\pixivutil\requirements.txt

This will add the required library.

Butterfly-Dragon commented 3 years ago

I tried that... all I got was pixivutil2.py removed by Windows as "being remotely controlled by an agent".

Nandaka commented 3 years ago

The heck, then I have no idea anymore...

Butterfly-Dragon commented 3 years ago

It probably misidentifies some component as a "remote agent" and actions are taken to prevent it taking control.

That said, for now I went under:

settings>update and security>windows security>virus and threat protection>virus and threat protection settings>exclusions>add exclusions

and added PixivUtil2.exe and .py as exclusions.

FriedGenera commented 3 years ago

Was PyInstaller used for the exe? Apparently it causes a bunch of false positives.

Nandaka commented 3 years ago

It uses py2exe 0.10.4.0 from https://pypi.org/project/py2exe/

FriedGenera commented 3 years ago

Do you use the precompiled bootloader? If you do, recompiling your own might get the false positive detections to go down, but after that there's not much else to do other than reporting it to the companies.

FriedGenera commented 3 years ago

I went ahead and submitted it to microsoft, so hopefully they'll clear it and windows defender doesn't keep quarantining it.

Nandaka commented 3 years ago

> Do you use the precompiled bootloader? If you do, recompiling your own might get the false positive detections to go down, but after that there's not much else to do other than reporting it to the companies.

I'm using pip to install/update the library, so I don't think it recompiles anything. I assume it just uses the packaged whl file.

> I went ahead and submitted it to microsoft, so hopefully they'll clear it and windows defender doesn't keep quarantining it.

Thanks 😄

FriedGenera commented 3 years ago

Alright, Microsoft got back and said it was cleared. I just checked VirusTotal, and it's no longer showing it as detected under Microsoft:

https://www.virustotal.com/gui/file/fd67f71e83e00d5baf325ba983da38a4787f38602e90e58e5b85e79cf4dffcb4/detection

If someone can test whether Defender is still quarantining it, that'd be great.

Revemohl commented 3 years ago

@Nandaka Looks like this is happening again with v20210822, but it's detecting Trojan:Win32/Wacatac.B!ml instead. Didn't want to open a new issue because it's basically the same thing as this one.

shinji257 commented 3 years ago

It seems to flag the zip but nothing inside the zip. I unpacked it and had no further detections from it.
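Since the thread compares the hash of the zip against VirusTotal and then finds the zip flagged while its contents are not, a local check that hashes both the archive and every member inside it lets a user confirm a download against a published digest, or look up each member by hash, without uploading anything. This is an added example, not PixivUtil2's own code; the archive it builds is a constructed stand-in with dummy member contents, not the real release.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    """Lowercase hex SHA256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def archive_digests(src) -> dict:
    """Return {"<archive>": digest of the whole zip, member_name: digest of each member}.
    src is either a filesystem path or the raw zip bytes."""
    if isinstance(src, bytes):
        raw = src
    else:
        with open(src, "rb") as fh:
            raw = fh.read()
    digests = {"<archive>": sha256_hex(raw)}
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Hash the decompressed member, which is what an AV engine scans after unpacking.
            digests[info.filename] = sha256_hex(zf.read(info))
    return digests


def matches_published(src, published_sha256: str, member: str = None) -> bool:
    """Compare the archive (or one member of it) against a published digest, case-insensitively."""
    key = member if member is not None else "<archive>"
    return archive_digests(src).get(key, "").lower() == published_sha256.strip().lower()


def build_sample_zip() -> bytes:
    """Constructed stand-in for a release zip: member names only, dummy contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PixivUtil2.exe", b"abc")   # dummy bytes, not a real binary
        zf.writestr("readme.txt", b"")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for name, digest in archive_digests(SAMPLE_ZIP).items():
        print(f"{digest}  {name}")
```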

Nandaka commented 3 years ago

Weird. I also tried to compress it as 7z and it still shows as a virus in VirusTotal...

Nandaka commented 3 years ago

Recompiling with py3.8.10 got a slightly different result.

densetsumeru commented 3 years ago

Windows Defender decided it's something new today.

shiinjii commented 3 years ago

3 detections in 1 day

DisasterInbound commented 3 years ago

> run from source is recommended: https://github.com/Nandaka/PixivUtil2/wiki/IDE-Enviroment-(Windows)

This is my first time running it from source. Is this going to detect the old database file, settings, etc., or do I need to do something else to restore them?

Never mind. I managed to do it by copy and pasting the config.ini and db.sqlite files to the source folder.

kial0218 commented 2 years ago

Avast recognizes 'PixivUtil2.exe' in 'pixivutil20220924-64bit.zip' as malware. Even if an exception is handled, the command prompt window is immediately closed.