RamonUnch / AltSnap

Maintained continuation of Stefan Sundin's AltDrag
GNU General Public License v3.0

Antivirus false positives issue #42

Closed rubin110 closed 2 years ago

rubin110 commented 3 years ago


Hit this through the installer. The binary also hits a similar snag.

RevelaAutumn commented 3 years ago

I just updated my defender database and scanned my AltDrag directory without issue, for Ramon's v1.40. Is it possible you have a compromised browser or something that is infecting downloaded items in flight?

rubin110 commented 3 years ago

@RevelaAutumn Can you please confirm by grabbing a fresh copy of the installer binary and zip from: https://github.com/RamonUnch/AltDrag/releases/tag/1.40

My Windows Defender updated its definitions today (March 18th, 2021), and has no problems with any of the prior versions tagged in this repo.

Hash of AltDrag1.40-inst.exe, SHA256: 95058B927BA16BCDEB403A498483D8F89812990D1DC2B44B950EDC682FE66239

https://www.virustotal.com/gui/file/95058b927ba16bcdeb403a498483d8f89812990d1dc2b44b950edc682fe66239/detection

rubin110 commented 3 years ago

I can confirm the hash matches downloading the installer via a couple other machines scattered across the internet.

RevelaAutumn commented 3 years ago

Confirmed, I am also getting this issue now on the v1.40 exe and bin zip.

RamonUnch commented 3 years ago

Some antivirus products detect AltDrag as a virus; however, it is a false positive. The reason is that AltDrag, in order to function properly, needs to hook the keyboard and the mouse at a system level. Hence it looks suspicious to any behavioural antivirus.

The original AltDrag had a similar issue: https://github.com/stefansundin/altdrag/issues/112 I invite you to compile it yourself from the source and you will have the same problem.

You can see on www.virustotal.com the "Win32/Trojan.Generic.HoMASQ8A", meaning that no specific virus signature was found but this is a suspicion using a generic filter. You can also see that all the other AVs detect nothing. Most AVs only use a signature database and AltDrag is not actually infected.

EDIT: Also maybe the new "Kill program" action is detected as suspicious by some AVs.

rubin110 commented 3 years ago

Is there a reason why the prior versions aren't detected as such?

RamonUnch commented 3 years ago

I would be interested to know why, I will investigate this further. I changed some compilation flags for compatibility with GCC 10, this may have an effect on "suspicious PE header".

RamonUnch commented 3 years ago

I can confirm that changing any compilation flag can add or remove several detections on VirusTotal. I will try several combinations to see what minimizes the alerts.

RamonUnch commented 3 years ago

Also different nullsoft installer versions give different alerts, I use the stable 2.51 and if I use the latest 3.06.1 I get even more alerts. It is really annoying.

After changing more flags on AltDrag, here are the optimal parameters (for AVs): AltDrag140bin.zip: one 'Unsafe' from Cylance: https://www.virustotal.com/gui/file/8f405e3739413c50f21df00f9d4f34c8853dd213364646f560a8fc677670a0c7/detection

I usually disable the GNU stdlib (with the -nostdlib flag) because it is very buggy and created crashes for me in the past (on Win10), but some AV software finds suspicious any exe that is built with this flag, so I am now hesitant to re-enable it (like above), because it is potential trouble for me in the future, and it would be just for the sake of fewer false positives on AVs.

For Microsoft WinDefend the problematic flag was the -D__USE_MINGW_ANSI_STDIO=0 that is necessary for GCC 10, but for now I use gcc8, so it does not matter. I think I will stick for the next release with the v1.39 compile flags; this should be all right with WinDefend.

I fear that someday any compiler that is not from MS will be blacklisted by AVs and open source projects will be less trusted than proprietary software.

rubin110 commented 3 years ago

@RamonUnch Thank you for digging so deep into this!


RamonUnch commented 3 years ago

Also it seems NSIS 2.46 gives fewer warnings than 2.51.

RamonUnch commented 3 years ago

For AltDrag 1.41, the latest installer still has warnings: https://www.virustotal.com/gui/file/8e7c4cc4f1a42400ffefd2063ddc8e82d8f36793d7fbf34818724c76ac901f9c/detection

The latest zip has 4 warnings, using the latest TDM GCC 9.2 with the -nostdlib flag; if you remove the -nostdlib flag, you can get even fewer, but I do not want to use the stdlib for the reasons previously stated. More code always means more vulnerabilities anyway. https://www.virustotal.com/gui/file/3a69836dc80d3e7df7d867818348975066188ed33c5e3d2766d24acf4b370b88/detection

Microsoft WinDefend is no longer giving a warning, which is the most important.

rubin110 commented 3 years ago


After installing, running, and attempting to change the settings, Windows Defender deleted the executable. :(

RamonUnch commented 3 years ago

The screenshot you are showing me is still v1.40... Use the latest 1.41. I will not modify the old versions because it would make no sense (as it is a false positive and not an actual virus that infected the file) and it would break the chocolatey package.

EDIT: Ok, WinDefend now gives me different results with the EXACT same file (checked the hash) within 1 day. Probably some update I did not see. Try again the installer of 1.41, that I updated (not yet in choco).

EDIT2: I cannot find a way to make the installer not blocked by WinDefend for now.

RamonUnch commented 3 years ago

Also, adding the -Wl,--build-id linking flag removes Avast's false positive on AltDrag.exe.

bufferUnderrun commented 3 years ago

Hey guys !

First, THANK YOU SO MUCH @RamonUnch for refactoring the old altdrag and going to the next level, no more bugs anymore!

Same issue as @rubin110 for the v1.40: Windows Defender treats it like a trojan since this morning. I just downloaded v1.41 and it works just fine, as Windows Defender does not detect it as a rootkit.

Thanks !!

rubin110 commented 3 years ago

This does work for me now. Thanks!

bufferUnderrun commented 3 years ago

Well, today's Windows update is detecting the new v1.41 as malware. I'll add an exception to avoid this...

RamonUnch commented 3 years ago

Do you get a positive on the setup only or on the AltDrag.exe file? At this point you could report a false positive to MS.

EDIT: I just did report that to Microsoft, I will keep you updated with the discussion.

bufferUnderrun commented 3 years ago

I get a positive for both.

RamonUnch commented 3 years ago

Microsoft is quite reactive. Here is what they sent me:

altdrag1.41-inst.exe

Submission ID: e24c5e26-c9f9-4d4f-a635-4697bd52f7be

Status: Completed

Submitted by: REDACTED

Submitted: Mar 30, 2021 17:04:19

User Opinion: Incorrect detection

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

 1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
 2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
 3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

bufferUnderrun commented 3 years ago

It works !

Thanks !!

RamonUnch commented 3 years ago

For now I get a negative with the latest 1.42 but I am not sure if it will stay that way. If you have any problem, tell me and I will submit again to MS.

bufferUnderrun commented 3 years ago

I think we have to deal with it... so I keep the exception in Defender's settings.

RamonUnch commented 3 years ago

OK, I do not get it: when I make a first scan WinDefend is OK and at the second scan it detects it. I again reported to Microsoft.

Hopefully 1.42 will be stable and I will not need to update it for some months. It is important for new users that WinDefend does not report a virus, otherwise they will assume the app is malicious.

I think that the anti-viruses are copying each other's db, as now if I look at VirusTotal for the same 1.41 file, there is double the amount of false positives compared to the first scan I did.

bufferUnderrun commented 3 years ago

I agree about the new users, they have to trust the app, so no warning from antiviruses. I'll test each version too and send feedback if needed.

RamonUnch commented 3 years ago

altdrag1.42-inst.exe

Submission ID: 0dafdfaf-76d9-4a48-8300-2617a8dbe954

Status: Completed

Submitted by: REDACTED

Submitted: Apr 1, 2021 12:04:20

User Opinion: Incorrect detection

Analyst comments: We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

 1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
 2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
 3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

RamonUnch commented 3 years ago

altdrag1.42-inst.exe: 15/69 on VirusTotal, and no more from Microsoft! https://www.virustotal.com/gui/file/f7f545e40440bf28210572010da3c4ac50a0bbcdbbdc0dc869aa432385fe1551/detection

EDIT: Today, April 3 2021, after submitting a few false positive demands, there are only 8/69 false positives.

If anyone uses some AV that detects it as a false positive, then I suggest you submit a false positive to the company developing the AV. Of course, check that the SHA256 of your file is: altdrag1.42-inst.exe SHA256: F7F545E40440BF28210572010DA3C4AC50A0BBCDBBDC0DC869AA432385FE1551

RamonUnch commented 3 years ago

Other note: It seems that if I remove the dependency on msvcrt.dll then I get much fewer alerts from VirusTotal. This will be the case for the next release (1.43).

Latest v1.43: only 3/69 on VirusTotal: https://www.virustotal.com/gui/file/ba170c1b2be713fae625d5b69f1a2248b8e209ede260d2bb77dca1f32530cdce/detection

EDIT: I submitted a false positive issue for all 3 vendors that flagged the file.

Edit 2021-05-28 it seems that we have now 0/69

RamonUnch commented 3 years ago

Latest AltDrag 1.44: https://www.virustotal.com/gui/file/0c587691dfd2bb5a65d54ef6b7be36997edab98b55e3ab1d4a0508da8602a48f/detection (1/68) from SecureAge APEX. I submitted a false positive issue. EDIT: Now 0/69

RamonUnch commented 3 years ago

Latest 1.45: 2/68 on VirusTotal: https://www.virustotal.com/gui/file/3b45f3d8a022221e5e5fb405d2a2c1a4443152eac6c62832c15b9216e69e0a76/detection Again from SecureAge APEX and Palo Alto Networks. I will submit false positive issues.

EDIT: on 11/07/2021 (0/68) alerts!

RamonUnch commented 3 years ago

AltDrag 1.46 2/69 on Virustotal.

https://www.virustotal.com/gui/file/46c8338616a2a9ea07245616a90d511639f9a8222091491caf9d209bc6fd3346/detection

Again from SecureAge APEX and Palo Alto Networks. I will submit false positive issues.

RamonUnch commented 2 years ago

The number of false positives is low enough, so I close the issue and it will remain linked in the README FIRST pinned issue.

anodynos commented 2 years ago

I got this today with 1.48


RamonUnch commented 2 years ago

I do not get the same according to virustotal.com, even from Avast AV. Be sure to have an up-to-date definition and be sure that your files are the same as from the source:

AltDrag.exe (x64): sha256: 26D10B5BBDBBC433D88D795233EA155D6C381DA35DA7FC3B845EDB9DCB6C187E

hooks.dll (x64): sha256: F8D64A4FF2CFEA96B0BC9DCB1A2956657B8CA91D14D66421AC2C2B7AECCB31AD

AltDrag.exe (x32): sha256: A479D8401A6A100511D1C60C37370E03FBE45B77442A667B79A9FA8A6185AC65

hooks.dll (x32): sha256: F4C691A8CAA3CB5BB51552B49DF5F251C599DE3C3D495C7FC792FEC12C879897

If your checksums do not match, then you got infected; otherwise, you can ignore the error, add an exception to Avast and submit them a false positive issue.

According to the IDP.Generic flagging, I guess it is some generic heuristic that triggered it, so it is an indication that your file is probably not infected.

I am not an Avast user (and will never be) so I will not submit this to the avast team because it would make things quite complicated for me.
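The check the maintainer describes above, as an added example that is not AltDrag project code: hash each downloaded file and compare it with the digest published in this thread. The local paths are an assumed layout of the extracted zip; the digests are the 1.48 values quoted above.

```python
import hashlib
from pathlib import Path

# Digests quoted in this thread for the AltDrag 1.48 builds. The local paths
# are an assumed layout of the extracted zip, not something the project ships.
PUBLISHED_1_48 = {
    "x64/AltDrag.exe": "26D10B5BBDBBC433D88D795233EA155D6C381DA35DA7FC3B845EDB9DCB6C187E",
    "x64/hooks.dll":   "F8D64A4FF2CFEA96B0BC9DCB1A2956657B8CA91D14D66421AC2C2B7AECCB31AD",
    "x32/AltDrag.exe": "A479D8401A6A100511D1C60C37370E03FBE45B77442A667B79A9FA8A6185AC65",
    "x32/hooks.dll":   "F4C691A8CAA3CB5BB51552B49DF5F251C599DE3C3D495C7FC792FEC12C879897",
}

def sha256_of(path):
    """Hash a file in 1 MiB chunks so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_files(expected):
    """Return {path: "ok" | "mismatch" | "missing"} for each published digest.

    The comparison is case-insensitive: the thread quotes digests in upper
    case while VirusTotal URLs use lower case, and both denote the same hash.
    """
    results = {}
    for path, published in expected.items():
        if not Path(path).is_file():
            results[path] = "missing"
        elif sha256_of(path) == published.strip().lower():
            results[path] = "ok"
        else:
            results[path] = "mismatch"
    return results

def verdict(results):
    """Turn the per-file results into the decision the maintainer describes."""
    states = set(results.values())
    if "mismatch" in states:
        return "mismatch"    # differs from the published build: do not run it
    if "missing" in states:
        return "incomplete"  # nothing to conclude until every file is present
    return "ok"              # matches the published build: an AV hit is a false positive to report

if __name__ == "__main__":
    results = verify_files(PUBLISHED_1_48)
    for path, state in results.items():
        print(f"{state:10} {path}")
    print("overall:", verdict(results))
```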

anodynos commented 9 months ago

I got it again on 1.62 & reported it...

anodynos commented 9 months ago

And they added it to ignore list:
