Open theskiratta opened 3 months ago
If less than 10% of the scanners on VirusTotal (and especially if it's 6 or fewer) report a problem, it's 99% guaranteed to be the heuristic detection doing something like "The official download for NSIS looks like a virus because viruses do installer-y things and we haven't whitelisted that installer" or "You made a brand new self-extractor from known-clean data using a freshly installed copy of StuffIt for Windows off a professionally pressed CD-ROM on a known-clean system... but some virus used StuffIt compression with the "StuffIt Self-Extractor for Installers" mode to obfuscate itself at some point in the past, so your self-extractor must be a virus". (Both true stories.)
A single positive result out of VirusTotal's entire stable of scanners basically means "Ordinary file... but from someone without the clout to get it whitelisted".
Hell, when I was using the Kaspersky Rescue Disk on a PC a few days ago because I was concerned that someone might have run a version of the Unlocker installer that nearly half of VirusTotal claims installed adware, it found two results... `dinput.dll` in the folder for the Drakan: Order of the Flame level editor (probably from some compatibility patch for newer Windows) which, when fed into VirusTotal, gives two positives out of 66 scanners... from Cylance and Rising... neither of which is Kaspersky.

If enough scanners that actually tell you the name of the threat report a problem, you can confirm it's a heuristic false positive by looking for scanners reporting completely different threats for the same file with components like `Gen` or `Heur` in the threat names. See, for example, my StuffIt self-extractor link. (Is it adware? A trojan? Something else? ...yeah right. You're just freaking out because the StuffIt Self-Extractor Stub is compressed using UPX and you're too lazy to include an unpacker for it.)
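The triage described in the comment above (low detection ratio, `Gen`/`Heur` components in the names, engines disagreeing on the threat type), as an added example that is not part of the original thread. The engine names, labels and category list are constructed for illustration, and the result is a set of signals for manual review rather than a verdict on any file.

```python
import re

# Components the comment above names as signs of a heuristic/generic verdict.
GENERIC_MARKERS = {"gen", "heur"}
# Coarse threat categories: an assumed list, chosen for this example.
CATEGORIES = {"adware", "trojan", "worm", "ransom", "backdoor", "pua"}


def tokens(label):
    """Split a detection label into lowercase alphanumeric components."""
    return {t for t in re.split(r"[^a-z0-9]+", label.lower()) if t}


def triage(results, max_ratio=0.10, max_hits=6):
    """results maps engine name -> detection label, or None when clean."""
    hits = {eng: lab for eng, lab in results.items() if lab}
    ratio = len(hits) / len(results) if results else 0.0
    generic = sorted(e for e, lab in hits.items() if tokens(lab) & GENERIC_MARKERS)
    cats = sorted(set().union(*(tokens(lab) & CATEGORIES for lab in hits.values())))
    report = {
        "hits": len(hits),
        "total": len(results),
        "low_ratio": bool(hits) and ratio < max_ratio,
        "few_hits": 0 < len(hits) <= max_hits,
        "generic_engines": generic,
        "categories": cats,
        "names_disagree": len(cats) > 1,
    }
    # Few detections plus generic or inconsistent names: probable heuristic hit.
    report["looks_heuristic"] = report["low_ratio"] and (
        bool(generic) or report["names_disagree"])
    return report


# Constructed sample: 66 engines, three detections with invented labels.
SAMPLE = {f"Engine{i:02d}": None for i in range(66)}
SAMPLE.update({
    "Engine03": "HEUR:Trojan.Win32.Generic",
    "Engine17": "Gen:Variant.Adware.Packed",
    "Engine41": "Unsafe",
})

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```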
Chrome also blocked my download due to finding a virus as well as Windows Defender detecting it as a virus. Current as of 9/25/24
When trying to use the newest version (3.0beta1), my antivirus flagged TypeTreeGenerator.exe as malware and removed it. A VirusTotal scan of the newest version yields a similar result. What is up with this?