Closed BobFlanagan1 closed 4 years ago
Further on this: TrendMicro says pageedit.exe is infected with HEU_AEGISCS934 TSC_GENCLEAN
It's not if you downloaded directly from releases here on github and no place else. And the sha256 checksums matched those for the release.
The entire source code is there to look at.
So not much I can do but tell you to complain to your Anti-Virus provider.
Closing this as not an issue we control.
I was going to say much the same. There's not much I can do about their overly aggressive heuristic false positives. I'll just point to the freely available source code and leave it up to users whether they want to exempt PageEdit or not. No skin off of my back either way.
I understand your points and I appreciate the work you do on the software. I just wanted you aware of the software being flagged as potentially having a virus. Not being a programmer in the languages you use, it is impossible for me to review the code as you suggest. As I am not the author of the software, I am not in a position to report false positives to Microsoft or TrendMicro. Please consider resolving the issue so others are not turned away because of the warnings. I have published software and have had false positives. It only took a little work to report and eliminate. I considered a false positive as a royal pain, but one that required immediate action for the credibility of my software.
I've no interest in interacting with Trend Micro, or any other antivirus company. They'll figure it out or they won't. There's always been a certain amount of trust necessary when using free open-source software. We've either inspired that trust (and other users will vouch for us) or we haven't. And I'm OK with that. I'm not going down the rabbit hole of chasing false-positives, or buying my way onto "trusted" publisher lists for what basically amounts to a hobby project.
FWIW, Trend Micro has one of the worst rates for false positives according to this 2019 study:
https://www.av-comparatives.org/tests/false-alarm-test-march-2019/
I updated Defender's definitions on my Windows 10 machine and downloaded a fresh copy of PageEdit 1.0.0 from github and Defender didn't complain about the installer (other than the usual ridiculously scary warning about files downloaded from the internet being super, super dangerous and please click here and hold your tongue just so if you want to run it anyway) or the PageEdit binary. Nor did it block PageEdit from running.
I can't test what Trend Micro might do. I learned long ago not to run two different realtime antivirus scanners on the same Windows machine. I roll with Defender alone and have never had a bit of trouble on Windows 10.
I'm filled with great confusion: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TSC_GENCLEAN
According to this, the threat which has been detected in pageedit.exe is the malware:
This is the pattern for GeneriClean.
GeneriClean is a Trend Micro technology that ensures coordinated system cleanup operation. When your Trend Micro product detects a malware on your computer, it sends a command to the Damage Cleanup Engine (DCE) to perform system clean.
To enable the latest GeneriClean, the following are necessary components:
- Trend Micro product that supports GeneriClean technology and has this feature enabled
- DCE version 6.1 or higher
- DCT OPR 1070 or higher
- TSC.INI with 55 entries under secured policy section
The GeneriClean technology has the following features:
- Disables malware-related services
- Deletes re-spawned autostart registry entries upon reboot
- Detects and removes malware rootkit components
- Detects and removes malicious ADS files
- Terminates malware running processes
- Deletes related autostart registry entries
- Deletes component files such as AUTORUN.INF
- Restore general policy settings to Trend Micro recommended settings
At any rate, I'm fully confident in PageEdit enough to continue offering it in the appstore / software center for a major linux distribution...
I tried to run PageEdit-1.0.0-Windows-x64-Setup.exe on two computers. Windows Defender on one and Trend Micro on the other. Both blocked the exe from running. No real details. Just that it was a suspicious file.