Syncplay / syncplay

Client/server to synchronize media playback on mpv/VLC/MPC-HC/MPC-BE on many computers
http://syncplay.pl/
Apache License 2.0

Syncplay-1.5.0-RC1-Setup.exe throws malware warnings from Windows Defender and Trend Micro Maximum Security (at least) #157

Closed jwfxpr closed 6 years ago

jwfxpr commented 6 years ago

Considering the number of recent high (and low) profile cases of attackers injecting malware into both open and closed source software updates recently, I'm sure the Syncplay project would rather not have any question of the legitimacy and hygiene of the latest version. I'm honestly not sure what you could do to prevent the malware warnings, but at least an acknowledgement on the download page and news page that the issue exists, perhaps alongside the verifiable hash of the installer as compiled by your team, would help.

albertosottile commented 6 years ago

Just a question: does your antivirus detect the software as a malware when you open Syncplay, or when you close it? Thanks.

jwfxpr commented 6 years ago

To be clear, I'm not reporting that it's flagging Syncplay per se, it's flagging the installer file before installation. On my Windows 10 PC it was flagged promptly after it finished downloading, and again when I attempted to open it. Since I frankly can't find any way to verify the installer on the website (hashes, signatures, etc, any method at all really) I haven't installed 1.5.0 RC1 at all. I'm sure I'm not the only one with this reaction.

albertosottile commented 6 years ago

Ok. I asked that because, on my Windows 7 system, Avast is flagging Syncplay.exe as IDP.Generic right after I close it. I guess a lot of these issues could be solved by signing the .exe files, but proper certificates are quite expensive.

To mitigate this, I agree that we could put MD5 and/or SHA-256 hashes on the GitHub release page and on syncplay.pl.

FSMaxB commented 6 years ago

Many antivirus products nowadays flag new unknown executables preemptively, even though they don't match any known malware signature or behavior.

This is quite annoying, and neovim also had problems like that. Other than signing executables there's nothing that can be done!

jwfxpr commented 6 years ago

That would certainly be a good step. Since Windows doesn't have any easy way to check hashes, I'd also suggest a link to a trustworthy, lightweight hashing program. Two options I know of are https://www.microsoft.com/en-au/download/details.aspx?id=11533 or https://www.quickhash-gui.org/

I assume it's flagged as a generic threat because of the IRC client components. I can't see much way around that, so I guess it's a matter of mitigation by informing people that they may get the warning.

Et0h commented 6 years ago

Putting hash info on the website is a good idea. I could also note that Softpedia certifies us as 100% spyware, adware and virus free at http://www.softpedia.com/get/Multimedia/Video/Other-VIDEO-Tools/Syncplay.shtml#status if people think they are a trusted source.

Syncplay-1.5.0-RC1-Setup.exe Size: 9,293,396 bytes

---QUICKHASH---
MD5: 54942A82398C94E7EFBE878012F59875
SHA-1: F0539B1E46D3AF24F79C81AF3EF7D11DDC3E2278
SHA256: 03DA84A8C7A59F289CE38A122C9BE43151769C932AEF8582C390196CF908F4E9
SHA512: 038CEBE701E88EE555F5B078F443F11BE93413903A76B617A11EE5F4B12C190322EF3E6394E913DD34E209A9C3ED6FE19762A174592A5788FA19DE35A9E1F01E
xxHash64: E0DAF1710147E57E
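A script that checks a downloaded installer against a published QuickHash-style summary line like the one above, added here as an example; it is not code from this issue or from the Syncplay project. It assumes only the Python 3 standard library: the MD5, SHA-1, SHA-256 and SHA-512 values are recomputed with hashlib, while xxHash64 is not available there and is reported as unverified. The file it hashes in `demo()` is a constructed throwaway file, not the real installer, and the published line for it is generated on the spot; the expected size is passed separately. A match on MD5 alone is deliberately not treated as sufficient, since MD5 collisions are practical; at least one SHA-2 digest has to match and nothing may mismatch.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Labels as they appear in a QuickHash summary line, mapped to hashlib names.
# xxHash64 has no stdlib implementation and is reported as "unverified".
ALGORITHMS = {"MD5": "md5", "SHA-1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_quickhash_line(line):
    """Extract 'LABEL: HEX' pairs from a QuickHash line into {label: lowercase hex}."""
    pairs = re.findall(r"([A-Za-z0-9\-]+):\s*([0-9A-Fa-f]+)", line)
    return {label: value.lower() for label, value in pairs}


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, quickhash_line, expected_size=None):
    """Return {label: 'match' | 'MISMATCH' | 'unverified'}, plus a 'size' entry if given."""
    published = parse_quickhash_line(quickhash_line)
    results = {}
    for label, hexdigest in published.items():
        algo = ALGORITHMS.get(label)
        if algo is None:
            results[label] = "unverified"  # e.g. xxHash64: cannot be checked with hashlib
            continue
        actual = digest_file(path, algo)
        # compare_digest avoids leaking where the strings differ via timing.
        results[label] = "match" if hmac.compare_digest(actual, hexdigest) else "MISMATCH"
    if expected_size is not None:
        results["size"] = "match" if os.path.getsize(path) == expected_size else "MISMATCH"
    return results


def all_verified(results):
    """Accept only if nothing mismatched and at least one SHA-2 digest matched."""
    if any(v == "MISMATCH" for v in results.values()):
        return False
    return any(results.get(k) == "match" for k in ("SHA256", "SHA512"))


def make_quickhash_line(path):
    """Build a published-style line for a local file (used here to construct the demo input)."""
    parts = [f"{label}: {digest_file(path, algo).upper()}" for label, algo in ALGORITHMS.items()]
    return "---QUICKHASH--- " + " ".join(parts)


def demo():
    """Constructed sample: a throwaway file stands in for the installer (not the real one)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as f:
        f.write(b"constructed sample bytes, not a real installer\n" * 1000)
        sample = f.name
    try:
        size = os.path.getsize(sample)
        # Placeholder xxHash64 value, constructed: it only exercises the "unverified" path.
        good_line = make_quickhash_line(sample) + " xxHash64: 0000000000000000"
        good = verify_installer(sample, good_line, expected_size=size)
        # Simulate a tampered or corrupted download: the published SHA256 no longer matches.
        tampered_line = re.sub(r"SHA256: [0-9A-F]+", "SHA256: " + "00" * 32, good_line)
        bad = verify_installer(sample, tampered_line, expected_size=size)
    finally:
        os.remove(sample)
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("intact download:", good, "->", "OK" if all_verified(good) else "REJECT")
    print("tampered line:  ", bad, "->", "OK" if all_verified(bad) else "REJECT")
```

Two caveats worth keeping in mind when publishing hashes this way. First, hashes served from the same website as the download only detect a corrupted or substituted transfer; if the site itself is compromised, the attacker can replace the hashes along with the installer, which is why the thread's later suggestion of a code-signing certificate is the stronger control. Second, on a current Windows system `Get-FileHash` in PowerShell and `certutil -hashfile` produce the same digests without any third-party tool, so the script above is mainly useful where the published line has to be parsed and checked automatically.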

jwfxpr commented 6 years ago

Does Softpedia allow folks to display their certified software badges on their own sites? That may help encourage user trust, along with the hashes and a brief warning that it may be erroneously flagged as malware, to set expectations.

albertosottile commented 6 years ago

I did not find anything on the Softpedia website, besides this sentence here: "Note: this award is offered by Softpedia and can be used only by the developer of the software product that received the award", which, in any case, seems to indicate that we could put that logo on the website.

Et0h commented 6 years ago

Yes, we could mention Softpedia but I don't know if people think of them as a reputable source or not. https://virusscan.jotti.org/en-GB/filescanjob/kypjvdgyyf is also another source which says we are safe and it might be more of an authority as it states which virus scanners were used to determine that the software was clean.

xNinjaKittyx commented 6 years ago

I'd like to add my opinion that Softpedia badges are so overused, and I personally don't see it as meaning anything. Others might think otherwise.

If possible, there should be a solution to prevent syncplay from being flagged in the first place. (I personally don't know how though)

I also like the idea of adding hashes to the download page.

Et0h commented 6 years ago

I've never done this before, but my understanding is as follows: To get past "unknown publisher" notifications in Windows installers one can purchase a GlobalSign Code Signing Certificate which costs $289 a year. However, to get "immediate reputation with Microsoft SmartScreen" one needs the more expensive "Extended Validation" version of the certificate which costs $410 a year. So yeah, probably not going to happen.

In the meantime, I've added the hashes to the website and a link to Jotti. Whether we keep a link to Softpedia or not will depend somewhat on people's views as to whether they think they and/or the average user will see it as a good, bad or neutral thing to advertise us having 100% Free Softpedia status.

Et0h commented 6 years ago

The Syncplay website has now been updated to link people to the Jotti and VirusTotal clean scans of Syncplay and to include the relevant hashes (which are themselves listed in the Jotti/VirusTotal scans to show they are scanning the same as what you downloaded).

I don't want to overplay the Softpedia guarantee for now because, unlike the other services, they do not currently seem to provide details about the engines or procedure they used to come up with the certification. Their website simply saying Syncplay was "tested thoroughly" by Softpedia is a little too vague for my liking.

Thanks to everyone who has provided input on this matter - I'll now consider it closed as the issue has been resolved as far as can reasonably be expected within the constraints of a small-scale non-commercial project.