1.5.2 Detected as malware

[Presac]

More specifically, my antivirus (Bullguard) detects is as a malware: Trojan.Generic.22695465 I can still run version Beta 1.4.2 without problem.

[Plytas]

Same here. Got 1.5 working fine, when updating to 1.5.2 nod32 detects it as generik.leeakmq

[Travis6817]

Windows defender on Windows 10 detecting 1.5.2 as Trojan Win32/Bitrep.A and Trojan Win32/Triggre!plock Reference imgur images: 1 2

[t-v]

same thing

[eagle79]

Also being flagged by Norton. Detected as Trojan.Gen (https://www.symantec.com/security_response/writeup.jsp?docid=2010-022501-5526-99)

[jacob-keller]

I'm also seeing this.

[good-live]

https://www.virustotal.com/de/file/8b05963e50917a2179d77bca8696d86a80cfcdc0c7f8cf1684dfcd8562354d62/analysis/1514105605/

[KairuByte]

I haven't looked through the new code since it was released, but these appear to be potentially false positives. They are all identifying LaunchBuddy as Generic Trojans, not as a specific trojan.

That said, there is likely something going on with the auto download of new updates alongside the crash log analyzer that is causing this to be flagged, and some work could be done to prevent the false positive.

[jacob-keller]

This is quite annoying because windows defender doesn't seem to honor the request to ignore it and unquarantine it. This results in continual deletion of the binary. I haven't found a way to tell windows defender to allow it permanently.

On Dec 28, 2017 8:07 AM, "KairuByte" notifications@github.com wrote:

I haven't looked through the new code since it was released, but these appear to be potentially false positives. They are all identifying LaunchBuddy as Generic Trojans, not as a specific trojan.

That said, there is likely something going on with the auto download of new updates alongside the crash log analyzer that is causing this to be flagged, and some work could be done to prevent the false positive.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/TheCheatsrichter/Gw2_Launchbuddy/issues/56#issuecomment-354312032, or mute the thread https://github.com/notifications/unsubscribe-auth/AA1Y30jYlwykAu0kz49vesHnuFhUqpi8ks5tE7zTgaJpZM4QzWUD .

[KairuByte]

I'm assuming you've attempted this: https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-defender-antivirus

That said, I'll see what can be done. If I can get a decent auto updater in place to keep with the clean approach that is not detected as a trojan, I'll push the code. If I can't, I'll likely roll back to the old update method... which I hated, but hey it didn't break things!

[jacob-keller]

Yea that's what I tried, and it works for a day or two, and then it detects it as a different "generic" trojan, and deletes it again.

On Thu, Dec 28, 2017 at 4:56 PM, KairuByte notifications@github.com wrote:

I'm assuming you've attempted this: https://support.microsoft.com/ en-us/help/4028485/windows-10-add-an-exclusion-to-windows- defender-antivirus

That said, I'll see what can be done. If I can get a decent auto updater in place to keep with the clean approach that is not detected as a trojan, I'll push the code. If I can't, I'll likely roll back to the old update method... which I hated, but hey it didn't break things!

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/TheCheatsrichter/Gw2_Launchbuddy/issues/56#issuecomment-354382055, or mute the thread https://github.com/notifications/unsubscribe-auth/AA1Y3yRDko4Fji2o5WyCEH7r0DwCJ_h6ks5tFDjQgaJpZM4QzWUD .

[KairuByte]

It appears the updater alone is not the main problem, it's likely an interaction between different sections of the code causing the false positive.

This release which is based off an admittedly older version (1.4.2) should have some improvements over 1.4.2 but will not have the features of 1.5+. It also registers as Trojan.Win32.Generic on only 2 of 67 scanners.

You can use that version if you are willing to deal with a different (and lesser) feature set than 1.5+ as well as more bugs (the code is incomplete, essentially alpha).

If enough people use it and report any bugs I can look into getting it "complete" and pulling in 1.5 features, checking virustotal along the way.

[Presac]

Can we somehow figure out which addition gets is detected as a virus?

https://github.com/TheCheatsrichter/Gw2_Launchbuddy/compare/1.4.2...1.5

[KairuByte]

Do you mean which binary? Throw it in virustotal and look at the results.

If you mean specifically which piece of code, that is much more difficult.

The way viruses are found is by scanning the file for patterns in the code that either match an existing virus or in the case of launchbuddy “looks suspicious”, meaning that it has the potential to do bad things. Sounds easy enough to fix, just change the code to not match the pattern. The problem is that we don’t have a way to tell which section of code is the problem. And simple unrelated changes can cause more or fewer hits. For example the current alpha release of the refactor branch only shows 2 hits on virus total, but I made some changes and the next commit had 3 hits.

There are ways to whitelist the application with the majority of the scanners but it’s not a fast process and my understanding is that it would need to be done every release.

[TheCheatsrichter]

Main focus might be on the Versionswitcher and the Crashanalyser as these commits had the biggest impact between the versions. I compiled a few versions with small codes differences and let Virustotal check them however without success. As the refactor branch at some point will be merged with the master branch I currently will wait until I have tested it vs known issues and to not collide with eventually existing changes which aren't commited yet. After that I will revisit the false possitives and possibly rewrite the crash analyser if needed.

[t-v]

Just wanted to update. With your reupload, it is looking better, but still flagged by one: https://www.virustotal.com/#/url/1c2e873b0a960a03da2bedfcdc5f2755cf8f8758dd2309c2378cb34dfaedb34e/detection

[KairuByte]

That one isnt even slightly descriptive, so I have no idea why it would be throwing it. At least it's an obscure scanner and not a widely used one.

As for the main problem, I think we have likely narrowed down the problem, and a future version should handle it without the need to compile it the way it was to fix the problem (debug vs release).

[t-v]

if it helps more, this is what Windows Defender identifies it as: https://go.microsoft.com/fwlink/?linkid=142185&name=%3CTrojan:Win32/Tilken.B!cl%3E&threatid=%3C2147722740%3E

[t-v]

or a better online scanner: http://nodistribute.com/result/cyO2UGBgVnqED8Y3NMdlR7aT

[KairuByte]

Is that scan using 5.2 or the latest release?

[t-v]

both were the latest release

[Presac]

I currently can't run any version of launchbuddy. The .exe gets blocked in build 1.4.3.a1 and 1.5.2 when I try to build them. Antivirus(Bullguard) notes it as Malware: Gen:Variant.Ursu.80032

[TheCheatsrichter]

Version 1.6 is a merge between Version 1.4.2 and the refactor branch. So far not AV flags

[t-v]

After a few months, I once again pulled a few reports:

• 1.5.3
• 1.6.0
• 1.6.1

And it seems 1.6.1 is still flagging

[Presac]

It is only Avira that flags 1.6.0 and 1.6.1. though. The rest says good for it.

[ReportAnIssue]

As reported in (Launchbuddy Alpha 1.6.1 treated as having Malware #72) my virus checker (Vipre) is still flagging the virus Variant Razy.358320 when I download Alpha 1.6.1 . So it seems no work has been done to rectify this issue. I really don't want to risk my pc so I can't allow the threat without reassurances that it's just a false positive.

[Presac]

The newest version is up to quite a lot of flags again. 1.6.2 23/68 flags

[Presac]

Down to 16/66 now. VirusTotal

[KairuByte]

I just ran some virustotal.com scans of my local build. debug is clean, but it seems something in release is still being detected as a trojan on two engines.

The problem is that when I turn off the debug flag, which means the code should be identical pre compilation, we still see no false positives.

This means that it's literally the code optimization being done between the debug and release versions. TBF this is about as "clean" as the scans are going to get, as it isn't a good idea to push unoptimized code as a release.

That all said, I'm going to close this as a wontfix, mainly because we cantfix.