UncleGoogle / galaxy-integration-humblebundle

Humble Bundle integration for GOG Galaxy 2.0
GNU General Public License v3.0
184 stars, 19 forks

humble_v0.11.0_win.zip flagged for Trojan.Cometer.cmb by Jiangmin scanner at VirusTotal #188

Closed mwarrenus closed 1 year ago

mwarrenus commented 2 years ago

Describe the bug: VirusTotal's run of the Jiangmin scanner flagged humble_v0.11.0_win.zip as containing Trojan.Cometer.cmb.

Expected behavior: Downloadable releases of the Humble Bundle plugin for GOG Galaxy should have a clean VirusTotal scan prior to posting.

Plugin installed: Manually, from the releases page of the UncleGoogle/galaxy-integration-humblebundle repository.

Provide logs: Please see the VirusTotal scan report for humble_v0.11.0_win.zip.

Edit: Perhaps the VirusTotal GitHub Action could be used to automate this check.

UncleGoogle commented 2 years ago

@mwarrenus thanks for the report!

I see 2 possibilities:

  1. false positive
  2. one of the dependencies contains an encrypted trojan (yes, I didn't lock dependencies, so it was possible that a malicious actor updated one of the dependencies of the direct dependencies)

I'm marking this release as potentially dangerous to discourage from downloading.


Please help me with finding the culprit file -> if you have such option in VirusTotal (isolated sanbox ect.).

UncleGoogle commented 2 years ago

@SilmorSenedlen and @SparrowBrain -- making you, as you already reacted with emoji to that release. My recommendation is to remove / downgrade.

@mwarrenus did you ever use older plugin releases without antivirus complaints?

SparrowBrain commented 2 years ago

Thank you so much for the heads up! Gonna remove for now. Overall really like the plugin, thanks for all the work!

Theblockbuster1 commented 2 years ago

I suspect that it may just be a false positive as only one antivirus has detected malware.

SilmorSenedlen commented 2 years ago

My recommendation is to remove / downgrade.

Thx for info.

SparrowBrain commented 2 years ago

ESET scan didn't detect any issues

Dr-Flay commented 2 years ago

You can guarantee it is a false positive. When a Chinese AV that is designed to think everything is a threat flags something, but none of the trustable AVs see a threat, you can have faith it is fine. If Bitdefender, Avira, Kaspersky, ESET and Malwarebytes detected something, then it is worth worrying.

Ozzuneoj commented 1 year ago

> @SilmorSenedlen and @SparrowBrain -- making you, as you already reacted with emoji to that release. My recommendation is to remove / downgrade.
>
> @mwarrenus did you ever use older plugin releases without antivirus complaints?

Just curious... is there any update to the status of this? Should 11.0 still be avoided? Thank you.

Theblockbuster1 commented 1 year ago

@Ozzuneoj In my opinion it should be completely safe, I'm using it and I seem to be doing fine. It's up to you of course, but I'm quite certain that it's just a false positive. If 59 out of 60 antiviruses say that it's safe, I'm not going to listen to the 1 that says otherwise, especially if it's just from some company which I've never heard of.

Bertaz commented 1 year ago

This is a false positive. The modified files between 0.10.1 and 0.11.0 are only these: 3 text files with no malicious edits and 1 binary file, normalizer.exe. The binary file has a full clear on VT for both version 10.1 and 11.0. This also includes Jiangmin.

Imo the solutions are only two:

  1. Report the false positive on the zip file to Jiangmin (looking online, the procedure appears to be to send an email with the file to support[at]jiangmin[dot]com[1]). Keep doing this for every obscure AV that flags a false positive in the future.
  2. Close the issue, explaining that detection by less than 10% of VirusTotal vendors with no big AV name (Kaspersky, Microsoft, etc.) is 100% a false positive.

The disclaimer on release 0.11.0 should be removed. @UncleGoogle
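One way to reproduce the comparison described in the comment above, as an added example that is not the project's own code: it hashes every member of two release zips and reports only the files that were added, removed or modified, so each one can be reviewed or looked up by hash on VirusTotal individually. The archive contents are constructed in memory; the file names are illustrative except normalizer.exe, which the thread mentions.

```python
"""Added triage example (not the plugin's own code): hash every member of two
release zips and list which files were added, removed or modified, so only
those need individual review or a VirusTotal hash lookup. The two archives
at the bottom are constructed in memory as sample input."""
import hashlib
import io
import zipfile


def member_hashes(zip_bytes: bytes) -> dict[str, str]:
    """Map each archive member path to the SHA-256 of its contents."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_archives(old_zip: bytes, new_zip: bytes) -> dict[str, list[str]]:
    """Classify members as added, removed or modified; unchanged ones are dropped."""
    old, new = member_hashes(old_zip), member_hashes(new_zip)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def build_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {path: content} (for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-ins for the 0.10.1 and 0.11.0 release archives; file
# names are illustrative except normalizer.exe, which the thread mentions.
OLD_RELEASE = build_zip({"plugin.py": b"v1", "manifest.json": b"0.10.1",
                         "normalizer.exe": b"MZ-sample", "old_helper.py": b"x"})
NEW_RELEASE = build_zip({"plugin.py": b"v2", "manifest.json": b"0.11.0",
                         "normalizer.exe": b"MZ-sample", "CHANGELOG.md": b"0.11.0"})

if __name__ == "__main__":
    for kind, paths in diff_archives(OLD_RELEASE, NEW_RELEASE).items():
        print(f"{kind}: {paths}")
```

Members whose hash is unchanged between releases (here normalizer.exe) drop out of the report, which is exactly the case where an earlier VirusTotal verdict on that file still applies.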

UncleGoogle commented 1 year ago

Ok, closing then, thanks for all your reviews!

I'll also lock dependencies and update them in separate releases or commits, so in the future similar cases will be easier to check.