ValdikSS / GoodbyeDPI

GoodbyeDPI — Deep Packet Inspection circumvention utility (for Windows)
https://ntc.party/c/community-software/goodbyedpi
Apache License 2.0

virustotal: 15/65 security vendors flagged this file as malicious #733

Closed andry81 closed 2 weeks ago

andry81 commented 2 weeks ago


Operating system

Windows 8.1

Running as service

I run it as a regular program

Describe the bug

goodbyedpi-0.2.3rc3-2.zip

https://www.virustotal.com/gui/file/37f96b32d050dadcc930a639eba68e1ccd57ed5c04a5f77dfca908f01905a4c5

pretty many malware detections

Additional information

No response

serpen7 commented 2 weeks ago

Kaspersky Not-a-virus:HEUR:RiskTool.Multi.WinDivert.gen

All the rest are heuristics that report that the behavior of the filter, intercepting and modifying traffic, is similar to a trojan, which is logical enough, but they cannot recognize it by signature, so they write generic, agent, suspicious, malicious, riskware. Viruses are also programs, but not everything that is a virus is good. I would say that helpful viruses are a minority. Cracks for games also get flagged as hacktools or trojans, but people have been playing them for years. It all depends on the people who make and use them. Antiviruses are like viruses too, because they use the same virus mechanics, only at the system level worldwide at once, and are recognized as safe because they protect the PC. It's up to you whether to trust WinDivert or not. You can always write your own network filter with a driver, which will also trigger all kinds of heuristics because it interferes with your traffic, modifying it according to your settings.

VirusTotal scans of all exe and dll files, with the sys files from the x86 and x64 folders:

- https://www.virustotal.com/gui/file/e69b5ba3f0cd6cfb2983e442636e7f0b342b61b15264b0328317d4559c82cf50
- https://www.virustotal.com/gui/file/a53ef28f8baca3d256a271aa0a39f02378fad4fedcfbf9b7257f51ff2c174044
- https://www.virustotal.com/gui/file/e69b5ba3f0cd6cfb2983e442636e7f0b342b61b15264b0328317d4559c82cf50
- https://www.virustotal.com/gui/file/88099bc85a0f09aa1ab72eb586494b85e7708fbbbea15c1626240013097063f5
- https://www.virustotal.com/gui/file/625ffdd95bfabff32d0e8a95beabcd303c01c8bba73b90402d4e84d6e15dd8e5
- https://www.virustotal.com/gui/file/29ca5ceb59c9c6993a349e82b1fd46078e6f8a302764153ab84fa22e382fcdca
- https://www.virustotal.com/gui/file/e69b5ba3f0cd6cfb2983e442636e7f0b342b61b15264b0328317d4559c82cf50

Bytsadmin is just a bat script that updates the host list and redoes it. So it definitely downloads a list to you. Obviously.

Just ensure you are downloading from this repository, and not from who-knows-whom and who-knows-where on the internet, because there are many fakes that are disguised true viruses, since many people are starting to use this. The original repository and download of GoodbyeDPI is: https://github.com/ValdikSS/GoodbyeDPI/releases

SUGHuser commented 2 weeks ago

Right, and so it should be, because WinDivert modifies TCP packets to bypass DPI. Simply ignore this and use GoodbyeDPI if you need it ) or, if you cannot ignore this, don't use GoodbyeDPI and have problems from the DPI services of your provider.

ValdikSS commented 2 weeks ago

You need to report the issue to the antivirus vendors, not here, if you're using one of the products and are affected by it.

andry81 commented 2 weeks ago

https://tip.neiki.dev/file/37f96b32d050dadcc930a639eba68e1ccd57ed5c04a5f77dfca908f01905a4c5

andry81 commented 2 weeks ago

> It's up to you whether to trust WinDivert or not. You can always write your own network filter with a driver, which will also trigger all kinds of heuristics because it interferes with your traffic, modifying it according to your settings.

@serpen7 The question is not the false-positive detection itself. More interesting is why it increased so notably:

goodbyedpi-0.2.3rc2.zip
https://www.virustotal.com/gui/file/f081740ce7d0fef4d8e7988347697b37943c3cb14cfcc0a32d22328752d0fef0
3/66 security vendors flagged this file as malicious

serpen7 commented 2 weeks ago

> @serpen7 The question is not the false-positive detection itself. More interesting is why it increased so notably:

because it's heuristics, and WinDivert can:

- capture network packets
- filter/drop network packets
- sniff network packets
- (re)inject network packets
- modify network packets

which basically auto-flags it as a "trojan" on the basis of its capabilities. Especially if it falls into the wrong hands and you download it from who-knows-who and who-knows-where on the internet, where it can become a real trojan.

Heuristics are on high alert for the whole zip package of the program because it's packed. You can unpack it and check the DLLs, SYSs and EXEs yourself on VirusTotal; there will be much less detection.
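As an added, defender-side illustration of the advice above (not code from this thread or from the GoodbyeDPI project): hash each exe/dll/sys inside a release archive so that every component can be looked up on VirusTotal individually, instead of judging only the packed zip. The sample archive, its folder names and its member contents are constructed placeholders, not real release binaries.

```python
"""Hash the individual executables inside a release zip so each one can be
looked up on VirusTotal by SHA-256, separately from the archive container."""
import hashlib
import io
import sys
import zipfile

VT_FILE_URL = "https://www.virustotal.com/gui/file/"
# Member types worth checking one by one: programs, libraries, kernel drivers.
CHECK_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256, the identifier VirusTotal uses in its /gui/file/ URLs."""
    return hashlib.sha256(data).hexdigest()


def hash_archive_members(zip_bytes: bytes):
    """Return [(member_name, sha256, virustotal_url)] for every exe/dll/sys
    member, in archive order; directories and other files are skipped."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(CHECK_SUFFIXES):
                continue
            digest = sha256_hex(zf.read(info))
            results.append((info.filename, digest, VT_FILE_URL + digest))
    return results


def build_sample_zip() -> bytes:
    """Constructed stand-in for a release zip (placeholder bytes, not real binaries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("x64/goodbyedpi.exe", b"placeholder exe bytes")
        zf.writestr("x64/WinDivert.dll", b"placeholder dll bytes")
        zf.writestr("x64/WinDivert64.sys", b"placeholder sys bytes")
        zf.writestr("README.md", b"not a binary, so not listed")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real zip path to hash its members; otherwise use the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    whole = sha256_hex(data)
    print("archive as a whole:", whole, VT_FILE_URL + whole)
    for name, digest, url in hash_archive_members(data):
        print(name, digest, url)
```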

andry81 commented 2 weeks ago

> because it's heuristics, and WinDivert can:

But it existed before the increase in reported detections; what has changed, then?

serpen7 commented 2 weeks ago

> because it's heuristics, and WinDivert can:

> But it existed before the increase in reported detections; what has changed, then?

Because people scan it, and heuristics change the score of their detections based on their signatures, behavior, connection to other signatures or similarities, the popularity of malware that uses this or a similar container to hide within fake versions of this program, and MANY other things. That's how heuristics work. But they do not provide an exact verdict on what the file is if there is no signature, and write things like "malware", "suspicious", "generic", "agent", etc. They are especially triggered if the suspicious file they flag is inside an archive container.

And Kaspersky, which is an antivirus with AI machine learning, cloud analytics and its own lab for analysis, writes a signature saying that it is not a virus but a risk tool if it falls into the wrong hands, like virus makers who can turn it into a real virus and spread fake versions for their bad deeds. Because they clearly analyzed the file/archive/container and gave it their "threat" signature based on their analysis of the container or the files in the container.

Every person on the planet who owns a computer has, in one way or another, "viruses" on their computer in one form or another; it's just that these "viruses" are considered safe and are excluded from the databases as viruses. These viruses can be found in every place where anything intervenes in processes, injects itself, intercepts traffic, modifies it, protects you and your computer, protects games from cheaters, cheats from the cheaters themselves, interferes with system settings and so on and so forth; the list can go on for a very long time. So not every program that behaves like a virus is indeed a virus. Its code and purpose define what it will do, harm or help others.