aleksey-hoffman / sigma-file-manager

"Sigma File Manager" is a free, open-source, quickly evolving, modern file manager (explorer / browser) app for Windows and Linux.
https://sigma-file-manager.vercel.app

[Problem report] Antivirus False Positive #24

Open danielnichols opened 3 years ago

danielnichols commented 3 years ago

System info:

Problem:

My antivirus (Kaspersky Internet Security) detected the app as a virus when I tried to run it. Both the installer and the installed executable pass any sort of scan, and nothing shows up on virus total, but as soon as I run it, my antivirus terminates the process. Kaspersky described it as Trojan.Win32.Generic, and said that it exhibits behaviors consistent with malware. Further, my antivirus software classed it as a high threat level and deleted it immediately. I believe this detection to be a false positive, however I am hesitant to reinstall the program while this issue persists.

Hopefully this issue can be resolved soon, as I am looking forward to checking it out.

Attached scans: VirusTotal (installer), VirusTotal (installed app executable)

aleksey-hoffman commented 3 years ago

Perhaps it's because the app is new and doesn't have a certificate. Not sure what can be done here. I feel like certificates are a waste of money, especially for open-source apps.

danielnichols commented 3 years ago

Definitely agree with you there. The whole system can be pretty hostile to new apps that are also free, or apps that have just been updated for that matter. Not really sure what could be done about this either, although as this is an electron app, shouldn't it be possible to rebrand the main electron executable without having to actually rebuild it, therefore preserving its signature? (I understand that this wouldn't work for the installer)

danielnichols commented 3 years ago

Actually I just checked and I don't think the executable is pre-signed, so my suggestion won't work.

sylveon commented 3 years ago

Antiviruses ignore certificates because viruses can ship signed. You triggered some behavior-based detection.

aleksey-hoffman commented 3 years ago

Maybe it's triggered by the auto updater? It periodically checks the GitHub API for new updates.

danielnichols commented 3 years ago

Does it immediately check on launch? Because it gets immediately terminated as soon as it runs after installing, and even if I bypass the installer by extracting it manually, it still triggers the AV.

aleksey-hoffman commented 3 years ago

It checks for updates on launch.

If you want to check if it's the auto updater that's causing the problem, you can open the app settings file: `%appdata%\Sigma file manager\app storage\settings.json` (paste it in the default File Explorer URL bar)

And add this line in there at the end:

  "storageData.settings.appUpdates.autoCheck": false

Then save the file and open the app.

danielnichols commented 3 years ago

Just tried that and it still trips the AV.

I've noticed that it also adds a registry entry under `HKEY_USERS\(My SID)\Software\Microsoft\Windows\CurrentVersion\Run`. Does it do this every launch?

danielnichols commented 3 years ago

Ok so I also ran the installer through Kaspersky's Threat Intelligence Portal and it's saying that the file's clean, but it is also listing 16 low-level 'suspicious' activities.

For the installer it's listing:

| Severity | Description | Details |
| --- | --- | --- |
| 100 | Sandbox.SuspiciousEvents.Template.set_fake_file_time | The file time attributes have been changed (13 entries) |
| 200 | Sandbox.SuspiciousEvents.Template.get_privilege | Executable has obtained the privilege (MITRE T1134.003 Access Token Manipulation) |

For Sigma file manager.exe it's listing:

| Severity | Description | Details |
| --- | --- | --- |
| 290 | Sandbox.SuspiciousEvents.Template.autorun | The file has been added to run on system start (MITRE T1112 Modify Registry) |
| 290 | Sandbox.SuspiciousEvents.Template.inject_self_copy | The process has injected binary code into self copy (MITRE T1055.002 Process Injection) |

I don't know if any of these are what's tripping my AV though.
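The sandbox rows quoted in the comment above, parsed into structured records with their MITRE ATT&CK technique references split out so the high-severity ones can be triaged first. This is an added example, not code from the project or from anyone in this thread; the sample lines are constructed from the comment and the `min_severity` threshold is an assumption.

```python
"""Parse Kaspersky Threat Intelligence Portal sandbox 'suspicious events'
rows of the shape quoted in this thread: "<severity> <template> <details>",
where details may end in "(MITRE T1234.567 Technique Name)"."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four rows pasted in the issue, one per line.
SAMPLE_REPORT = """\
100 Sandbox.SuspiciousEvents.Template.set_fake_file_time The file time attributes have been changed (13 entries)
200 Sandbox.SuspiciousEvents.Template.get_privilege Executable has obtained the privilege (MITRE T1134.003 Access Token Manipulation)
290 Sandbox.SuspiciousEvents.Template.autorun The file has been added to run on system start (MITRE T1112 Modify Registry)
290 Sandbox.SuspiciousEvents.Template.inject_self_copy The process has injected binary code into self copy (MITRE T1055.002 Process Injection)
"""

# numeric severity, then the Sandbox.* template id, then free-text details
ROW_RE = re.compile(r"^(\d+)\s+(Sandbox\.\S+)\s+(.*)$")
# optional trailing "(MITRE T1234[.567] Technique Name)" inside the details
MITRE_RE = re.compile(r"\(MITRE\s+(T\d{4}(?:\.\d{3})?)\s+([^)]+)\)\s*$")

@dataclass
class SandboxEvent:
    severity: int
    template: str
    details: str
    mitre_id: Optional[str]
    mitre_name: Optional[str]

def parse_report(text: str) -> list[SandboxEvent]:
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        severity, template, details = int(m.group(1)), m.group(2), m.group(3)
        t = MITRE_RE.search(details)
        mitre_id, mitre_name = (t.group(1), t.group(2).strip()) if t else (None, None)
        if t:  # strip the technique reference so details stay plain text
            details = details[: t.start()].rstrip()
        events.append(SandboxEvent(severity, template, details, mitre_id, mitre_name))
    return events

def noteworthy(events, min_severity=250):
    """Events at or above an assumed severity threshold, highest first."""
    return sorted((e for e in events if e.severity >= min_severity),
                  key=lambda e: e.severity, reverse=True)

def mitre_ids(events):
    """Distinct ATT&CK technique ids referenced by the report."""
    return sorted({e.mitre_id for e in events if e.mitre_id})
```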

danielnichols commented 3 years ago

After a bit of testing I think it's safe to rule out the updater. I pulled the repo onto my PC to build the application locally, and when I ran it the AV still picked it up, which is good because it means I can modify the app to see if I can find the section causing issues. After confirming this I commented out `initAppUpdater()` at `electronMain.js:593`, and after rebuilding the app it still terminated. I should also note that the main window actually does appear for a couple of seconds, but it never gets past the splash screen. Also, the settings file has no entries apart from the line I added earlier, so this might provide some clues as to which part of the program is causing issues.