AV False Positives (Malware, Riskware, Adware, Virus, Trojan and other BS)

[neoOpus]

After reinstalling Windows and configuring Bluetooth, MS Defender removed it after identifying it as malware (I didn't have time to add it to a whitelist)

Please figure out why it's happening and get it signed now. Even if it's free, some people might not like using it because it might scare them or be taken off their computers.

[neoOpus]

I am unable to download it unless, of course, if I disable MS Defender

[aloneguid]

I can't afford a signing certificate so it's not going to happen. You are free to validate it's not dangerous as source code and build pipelines are completely open and transparent.

[corvus2606]

I can't afford a signing certificate so it's not going to happen. You are free to validate it's not dangerous as source code and build pipelines are completely open and transparent.

What is the cost of a signing certificate?

[aloneguid]

It's about $1.5k for 3 years. Could be less if you shop around. But that won't solve false AV issues, you can still be banned and certificate revoked for no reason. I think realistically one needs a legal team to deal with AV false claims which I apparently don't have. I'd recommend having a read:

• https://weblog.west-wind.com/posts/2016/Oct/05/Dealing-with-AntiVirus-False-Positives
• https://www.autohotkey.com/boards/viewtopic.php?t=87322
• https://steamcommunity.com/app/779590/discussions/0/2572002906839928114/
• https://help.steampowered.com/en/faqs/view/5F3D-1477-AFF9-C4F3
• https://www.linkedin.com/pulse/kaspersky-reasons-false-positives-amirabbas-mahdavi
• https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard
• https://medium.com/@airflow.matt/globalsign-will-revoke-your-codesign-certificate-no-questions-asked-f6ac2bca02c5

And by the way, the last BT version (3.5.0) has only a single AV's claim out of 90, unlike 29 out of 90 for version 3.4.0, so it's totally random trash. I've myself became very pessimistic about usefulness of AV software in general after dealing with this.

[paz]

Kaspersky and Sophos both left BT undetected for me, seems it might be a Microsoft specific issue.

[aloneguid]

it's totally random and changes daily ;)

[GavinFarrington]

Windows Defender (Win 11) just flagged bt-3.5.2 as "threats found" for me.

Detected: Program:Win32/Wacapew.C!ml

[jnv]

Same thing here, BT 3.5.2 was flagged by Microsoft Defender as PUA. It's possible to send files to Microsoft for further analysis: https://www.microsoft.com/en-us/wdsi/filesubmission/ – I urge you to do it if you are affected.

[aloneguid]

Same thing here, BT 3.5.2 was flagged by Microsoft Defender as PUA. It's possible to send files to Microsoft for further analysis: https://www.microsoft.com/en-us/wdsi/filesubmission/ – I urge you to do it if you are affected.

I have used this before, and just submitting for latest version as "incorrectly identified as malware". Will let you know on progress:

[aloneguid]

Analysis on above is still pending but some detections have already cleared out.

[neoOpus]

It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.

[CityguyUSA]

There are 2 different .zip files. A pdb version which downloads fine and non-pdb version that doesn't. What's the difference between the 2?

[aloneguid]

There are 2 different .zip files. A pdb version which downloads fine and non-pdb version that doesn't. What's the difference between the 2?

.pdb version is debug symbols to investigate crashes, you don't need that.

[aloneguid]

It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.

You can permanently allow the "threat" until MS investigates. There are instructions available here.

[aloneguid]

Windows Defender should now be fine, just got analysis results from Microsoft:

[aloneguid]

Also VirusTotal before and after (Microsoft AV is OK now). Hopefully others will follow the suit.

[neoOpus]

It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.

You can permanently allow the "threat" until MS investigates. There are instructions available here.

I have been doing that since the start, but it doesn't stick. That's why I notified you that currently it is allowed and working properly, but it crashes when trying to find updates... I am simply informing you of this, but it is alright if you are unable to resolve these.

[aloneguid]

@neoOpus thanks. Update checks are already fixed and will be out in v3.6. Defender does not block it anymore.

[jnv]

By the way, I reported the false positive to Avast (which also includes AVG), so VT now reports only 11 false positives.

According to their reply, they reclassified BT from malware to PUA, since apparently it doesn't match their "clean software policy" (which, surprisingly, claims signing is preferred but not required):

Thank you for contacting Avast and reporting a false positive detection. We're happy to help.

Along with the Avast virus specialist, we’ve checked the reported file and changed the threat detection to PUP (potentially unwanted program). The PUP detection is due to lack of compliance with Avast’s clean software policy.

For more information, refer to this article: Avast Threat Labs - Clean guidelines

If you are the owner of the reported file and want to change the detection to clean, feel free to contact us again for a new analysis as soon as the file matches the Avast guidelines.

[aloneguid]

@jnv thanks for that, I also raised request with ESET which has reclassified as clean.

[aloneguid]

@jnv I have raised Avast issue separately yesterday, and classification is cleared completely.

[aloneguid]

Also submitted a dispute to McAfee now.

[aloneguid]

And just for fun to Malwarebytes.

[neoOpus]

So far, it worked and I didn't have any issue :)

[jnv]

Unfortunately we're back to 24 false positives for the v3.6.2 installer. Today even Microsoft Defender took down my locally compiled version.

[aloneguid]

Microsoft seems to be happy, but others are not. It will help in long term to vote on VirusTotal community webpage: https://www.virustotal.com/gui/file/7273f03b70a07ab0e1cf96aa4702587ea850b72efbdeef4690bf44bb3edd295b/community

[aloneguid]

AVG and Avast were great help in whitelistimg 3.6.2, we are -2 now.

[cheTesta]

Unfortunately we're back to 18/64

[aloneguid]

14/61 today!

[cheTesta]

18 on the .zip version

[aloneguid]

Down to 11 today:

[aloneguid]

18 on the .zip version

Down to 15 today. ZIP is catching up, as I'm submitting false positives for MSI only, which contains the same binary as zip.

[aloneguid]

10 today.

[Ultrafeel]

https://www.virustotal.com/gui/file/9a6a86a90c1c68423465a4b800f4f2941a92e1f82ed9ea0f4dfb58a641932cef/details

[eiqnepm]

It seems Microsoft doesn't like the latest version as it has been automatically removed from my PC by Windows Defender.

[aloneguid]

Same here, looks like Microsoft needs a ticket for every new version to allowlist it again.

[aloneguid]

Also this is odd, because VirusTotal only reports 4 hits from "bad" AVs

[Ultrafeel]

I think if it was in Dotnet or other IL language it wouldn't have so many troubles. Because it is much easier to analyze than pure x86 instruction set.

[aloneguid]

Yeah, but it would be also super slow and at least x100 bigger in size of downloads and ram.

[mahoromax]

It seems Microsoft doesn't like the latest version as it has been automatically removed from my PC by Windows Defender.

Not only the latest, also 1 or 2 previous - it broke, I installed newer one (deactivated the antivir) but at some point it reactivated... It actually breaks opening links if BT is set as default handle for hyperlinks. Typical Microsoft -.-

Can we whitelist it manually? Or do we need to do that for every version as well?

Edit: Going into the defender history and reverting + adding a manual entry for C:\Program Files\Browser Tamer\bt.exe seems to work - for now. No resetting of default browser or anything needed.

[Ultrafeel]

Yeah, but it would be also super slow and at least x100 bigger in size of downloads and ram.

Is https://github.com/mortenn/BrowserPicker , for example, slow and bloated for you?

[Ultrafeel]

From what I understand from this talk about Windows - BlueHat IL 2023 - David Weston - Default Security https://www.youtube.com/watch?v=8T6ClX-y2AE : maybe turning in UWP and converting msi to MSIX can make help against AV 🤓. One of the issues was mentioned is "over privileged apps".