fuhsjr00 / bug.n

Tiling Window Manager for Windows
GNU General Public License v3.0
3.35k stars, 212 forks

antivirus detecting the file as suspicious #185

Closed. eyadsibai closed this 2 months ago.

eyadsibai commented 6 years ago

If you check your bug.n.exe file, it is detected as a malicious file; check virustotal.com.

joten commented 6 years ago

Yes, indeed. I copied the results as of 2018-07-12 below, together with those for the 32-bit Unicode version of AutoHotkey from https://autohotkey.com/download/.

I can imagine that there are some script kiddies writing malware with AutoHotkey; compiling it to an executable results in a file which incorporates the script files and the AutoHotkey executable, which are unpacked to RAM when running the compiled script's executable. Therefore the binary shares a lot of bytes with other compiled AutoHotkey scripts.

Of course, bug.n does use the keyboard hook which comes with AutoHotkey to allow keyboard shortcuts, and it does do some DLL calls, including a shell hook to register newly created and destroyed windows; that could be seen as malicious.

The good thing, though, regarding open source is that you may review the code and recompile the executable. It should result in the same file with the same SHA fingerprint. There is a build script in the tools directory; I use mpress and the 32-bit Unicode version of the AutoHotkey executable to compile bug.n.

SHA256: c1b5d8ead0184afd8c28f7716468f5dd84d869d039bd87c37227d873d957c44f File name: bugn.exe

Antivirus            Result                              Update
Bkav                 W32.eHeur.Virus02                   20180619
CMC                  Virus.Win32.Sality!O                20180619
Cylance              Unsafe                              20180619
Sophos ML            heuristic                           20180601
McAfee               Artemis!A6B95AEA5D0F                20180619
McAfee-GW-Edition    BehavesLike.Win32.SoftPulse.fc      20180619

... and reanalysed with a detection rate of 7 out of 67 (with 60 virus scanners not detecting it as malicious):

Antivirus              Result                              Update
Bkav                   W32.eHeur.Virus02                   20180712
CMC                    Virus.Win32.Sality!O                20180712
Cylance                Unsafe                              20180712
Sophos ML              heuristic                           20180601
Jiangmin               RiskTool.BitMiner.udv               20180712
McAfee-GW-Edition      BehavesLike.Win32.PWSZbot.fc        20180712
TrendMicro-HouseCall   Suspicious_GEN.F47V0619             20180712

SHA256: 18cfbbe2eb182b94eb499837f57c70989c3c80343c99575d577b440f76cefb59 File name: AutoHotkey

Antivirus              Result                              Update
Bkav                   W32.eHeur.Malware12                 20180706
Jiangmin               Trojan.Generic.bxwmv                20180710
TrendMicro-HouseCall   Suspicious_GEN.F47V0604             20180710
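Two local checks that follow from the comment above, as an added example that is not part of bug.n or AutoHotkey: compare a downloaded bugn.exe against the SHA-256 the maintainer published (a rebuild with the same toolchain should hash identically), and read the PE section table to see whether the binary carries packer sections, since an MPRESS-packed executable is the kind of thing heuristic engines react to. The section names `.MPRESS1` and `.MPRESS2` are an assumption about what MPRESS writes and are treated as a heuristic only; the minimal PE image built by `build_fake_pe` is constructed test input, not a real bug.n binary.

```python
"""Verify a downloaded bug.n build and inspect its PE section table.

Added example for this thread, not code from bug.n or AutoHotkey.
Run with a path to check a real file; with no arguments it runs on a
constructed fake PE so the parser can be exercised offline.
"""
import hashlib
import struct

# Hash the maintainer posted in this thread for bugn.exe (2018-07-12).
PUBLISHED_BUGN_SHA256 = "c1b5d8ead0184afd8c28f7716468f5dd84d869d039bd87c37227d873d957c44f"

# Assumed MPRESS section names; a heuristic, not a definitive packer signature.
MPRESS_SECTION_NAMES = {".MPRESS1", ".MPRESS2"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, expected_hex: str = PUBLISHED_BUGN_SHA256) -> bool:
    """True if the bytes hash to the published value (case-insensitive compare)."""
    return sha256_hex(data) == expected_hex.lower()


def pe_section_names(data: bytes) -> list[str]:
    """Parse the PE/COFF section table and return the section names in order.

    Raises ValueError on anything that is not a well-formed PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, n_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff
    )
    table = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(n_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        raw = data[off:off + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def looks_mpress_packed(data: bytes) -> bool:
    """Heuristic: any section named like an MPRESS section is present."""
    return any(name in MPRESS_SECTION_NAMES for name in pe_section_names(data))


def build_fake_pe(section_names: list[str]) -> bytes:
    """Construct a minimal PE image with headers and a section table only.

    Constructed test input: enough for pe_section_names(), not loadable by Windows.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b""
    for name in section_names:
        sections += name.encode("ascii").ljust(8, b"\0") + b"\0" * 32
    return dos + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_fake_pe([".MPRESS1", ".MPRESS2", ".rsrc"])  # constructed sample
    print("sha256:", sha256_hex(blob))
    print("matches published bugn.exe hash:", matches_published_hash(blob))
    print("sections:", pe_section_names(blob))
    print("mpress-style sections present:", looks_mpress_packed(blob))
```

A hash mismatch against the published value does not by itself mean tampering; a different AutoHotkey or mpress version will also change every byte of the output, which is why the comment above ties reproducibility to rebuilding with the same toolchain.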

eyadsibai commented 6 years ago

I understand, but this is preventing me from using it on my daily workstation, unfortunately.

mzomparelli commented 6 years ago

I have previously confirmed that VirusTotal won't trigger for keyboard or mouse hooks. This means that keyloggers may never be reported as a threat.

I suspect it is like you say and is the result of being a compiled AHK. Some bad actors (script kiddies) probably have done as you describe and now all AHK compilations may be reported as a threat. I think it's a combination of the shell hook and being an AHK compilation.

Good work on the project. Maybe at some point you can move it away from AHK.

mrchief commented 6 years ago

You can also reach out to major vendors and get yourself whitelisted.

robcsi commented 5 years ago

I also get the McAfee/Artemis!8263B9CEA245 virus report when unzipping the latest (9.0.2) version zip file. Interestingly enough, the bugn.exe isn't in the directory McAfee reports it is...

Should I just delete the exe file and run the ahk file instead?