Closed AJtriple closed 5 years ago
Also have this issue. As posted in Issue#33 https://github.com/gibaBR/Switch-Backup-Manager/issues/33#issuecomment-424632880
This is still an issue, it may be a false positive, but the number of AV that are detecting it is only growing - last I was able to check was somewhere around 8-12 vendors. I can't even unzip the file to upload to virustotal.com anymore, even when I disable all user facing AV controls. I'm not going to try and bypass it further via safe mode. If you could investigate ways to mitigate this, or clear it altogether, that would be appreciated.
The virus detected is also different, now gen:Variant.Razy.394367
Edit: Just in case it wasn't clear, Switch Backup Manager is now completely unusable on my system, despite setting up a number of exclusions and turning off all user facing AV.
I can assure you this is false positive
Last night I spent a few hours deleting potentially suspicious code without success. Even after I removed all logic in the code and ended up with only 2 files remaining (Form.cs and Program.cs, with only empty constructors and nothing else), virustotal.com still yields detection by 8 or 9 AV, which is impossible
But I did find something interesting
I did try renaming some of the class names and methods (FrmMain to FormMain and InitializeComponents to Init) and surprisingly it came up as clean
So I'm guessing that there is some malware out there sharing the same traits and these AV mistakenly treat any app with these signatures as malware
the official 1.1.8 binary is clean https://www.virustotal.com/#/file/609c17856e8a8336d699f0f2fe29492b2416b0b478eadd5c52bea10a28d6dc89/detection
the binary compiled from 1.1.7 source code is now clean https://www.virustotal.com/#/file/bc1fd287f1e171ca991d4be9028ed1a74e4d329e395d7cc863cfe0b2d0c5cd9a/detection (link to the binary) but the binary I made last night using the same base code is still marked as malware https://www.virustotal.com/#/file/147e5232a8489287ef2f62efd5587208d2f0b249170d3e6ed8d8aadba27a0b8c/detection (sorry, didn't make a backup of the exe), although it decreased from 8 to only 2
the official 1.1.7 was detected by 8 or 9 AV last night, and now it's down to only 5. the other ones marked it as clean https://www.virustotal.com/#/file/774dee40ac45d612c4b8ed00ebd7a7bdced4ae7f8f8f152c24339eda76c3bc22/detection
I seriously think the issue is with virustotal.com or those AV now
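The experiment described above (stripping all logic yet staying flagged, then going clean after renaming FrmMain and InitializeComponents) is consistent with a signature that keys on identifier strings rather than on behaviour. The following is an added example, not code from this thread or from Switch Backup Manager: it models such a rule in Python over constructed stand-ins for a .NET metadata strings heap, and shows why it makes a poor detection, since it fires on any program using those common names. The rule, its token list and the sample method names (BackupSaves, ParseXci) are assumptions made for the illustration.

```python
"""Models a brittle identifier-based AV signature of the kind the thread suspects.

The rule, the sample blobs and the token list are constructed for this example;
they are not a real vendor signature and not the project's own code.
"""

# Hypothetical rule: fire when all three identifiers appear in the binary.
IDENTIFIER_RULE = {
    "name": "constructed:winforms-identifier-rule",
    "all_of": [b"FrmMain", b"InitializeComponents", b"Program"],
}


def encodings(token: bytes):
    """Managed assemblies keep metadata names as UTF-8 and user strings as UTF-16LE."""
    return token, token.decode("ascii").encode("utf-16-le")


def matched_tokens(blob: bytes, rule=IDENTIFIER_RULE):
    """Return the rule tokens found in blob, in either encoding."""
    return [t for t in rule["all_of"] if any(e in blob for e in encodings(t))]


def rule_fires(blob: bytes, rule=IDENTIFIER_RULE) -> bool:
    """The rule is a pure AND over identifiers: no behaviour is examined at all."""
    return len(matched_tokens(blob, rule)) == len(rule["all_of"])


def fake_strings_heap(class_name: bytes, init_name: bytes, extra=()) -> bytes:
    """Constructed stand-in for a .NET #Strings heap: NUL-separated identifiers.

    `extra` plays the role of the application's real logic (method names that
    disappear when the code is stripped down to empty constructors).
    """
    names = [b"Program", b"Main", class_name, init_name, *extra,
             b"System.Windows.Forms.Form"]
    return b"\x00".join(names) + b"\x00"


if __name__ == "__main__":
    full = fake_strings_heap(b"FrmMain", b"InitializeComponents",
                             extra=(b"BackupSaves", b"ParseXci"))
    stripped = fake_strings_heap(b"FrmMain", b"InitializeComponents")
    renamed = fake_strings_heap(b"FormMain", b"Init")
    for label, blob in [("full", full), ("stripped", stripped), ("renamed", renamed)]:
        print(f"{label:9s} fires={rule_fires(blob)} matched={matched_tokens(blob)}")
```

Because the verdict is identical for the full and the stripped build, the rule carries no information about what the program does; a detection engineer would treat that as a precision problem in the rule, not as evidence about the binary.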
Either way, the effort you've made to alleviate any worries regarding this are reassuring.
Oh I believe you about it being a false positive, I've just never had my AV (Bitdefender) lock down a file to that degree before. I appreciate the effort you went through to figure out the cause of this, too. Thank you garoxas!
you're welcome, although ideally we find the actual root cause of which part of the code is being flagged as malicious and find an alternative solution, since getting this report every few weeks is getting old 😄
I think you found it when you renamed the class/method names, it was probably hitting a signature as you said. Is 1.1.8 using the renamed classes or has it just fixed itself for now?
1.1.8 was released before I submitted all the changes to Giba (the author of this project) so no renaming was done. That's why I said the issue is with virustotal.com and its AV
This would seem to remain an issue as I try to download 'FortiusANT.exe' with Bitdefender AV
Several antivirus software claim the software is infected by Gen:Variant.Razy.394367 trojan. Can you please reassure it's a false-positive?