helge17 / tuxguitar

Improve TuxGuitar and provide builds
Other

Windows Defender Malware? #312

Closed GruNostalgia closed 5 months ago

GruNostalgia commented 6 months ago

Windows 11 Pro 23H2 here. Installed the Windows version: tuxguitar-1.6.1-windows-swt-x86_64-installer.exe. Defender says it picked up malware for tuxguitar-synth-vst.exe. VirusTotal also gives a malware detection.

I'm not new to false positives but this seems extreme. Any clarification would be appreciated, thanks!

guiv42 commented 6 months ago

This one is unexpected; as far as I know this module has been there for a while. Thanks for raising the issue. It really looks like a false positive.

Now, considering this plugin:

So, here's my proposal: keep it simple and be efficient, delete tuxguitar-synth-vst

If users complain I would consider building/delivering it independently, from another repo.

@helge17: what's your opinion?

helge17 commented 6 months ago

In fact, Windows Defender classifies this file as "Trojan:Win32/Wacatac.A!ml" and deletes it.

Only the tuxguitar-synth-vst.exe from version 1.6.1 is classified as malware, not the one from version 1.5.6, 1.6.0 or yesterday's build 2024-03-28-master. I have checked the sources of all versions: They are all identical. "My" versions 1.6.0, 1.6.1, 2024-03-28-master were all built on the same Linux system, so I also think this is a false positive.

I have just sent the file to Microsoft for rescanning. As soon as I hear back, I will let you know.

I also think we should soon remove tuxguitar-synth-vst, but that will only "help" future versions. I would prefer to resolve this issue with version 1.6.1, otherwise I am considering removing this version from the releases.

guiv42 commented 6 months ago

I would prefer to resolve this issue with version 1.6.1, otherwise I am considering removing this version from the releases

OK, clear. In case it cannot be solved and 1.6.1 must be removed, we might as well create a new branch from 1.6.1, remove vst and create a new release from there (whatever we name it, 1.6.2 or 1.6.1.1 or ...). In other words: I don't think the current code base is ready for a 1.6.2.

helge17 commented 6 months ago

Currently, tuxguitar-synth-vst.exe is still classified as malware by Windows Defender. According to common/TuxGuitar-lib/src/org/herac/tuxguitar/util/TGVersion.java, the TuxGuitar version number is limited to three digits, so that the "intermediate version" without vst probably has to be version 1.6.2 and master will become version 1.6.3.

Although I still assume that the alarm is a false-positive, I deleted the Windows version from the 1.6.1 release and left a corresponding note in the release description. I will provide the 1.6.2 packages without vst as soon as possible.

guiv42 commented 6 months ago

OK, thanks. Just a suggestion: if 1.6.2 is equivalent to [1.6.1 without vst], why not deliver 1.6.2 only for Windows? Just to avoid confusion for users of other platforms, where the update has no added value. It's up to you.

helge17 commented 6 months ago

I played around a bit with the TuxGuitar VST plugin and took a look at the code: I don't fully understand how it works, but it opens network sockets, connects to network ports (only on 127.0.0.1?) and loads external DLLs (using Wine on Linux), the "VST plugins" you find on the internet. I suspect these features are why it is classified as malware: it simply does things that Trojans may also do. So the tuxguitar-synth-vst.exe is not infected with any malware, but behaves a bit like a Trojan itself. This is simply how the plugin works.

Just a suggestion: if 1.6.2 is equivalent to [1.6.1 without vst], why not deliver 1.6.2 only for Windows?

I'm not sure whether this would lead to confusion among users: We would then have 1.6.1 for all operating systems except Windows and 1.6.2 only for Windows. And since the VST plugin behaves the same under Windows and Linux, I would also treat all operating systems the same. So I would suggest the following:
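A maintainer-side triage step for the comparison described in this thread (identical sources, yet only the 1.6.1 binary flagged): hash each PE section of two builds of the same executable and list the sections that actually differ. This is an added example, not TuxGuitar project code; the minimal PE builder only constructs test input and its image is not runnable.

```python
# Added example (not TuxGuitar code): compare two builds of a Windows PE,
# e.g. tuxguitar-synth-vst.exe from 1.6.0 and 1.6.1, section by section.
import hashlib
import struct

def section_hashes(pe: bytes) -> dict:
    """Return {section_name: sha256 hex} over the raw data of each PE section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section table after optional header
    out = {}
    for i in range(num_sections):
        entry = table + 40 * i                # each section header is 40 bytes
        name = pe[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, entry + 16)
        out[name] = hashlib.sha256(pe[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return out

def diff_sections(pe_a: bytes, pe_b: bytes) -> list:
    """Names of sections whose raw bytes differ or exist in only one image."""
    ha, hb = section_hashes(pe_a), section_hashes(pe_b)
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))

def build_minimal_pe(sections: dict) -> bytes:
    """Constructed test input: a tiny PE-shaped image with {name: data}
    sections, just enough header for section_hashes() to parse it."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    ptr = e_lfanew + 4 + 20 + 40 * len(sections)   # raw data starts after table
    table, blobs = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIII", name.encode(), len(data), 0, len(data), ptr)
        table += b"\0" * 16                   # reloc/linenum fields, characteristics
        blobs += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs

if __name__ == "__main__":
    import sys
    a, b = (open(p, "rb").read() for p in sys.argv[1:3])
    print("sections that differ:", diff_sections(a, b) or "none")
```

Run it against two release binaries to narrow a build-only difference down to a section (e.g. only .rdata or a resource section changed) before sending a false-positive report.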

guiv42 commented 6 months ago

Thanks for taking the time to perform this analysis. What remains unclear to me is why the vst plugin is identified as malware only in TG 1.6.1. But anyway, that's the way it is...

As you wish for 1.6.2, I really don't know what's best. It's OK for me if you do it like that.

helge17 commented 6 months ago

What remains unclear to me is why vst plugin is identified as malware only in TG 1.6.1.

The ml in "Trojan:Win32/Wacatac.A!ml" probably stands for "machine learning". So the malware detection is based on some AI magic that is not 100% reproducible. Maybe 1.6.1 triggers some more alarms and therefore exceeds certain limits, I don't know.

1.6.2 is now released without the VST plugin, 1.6.1 is source-only.

helge17 commented 5 months ago

Now that the VST plugin has been removed from TuxGuitar, can we close this issue?

guiv42 commented 5 months ago

can we close this issue?

Yes, I think so.