Closed th3m closed 2 months ago
it ALWAYS decide as malicious unsigned binaries, logic 1 sort
Sure, but previous versions are also unsigned and don't have so many false positives.
v3.8.3 has now 18/75. Even Microsoft flags it now. There should be something in the code that triggers them.
you can recompile and result with the SAME SHA256 hashes, but use 26100.1 sdk and vs 2022 17.10.5, linker has /BREPRO which makes exactly the same executable...
and IDGAF what malicious in installer?
> and IDGAF what malicious in installer?

yeah, only the installer has the problem; simplewall.exe is fine: https://www.virustotal.com/gui/file/4eb079570dd2f60f252417152e7a91decbbb00b070c1c8832e187356f6b5fda9
> it ALWAYS decide as malicious unsigned binaries

I signed "simplewall-3.8.3-setup.exe" with my open source Certum certificate to verify this claim: https://www.virustotal.com/gui/file/9252a0e40404ecb60b0e6a690bcf0960e1e05874e8f2f0b6eefbfd8e125dcc25
@tnodir
aga, installer are very harmful, lol!
> aga, installer are very harmful, lol!

Maybe these lines are suspicious:
```nsis
DeleteRegValue HKCU "Software\Microsoft\Windows\CurrentVersion\Run" "${APP_NAME}"
DeleteRegValue HKLM "Software\Microsoft\Windows\CurrentVersion\Run" "${APP_NAME}"
; Remove "skipuac" entry
nsExec::Exec 'schtasks /delete /f /tn "${APP_NAME_SHORT}Task"'
; Remove "skipuac" entry (deprecated)
nsExec::Exec 'schtasks /delete /f /tn "${APP_NAME_SHORT}SkipUac"'
```
Try to move them to .exe -uninstall
> aga, installer are very harmful, lol!

It depends on the NSIS compiler and applied plugins. Maybe something in these has contained "harmful" code.
@andry81 it is built on the vanilla NSIS installer compiler
@tnodir
DeleteRegValue removes bullshit from registry which can be left, only maybe nsExec::Exec

> Try to move them to .exe -uninstall.

not all apps run as admin!
@tnodir funny, but the 3.8.4 installer was detected by only 2 no-name engines (it was 18), even though I changed absolutely nothing in the installer, don't you find that funny?
Version 3.8.3 is getting a "15/75 security vendors flagged this file as malicious"
https://www.virustotal.com/gui/file/134c36f0aa54691dd9a4b0e2b9bf784186fab90394f720aa05d504330d156cac
Comparing to 3.8.1 and 3.8.2, for example, which both are getting only 2/75 (obviously false positives) https://www.virustotal.com/gui/file/db6c4d0c0228c5b06c081b9cc363cb0ab1524f8ce65ac5c9a28418b138910074 https://www.virustotal.com/gui/file/1b823fd110fd766dd0b0d9858a9850ef883c86d3a4f20dcf7ac4eba7c088ebdc
Is this normal?