jcwild / ADRIFT-5

ADRIFT: Adventure Development & Runner - Interactive Fiction Toolkit
BSD 3-Clause "New" or "Revised" License

Windows Defender flags ADRIFT Runner as malware #7

Open dfabulich opened 3 years ago

dfabulich commented 3 years ago

I downloaded http://www.adrift.co/files/ADRIFT5r.zip in Google Chrome, and used it to extract run500.exe. Windows Defender flagged it as malware.


Status: Active
Active threats have not been remediated and are running on your device.

Threat detected: Trojan:Win32/Wacatac.D8!ml
Alert level: Severe
Date: 9/26/2020 11:42 PM
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

I see that I'm not the first person to report that the runner gets flagged as malware, http://forum.adrift.co/viewtopic.php?f=14&t=12652&p=107579&hilit=malware#p107579 but in this case, I don't think Windows Defender is being excessively cautious… it's identified an actual Trojan that matches this file.

(It complains about ADRIFT5Setup.zip as well.)

dfabulich commented 3 years ago

See also #8. Without HTTPS I can't tell whether these files were modified in transit or whether the file is corrupted on the server side. The MD5 of my copy of run500.exe is 97108dffcca9f20430ef5bc47cad7418

BoneDoggo commented 3 years ago

Can confirm, after trying to reinstall after the UI got fucked up. After downloading from the official(?) website in Firefox (Chrome wouldn't let it through), Windows Defender flagged "Backdoor:Win32/bladabindi!ml" and "Trojan:Win32/Spursint.F!cl".

tajmone commented 3 years ago

These are most likely false positives, and many software developers have complained to MS that Defender is flagging their (legitimate) software as the Win32/Wacatac.D8!ml trojan:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/defender-shows-that-our-software-contains/10572dee-514e-4716-90cb-cdc54e1c03c3?auth=1

The problem is that most antiviruses now rely on statistics-based heuristics, which is why most tools using UPX are being flagged as malicious software (UPX is a legitimate packer used by programmers and hackers alike). The fact is that only products by big companies are being whitelisted and excluded from this type of false positive — apparently, signing software with certificates is no longer a guarantee to prevent false positive warnings.

I stopped trusting antiviruses a long time ago, due to the excessive false positives encountered (including on my own products). Often it's sufficient to unpack an executable in order to make the antivirus stop complaining about it, but at other times it's not possible, because some libraries are the trigger.

Open source tools are the first victims of these heuristics, because they don't have the means to invest in certificates, to keep contacting (over and over) antivirus support to notify them of the false positive, and frankly might not even care about it.

Older languages tend to be discriminated against more when it comes to false positives, because of some old components they might be using. In these cases, there isn't really much that can be done, especially if dealing with development tools that are no longer being actively maintained. The fact that MS's own antivirus is flagging a product created by an MS development suite says a lot about how approximate these heuristics are (but the cause might also be the third-party components used by ADRIFT, who knows).

Anyhow, it's a lost battle. Ultimately it's up to us, as end users, to decide which sources we trust, and whether to put our software in the antivirus exclusion list. In any case, even if you exclude a freshly downloaded tool from the antivirus warnings, it doesn't mean that if it's actually malicious software the antivirus won't track it any more ... certain malicious run-time actions would still be blocked, if detected.

kpeamon commented 3 years ago

Thanks Tajmone for explaining this. The problem will never go away, but it is my impression that if ADRIFT users contact their antivirus provider each time they get a false positive, they will fix that specific false positive. For instance, I have BitDefender and told them about the problem with the newest ADRIFT version and they fixed it, so there are no more problems with that version of ADRIFT. I hope (but I am not sure) that the problem is then solved for all users of that specific BitDefender version. If all ADRIFT users do that, then the most popular antivirus software companies will avoid that specific false positive.

dfabulich commented 3 years ago

apparently, signing software with certificates is no longer a guarantee to prevent false positive warnings

ADRIFT5 isn’t even signed with a certificate, and isn’t distributed over HTTPS. I think that would be the first thing to do.

(It doesn’t seem likely, though.)

jcwild commented 3 years ago

[two screenshots, not preserved]

jcwild commented 3 years ago

HTTPS costs money unfortunately. That's difficult to justify when it's just a hobby project.

dfabulich commented 3 years ago

For years, HTTPS used to cost money, but it's free now, thanks to LetsEncrypt. https://letsencrypt.org/

And, yes, I misspoke; Adrift is signed by you, but normally Windows Defender and other antivirus software look for signatures from recognized certificate authorities, and those do cost money, typically from vendors.

I believe the cheapest way to solve this issue completely would be to distribute ADRIFT for free via the Windows Store. You'd need to sign up with a Microsoft developer account, which costs $20 for individuals, as a one-time fee, with no renewal fee.

You would then have to do a bunch of work to get Microsoft to accept your app and allow it on the Windows Store, but once you'd done that work, you'd be assured that Windows Defender wouldn't flag your app as malware.
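The two checks raised above, whether the bytes you received are the bytes the publisher served (the MD5 question, given the plain-HTTP download) and whether the Authenticode signature chains to a root the machine trusts, can both be run locally before deciding what to make of a Defender alert. The script below is an added example, not part of ADRIFT or of this thread. It assumes Windows 10 with the Defender PowerShell module available (it is on stock installs), and the `$ExpectedSha256` value is a placeholder: no reference hash is published on this page, so it has to come from the publisher over a second channel.

```powershell
<#
  Download triage for a file such as run500.exe. Added example, not code from
  ADRIFT or from anyone in this thread. Assumes Windows 10 with the Defender
  module; $ExpectedSha256 is a placeholder for a hash obtained out of band.
#>
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [string]$ExpectedSha256 = ''   # placeholder: fill in from the publisher, not from the same download
)

$file = Get-Item -LiteralPath $Path

# 1. Origin: browsers record the download source in the Zone.Identifier stream
#    (Mark of the Web). An http:// HostUrl means the transfer was unauthenticated,
#    so a hash computed here cannot by itself rule out modification in transit.
$motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) { Write-Host "Mark of the Web:`n$($motw -join "`n")" } else { Write-Host 'No Zone.Identifier stream.' }

# 2. Integrity: compare against a value obtained over a second channel.
$hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
Write-Host "SHA-256: $hash"
if ($ExpectedSha256) {
    if ($hash -ieq $ExpectedSha256) { Write-Host 'Hash matches the published value.' }
    else { Write-Warning 'Hash mismatch: altered in transit, or the published hash is stale.' }
} else {
    Write-Host 'No reference hash supplied; a hash from a single download proves nothing on its own.'
}

# 3. Authenticity: Status 'Valid' means the signature verifies AND the signer's
#    chain ends in a root this machine trusts. 'NotSigned' or 'UnknownError'
#    (typically an untrusted chain) means the signature adds no assurance here.
$sig = Get-AuthenticodeSignature -FilePath $file.FullName
Write-Host "Authenticode: $($sig.Status)"
if ($sig.SignerCertificate) {
    Write-Host "  Signer: $($sig.SignerCertificate.Subject)"
    Write-Host "  Issuer: $($sig.SignerCertificate.Issuer)"
    Write-Host "  Valid : $($sig.SignerCertificate.NotBefore) to $($sig.SignerCertificate.NotAfter)"
}

# 4. What Defender actually recorded for this path: threat name, severity, time.
$hits = Get-MpThreatDetection | Where-Object { $_.Resources -match [regex]::Escape($file.FullName) }
foreach ($d in $hits) {
    $t = Get-MpThreat -ThreatID $d.ThreatID
    Write-Host ("Defender: {0} (ThreatID {1}, severity {2}) first seen {3}" -f `
        $t.ThreatName, $d.ThreatID, $t.SeverityID, $d.InitialDetectionTime)
}
if (-not $hits) { Write-Host 'No Defender detection records reference this file.' }
```

Run it as `.\Triage-Download.ps1 -Path .\run500.exe -ExpectedSha256 <hash from the publisher>`; the `Get-Mp*` cmdlets may need an elevated prompt. The order matters: origin and hash answer "is this the file that was served", the signature answers "who claims to have built it", and only then is the Defender record worth interpreting, since a `!ml`-style heuristic hit on a file whose hash and signature both check out is a different situation from the same hit on an unsigned file fetched over plain HTTP.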

jcwild commented 3 years ago

Wow, I didn't know that, thanks for the link. I'll try and get that set up when I get some free time. :)

I'll look into the Windows Store submission. I've had that mentioned before and meant to check it out.

My code signing certificate comes from Sectigo, and yes, it did cost a lot, including my having to get a notary vouch for my identity. Was a total pain in the backside to get. It's extremely frustrating if that is all for nothing.

tajmone commented 3 years ago

@kpeamon:

but it is my impression that if ADRIFT users contact their antivirus provider each time they get a false positive, they will fix that specific false positive.

I personally don't think that the solution is that users and developers should approach the problem by starting to spend their free time serving corporations for free. Also, there are so many antiviruses out there that it would consume a lot of time. As you can see from the link I pasted, many indie developers are quite angry at having to spend a lot of their time contacting all the different antivirus software producers, again and again, just because they keep flagging their software every so often. The problem with heuristics is that they keep coming up with false positives, again and again, even if you manage to fix the problem once (which is why many developers are fed up with this).

The solution would be to stop using cr*ppy antivirus software that indulges in lazy heuristics and, let's admit, thrives on end users believing they were frequently protected from non-existent viruses (false positives, which I estimate amount to 80% of all detected threats, for people who only download legitimate software and from trusted websites).

I'd rather invest my time and money in free and open source antivirus software (possibly also cross-platform), but the reason you don't see such products is because of the laws that impose the use of certified antivirus software in businesses. Software certification has become just a business in itself, like a "protection tax" you need to pay just in order not to be squashed by big corporations who can have their antiviruses tag your legitimate products as infected — and the problem is that most customers will probably take for true whatever the antivirus program says, without questioning it.

The whole point of free and open source software should be centered around trust (after all, you can see the source code), without falling into the games of corporations who want to enforce their approval/certification/whitelisting, etc.

Let's not forget when Windows released to the world a truly infected Windows update, some years ago. It happened because some components are outsourced to external companies, and one of them got infected. But because MS is a big and trusted corporation, these infected updates managed to slip through.

@dfabulich:

You would then have to do a bunch of work to get Microsoft to accept your app and allow it on the Windows Store, but once you'd done that work, you'd be assured that Windows Defender wouldn't flag your app as malware.

But it wouldn't prevent other antiviruses from flagging it as malicious software. The problem is that many people use third-party antiviruses, which entirely replace Windows Defender.

From my personal experience, I've noticed that some apps I had created in the past were being flagged, and that just recompiling them with an updated version of the language could solve the problem. But applications which depend on old versions of MSVS probably can't solve this except by migrating to a newer version (which might involve lots of refactoring).

@jcwild:

My code signing certificate comes from Sectigo, and yes, it did cost a lot, including my having to get a notary vouch for my identity. Was a total pain in the backside to get. It's extremely frustrating if that is all for nothing.

It won't ever be for nothing, since at least the installer will mention that the software is certified and from a trusted source, but it won't prevent antivirus tools from flagging it at download time — which kind of defeats the whole purpose of the certificate.

I believe the most sensible action is to spread the knowledge of how untrustworthy antivirus software is, by providing practical examples of applications that can be downloaded and which are flagged as "elevated risk trojans", and then providing instructions on how to unpack their binary files via UPX, just to show that after unpacking the antivirus will declare them safe. Once people realize that false positives represent the majority of alerts, and how these falsely increase users' confidence in these tools, providing the illusion of being constantly protected, maybe they will realize that they are being ripped off.

As an example, you can take the free utilities by NirSoft:

https://www.nirsoft.net/

These are well-known and worldwide-trusted tools (most of them standalone) written by a well-known programmer with a good reputation. And exactly because they were created by a good programmer, most of them get flagged as trojans, viruses, etc. In almost every case it's because they are UPX compressed, and you can check it out yourself: unpack the executables and they're no longer flagged. Other times good apps are flagged because they contain some assembly code that leverages CPU-specific instructions to obtain info about the motherboard (antiviruses don't like smart code which they can't control).

jcwild commented 3 years ago

Ok, well, you'll be pleased to know that adrift.co is now HTTPS. :)

dfabulich commented 3 years ago

I downloaded https://www.adrift.co/files/ADRIFT5r.zip today and found that it worked without error when I opened it on Windows 10! (Maybe HTTPS did it?)

kpeamon commented 3 years ago

I downloaded https://www.adrift.co/files/ADRIFT5r.zip today and found that it worked without error when I opened it on Windows 10! (Maybe HTTPS did it?)

Great, please spread the word :)