kaikramer / keystore-explorer

KeyStore Explorer is a free GUI replacement for the Java command-line utilities keytool and jarsigner.
https://keystore-explorer.org/
GNU General Public License v3.0

kse.exe is getting flagged as malware #442

Closed KeithLRobertson closed 1 year ago

KeithLRobertson commented 1 year ago

Please verify, and work with the security vendor to remove the flag. https://www.virustotal.com/gui/file/3c382806cc8ac3fbeb5076572c6cac663f86b50b18b14bd7ca28326549d0a462/detection

Sorry for opening this as an issue. Didn't see any other way to message you to raise awareness.

kaikramer commented 1 year ago

If 70 people, most of them well known and renowned, tell you one thing and one completely unknown person tells you exactly the opposite, who would you believe? One single detection out of 70 means nothing.

Of course I could simply contact the vendor and they would whitelist KSE, and the Virus Total result would then be completely green. In fact I have done this with exactly this vendor in the past with an older release of KSE.

There are false positive detections on Virus Total after every new release of KSE. Most of the time only 3-4, but sometimes up to 20. And after every release I am contacting those AV vendors and report the false positives. They then check the KSE binaries in their lab - if they have their own lab - or wait for the results from their source lab. After a few days the issue is normally fixed, the new KSE release is whitelisted and the number of detections on Virus Total drops. Sometimes I have to provide more information or am being redirected to a different contact, sometimes it simply takes a bit longer, sometimes there is no reaction at all, but in the end I can usually bring the number of false positive detections for KSE on Virus Total down to zero. And you cannot imagine how time consuming this is. Worst of all: I have to do this not because of an issue in KSE, but because of an issue in the software of an AV vendor.

A few months after a release often a new detection on Virus Total pops up, but at this point it is simply not relevant anymore.

The current version of kse.exe has been out for around 5 months and has been downloaded almost 200.000 times. It has been analyzed in the labs of every major AV vendor by now. KSE is mostly used in corporate environments, where normally rather tight security measures are in place - compared to private PCs.

Also, every KSE release is being built by GitHub in their infrastructure from source code that is completely disclosed. Can you even imagine software where it would be harder to hide malware?

If you care about this one detection, you can report it to the vendor. They have a web form for this purpose: https://www.secureage.com/support/report-false-positive

But this is not an issue of KSE and therefore I am closing this ticket now.

KeithLRobertson commented 1 year ago

Hi Mr. Kramer,

For what little it's worth, I completely agree with you. After I upgraded this excellent tool on my company laptop, kse.exe was flagged by the corporate malware application. I argued with security ops that it was yet another false positive from that application, that they should validate this and allow the application to run. After "careful review", (3 hours later) I received the answer "No" and that I needed to remove it. (The only helpful note was that "the executable is not signed", which leads to the suggestion that signing kse.exe might help.) Of course I have to comply with company policy on the company laptop, so I reported back (with a hint of snark) that I had removed the file and reverted to the prior version which was not invalidly flagged.

I would submit the file as you suggest, but I can't do it from this laptop, as said malware application wouldn't even let me open it. I'll see if I can do it later from my personal laptop.

Once again:

Sorry for opening this as an issue. Didn't see any other way to message you to raise awareness.

I understand now that you're aware of the broader problem, if not this particular instance of it.

Kind regards, Keith

kaikramer commented 1 year ago

Sorry to hear that. The next release of KSE is not too far away though, updating to that version should work again for you.

Signing kse.exe unfortunately does not help as much as I would like it to. There will still be false positives, just not as many. Also, code signing certificates are very expensive, especially the "Extended Validation" (EV) certificates. And only companies can purchase EV certificates anyway. Not so great for open source software...

The macOS version of KSE actually is signed, but I can get the code signing certificate from Apple basically for free and the result is the same as if it was an EV certificate. The certificate is useless for Windows, however.

I am considering signing the exe with a certificate from my own CA. Maybe it helps a bit, maybe not. We will see.

Thanks for your feedback, appreciated.

jpstotz commented 1 year ago

@kaikramer Code signing certificates for open source projects/developers are possible. For example, I know that some developers have a code signing certificate from a CA named "Certum"; the password manager KeePass uses such a certificate. The certificate in this example is issued to "Open Source Developer, Dominik Reichl", but of course such certificates are not free. So a donation system or some sort of sponsoring would be required to make it possible for you to get such a certificate.

kaikramer commented 1 year ago

@jpstotz Normal code signing certificates can be purchased by everyone, but not EV code signing certificates. At work we used to sign our applications, but still had a couple of false positives on VirusTotal after every new release, which is quite logical: if everyone can buy such a certificate, then so can people who write malware.
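The thread turns on two facts a security team can check locally before escalating a single-engine detection: whether the file on disk is byte-identical to the sample VirusTotal scanned (69 engines clean), and whether it carries an Authenticode signature at all. The PowerShell script below is an added example, not code from the KSE project or from anyone in this thread. It assumes the download sits in the user's Downloads folder, and it takes the expected SHA-256 from the VirusTotal URL in the original report; both values are parameters so they can be replaced.

```powershell
# Added example (not part of the KSE project or this thread): before trusting or
# escalating a flagged download, confirm it is byte-identical to the sample that
# was analyzed by the multi-engine scan, and see whether it is signed at all.

param(
    # Assumed path to the downloaded binary (adjust as needed).
    [string]$Path = "$env:USERPROFILE\Downloads\kse.exe",
    # SHA-256 taken from the VirusTotal link in the original report.
    [string]$ExpectedSha256 = "3c382806cc8ac3fbeb5076572c6cac663f86b50b18b14bd7ca28326549d0a462"
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# 1. Hash check: does the file on disk match the sample that VirusTotal scanned?
$actual      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
$hashMatches = ($actual -eq $ExpectedSha256.ToLowerInvariant())

# 2. Signature check. Per the thread this release is unsigned, so NotSigned is
#    the expected status. Valid means an Authenticode signature with a trusted
#    chain; HashMismatch means the file was altered after signing and must not
#    be run regardless of what any scanner says.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

$recommendation =
    if (-not $hashMatches) {
        'SHA-256 differs from the analyzed sample: treat as a different, unanalyzed file'
    } elseif ($sig.Status -eq 'HashMismatch') {
        'Signed content was modified after signing: do not run'
    } elseif ($sig.Status -eq 'Valid') {
        'Trusted signature present: confirm the signer subject matches the expected publisher'
    } else {
        'Unsigned, but identical to the sample scanned by the other engines: judge on release provenance (GitHub-built from public source)'
    }

[pscustomobject]@{
    File            = $Path
    Sha256          = $actual
    HashMatches     = $hashMatches
    SignatureStatus = $sig.Status
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    Recommendation  = $recommendation
}
```

Run it as `.\Check-Download.ps1` (or pass `-Path` and `-ExpectedSha256` explicitly). A hash match tells the reviewer they are looking at exactly the file whose 1-of-70 result is already public; a status of `HashMismatch` is the one outcome that should end the discussion immediately, since it means signed content was tampered with after signing.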