lordmulder / LameXP

Audio Encoder Front-End
http://lordmulder.github.io/LameXP

Trojans reported in LameXP-RC11.2021-07-26.Release-Static.Build-2317 and LameXP-RC5.2021-04-22.Release-Static.Build-2305 #100

Closed highqualitymusic closed 3 years ago

highqualitymusic commented 3 years ago

Kaspersky and some others report

• Trojan.Win32.Injuke.esnd in LameXP of LameXP-RC5.2021-04-22.Release-Static.Build-2305 and
• Trojan.Win32.Generic (heuristic) in LameXP-RC11.2021-07-26.Release-Static.Build-2317, in detail: lxp_curl.exe and lxp_verify.exe, which are put into the TEMP folder when starting LameXP.exe by its DebugConsole in a CMD window.

The original verify.exe and the curl.exe are free of viruses, I checked them by virustotal.

exe and zip file were downloaded from the link you recommended https://sourceforge.net/projects/lamexp/files/Snapshots%20%28BETA%29/2021-07-26/

To get rid of annoying and "YOU MUST UPDATE ME" I tried these Beta versions.

:-/

Kaspersky AntiVirus (current signature database) reports:

Typ: Trojan
Name: Trojan.Win32.Injuke.esnd
Genauigkeit: Genau
Bedrohungsstufe: Hoch
Objekttyp: Datei
Objektname: LameXP.exe
Objektpfad: C:\Program Files (x86)\LameXP
SHA256: F0B052E06BB4B139712C08B5B63E382AD24180D854BE8B0CEB641A920BF8EEEC
MD5: A1DE7D58430D1231D1B803D902016006

Name: HEUR:Trojan.Win32.Generic
Genauigkeit: Teilweise
Bedrohungsstufe: Hoch
Objekttyp: Datei
Objektname: lxp_curl.exe
Objektpfad: R:\TEMP\2083483c74bb12c4
MD5: D8BF68E5EE7B3EF5AA19BA943C5C55FC

Name: HEUR:Trojan.Win32.Generic
Genauigkeit: Teilweise
Bedrohungsstufe: Hoch
Objekttyp: Datei
Objektname: lxp_verify.exe
Objektpfad: R:\TEMP\2083483c74bb12c4
MD5: 1CD79727442DF5A01967EB872C21551B

I could not check this by virustotal since the TEMP folder is occupied and access denied for a regular admin, and I would need to access/copy these files out of this folder with system or root rights, which I do not dare.

lordmulder commented 3 years ago

👉 http://lamexp.sourceforge.net/doc/Manual.html#anti-virus-notes

Especially note section "Reporting False Positives" in order to understand to whom you need to report this kind of problem.

And please do not cross-post. It is sufficient to bring up each issue once 😏


> HEUR:Trojan.Win32.Generic

Please let me translate this for you:

Conclusion: If you see labels like "Heur(istic)" or "Generic", you can almost certainly ignore the alleged "detection" :bulb:


> The original verify.exe and the curl.exe are free of viruses, I checked them by virustotal.

There is no such thing as "original" versions of verify.exe or curl.exe, other than the ones that ship with LameXP! That is because CodeSign (verify.exe) was created by me, from scratch. It is my own creation. And it is free/libre software, so see the Git repository for details! Furthermore, cURL is free/libre software as well! So any build of cURL is as legitimate or "original" as any other! This, of course, applies to my build of cURL as well. Note that my personal build process for cURL is fully documented here.

When it comes to free/libre software, please get rid of the idea that there is only one "original" binary 😄

Regards.
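The two things a user in this situation can actually do on their own machine are (1) read the scanner's report structurally instead of eyeballing it, separating heuristic/generic labels from named signatures as the maintainer suggests above, and (2) confirm that the file on disk really has the hashes the scanner reported before looking those hashes up or sending a false-positive report to the vendor. The script below is an added example and is not part of the issue, of LameXP, or of Kaspersky's tooling; it assumes the report format exactly as pasted in the issue (German field names, one record per line) and uses the hashes from the issue only as constructed sample input. The "HEUR/Generic means probably a false positive" rule it encodes is the maintainer's rule of thumb from the comment above, not a property of the scanner.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Field names exactly as the (German-language) Kaspersky report in the issue prints them.
KEYS = ("Typ", "Name", "Genauigkeit", "Bedrohungsstufe", "Objekttyp",
        "Objektname", "Objektpfad", "SHA256", "MD5")
_KEY_RE = re.compile(r"\b(" + "|".join(KEYS) + r"):\s*")

# Constructed sample: the three records from the issue, flattened onto one line each,
# which is how they appear after being pasted into the comment box.
SAMPLE_REPORT = r"""
Typ: Trojan Name: Trojan.Win32.Injuke.esnd Genauigkeit: Genau Bedrohungsstufe: Hoch Objekttyp: Datei Objektname: LameXP.exe Objektpfad: C:\Program Files (x86)\LameXP SHA256: F0B052E06BB4B139712C08B5B63E382AD24180D854BE8B0CEB641A920BF8EEEC MD5: A1DE7D58430D1231D1B803D902016006
Name: HEUR:Trojan.Win32.Generic Genauigkeit: Teilweise Bedrohungsstufe: Hoch Objekttyp: Datei Objektname: lxp_curl.exe Objektpfad: R:\TEMP\2083483c74bb12c4 MD5: D8BF68E5EE7B3EF5AA19BA943C5C55FC
Name: HEUR:Trojan.Win32.Generic Genauigkeit: Teilweise Bedrohungsstufe: Hoch Objekttyp: Datei Objektname: lxp_verify.exe Objektpfad: R:\TEMP\2083483c74bb12c4 MD5: 1CD79727442DF5A01967EB872C21551B
"""


def parse_record(line):
    """Split one flattened 'Key: value Key: value ...' line into a dict.

    Splitting on the known key names (rather than on every colon) keeps values
    such as 'HEUR:Trojan.Win32.Generic' and 'C:\\Program Files (x86)\\LameXP' intact.
    """
    parts = _KEY_RE.split(line.strip())
    # parts[0] is whatever precedes the first key (normally empty); the rest alternates key, value.
    return {key: value.strip() for key, value in zip(parts[1::2], parts[2::2])}


def parse_report(text):
    """Parse every non-empty line of a pasted report into a list of records."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Triage a detection by its name, following the maintainer's rule of thumb in the
    comment above: 'HEUR' or 'Generic' labels mark heuristic matches, which are far more
    often false positives than a specific, named signature is."""
    name = record.get("Name", "")
    if name.upper().startswith("HEUR:") or "generic" in name.lower():
        return "heuristic/generic"
    return "named-signature"


def file_hashes(path):
    """Compute SHA256 and MD5 of a file in one pass; upper-case hex to match the report."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return {"SHA256": sha256.hexdigest().upper(), "MD5": md5.hexdigest().upper()}


def matches_report(path, record):
    """True if the file on disk has every hash the record lists, i.e. it really is the
    object the scanner flagged and the same one you would look up on VirusTotal."""
    listed = {k: record[k].upper() for k in ("SHA256", "MD5") if k in record}
    if not listed:
        raise ValueError("record lists no hash to compare against")
    actual = file_hashes(path)
    return all(actual[k] == v for k, v in listed.items())


def demo_hash_check():
    """Self-contained check: a constructed file matches a record built from its own
    hashes and does not match the LameXP.exe record from the issue."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "lxp_sample.bin"
        sample.write_bytes(b"constructed sample bytes, not a real LameXP binary\n")
        own_record = {"Objektname": sample.name, **file_hashes(sample)}
        page_record = parse_report(SAMPLE_REPORT)[0]
        return matches_report(sample, own_record), matches_report(sample, page_record)


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(f"{rec['Objektname']:<16} {classify(rec):<18} {rec['Name']}  "
              f"(Genauigkeit: {rec.get('Genauigkeit', '?')})")
    print("hash check (match, mismatch):", demo_hash_check())
```

Run it as-is to see the three records triaged; to check a real file, call `matches_report(Path("...LameXP.exe"), record)` with the record parsed from your own scanner output. A mismatch there means the file you are about to upload or report is not the one the scanner actually flagged (for example, because the scanner already quarantined or replaced it), which is worth knowing before filing a false-positive report.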

highqualitymusic commented 3 years ago

Thank you for your detailed information! :smiley: :+1: What about the Trojan.Win32.Injuke.esnd?

I think, my cross posting is useful to inform other users who switch to the Beta for the same reason like me or for different ones. False positive alerts are alerts nonetheless, they will happen to other users and will be quite unsettling for them. This will make them avoid beta versions and make them more likely to stick with an old / outdated version. That's exactly what you don't want, isn't it?! It is not easy for the common user to check out and upload these files to virustotal since access is blocked.

lordmulder commented 3 years ago

> What about the Trojan.Win32.Injuke.esnd?

I have no idea. It's just an arbitrary code-name the "anti-virus" vendor has assigned to one of the many thousands of "threats" they have in their database. And only they could tell why this specific one happens to mistakenly match to my software. Provided that they would care to figure out – which, of course, they don't.

Unless the false positive affects a software that has a huge user base which they can't ignore, they will do exactly that: ignore it!

> False positive alerts are alerts nonetheless, they will happen to other users and will be quite unsettling for them.

It will only be unsettling for those users who haven't yet understood that the business model of so-called "anti-virus" software is based on fear and misinformation. About 99.9% of all "alerts" you will ever get from your "anti-virus" software are false positives.

At the same time, the threats that you really should be worried about are those that exploit new vulnerabilities in your operating system or in your web-browser – for which no patch is available yet. Or those threats that get onto your system camouflaged as "system updates", because the software vendor had their update servers hacked once again (yes, Kaseya, I'm talking about you).

No "anti-virus" software in the world will protect you against those kind of threats 😨

> This will make them avoid beta versions and make them more likely to stick with an old / outdated version.

The chance of seeing false positives is not any bigger (or smaller) in "beta" versions than in "stable" versions. In theory, a "stable" version should be deployed on more machines and thus should have a higher chance of ending up on the anti-virus' whitelist. But, in reality, a "hobby" software project like this is way too "insignificant" for any anti-virus vendor to bother... 😩

> It is not easy for the common user to check out and upload these files to virustotal since access is blocked.

Even though the user interface of most "anti-virus" software is a bloated mess, there usually is an option to "unblock" files that have been blocked (or to restore them from "quarantine"). And there also is an option to add those files to the whitelist, so that they won't be blocked again. Sometimes you'll even be able to "send in" files directly from "quarantine" – whatever that means.