Open creesch opened 1 year ago
Dollars to doughnuts, it's due to the packer used. Getting false positives was a fairly common thing with demos for a good while due to that reason. Also explains the extremely low count (less than 7%).
Or maybe he's a master h4x0r who has cracked into a gibson.
This is with the unpacked executable, not the installer. It likely is false positives, figured I'd raise the issue here anyway.
You misunderstand what a packer is. Not a compressed archive (e.g. zip, rar, 7zip, etc.), but a packed executable. Here, skim the info at this link:
https://resources.infosecinstitute.com/topic/top-13-popular-packers-used-in-malware/
Lots of AV software will yell about packers. Packers themselves are not bad. It's much like BitTorrent. BitTorrent is just a method of transferring files; it is often associated with software piracy because it is used extensively by that community, but in itself it has nothing to do with piracy.
Note, I'm just speculating as to the cause, but even if not the correct reason, I'm certain it's not an issue. Aside from the very low count showing detection, I've also already been using it. :)
Ah fair enough. I'll await an official response but a false positive seems likely.
Although I have to point out your last reason is more or less wishful thinking ;)
VirusTotal is a dumb website with a lot of shady antivirus engines, and 4/64 is considered a good score. I already responded to the false positive concern here: https://github.com/milkdrop2077/MilkDrop3/issues/7 Just by changing the icon, I can get more false positives with cheap antivirus software.
MilkDrop3 doesn't require administrator rights, does not connect to the internet, and does not read or write any file outside the MilkDrop3 folder. That means it's a really safe program. It does not get flagged by any good antivirus software (Eset, Windows Defender, Kaspersky etc...). You guys can have fun analyzing and recompiling the source and checking the false positive result.
Just wanted to update as Windows Defender now deleted this .exe for the first time last night, unfortunately. Has anyone else experienced this... Trojan:Win32/Bearfoos.B!ml
Nope. And I just ran windows update to verify latest definitions, and immediately scanned the whole MD3 directory. No issue.
@SNOmad1 What exe? The installer or MilkDrop? What's your Windows version and are you using Chrome?
The MilkDrop exe now has only 2 false positives: https://www.virustotal.com/gui/file/f88e1de2e3d12efa4f49d1b06d83a8a367e86486acfcdf1c9f3521c1740dcb1c just because I signed the exe with a Digital Certificate using DigiCertUti (this is pretty dumb but hey, I have 2 fewer false positives).
But I also signed the installer exe with this same Digital Certificate, because why not, and I went from 0 to 1 false positive: https://www.virustotal.com/gui/file/c2a2f7a6b1bd2b5513a308c05762137914d3e1a237845d76b25a10e1df08a03b
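The packer heuristic raised earlier in the thread and the signing observation above, shown as an added example that is not part of this issue or of the MilkDrop3 project: a small Python script (assumed function names; the PE32 sample images are constructed in the script and are not executable) that walks a PE's section table, scores each section's Shannon entropy, which is the signal that makes packed binaries look suspicious to cheap scanners, and checks whether the Security data directory points at an Authenticode signature.

```python
import math
import struct
from collections import Counter
OPT_SIZE = 224             # PE32 optional header including all 16 data directories
SECURITY_DIR = 96 + 4 * 8  # offset of the Security (Authenticode) data directory inside a PE32 optional header

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ordinary x86 code sits around 5-6.5; packed or encrypted sections approach 8.0."""
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe: bytes):
    """Return ({section_name: raw_bytes}, signed) for a PE32 image; assumes PE32, not PE32+."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)  # COFF header
    cert_off, cert_size = struct.unpack_from("<II", pe, pe_off + 24 + SECURITY_DIR)
    sections = {}
    for i in range(nsec):  # section table follows the optional header, 40 bytes per entry
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, pe_off + 24 + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = pe[raw_ptr:raw_ptr + raw_size]
    return sections, cert_off != 0 and cert_size != 0

def packer_report(pe: bytes, threshold: float = 7.0) -> dict:
    """The two cheap signals behind packer-style false positives: high section entropy and no signature."""
    sections, signed = parse_pe(pe)
    entropy = {name: round(shannon_entropy(data), 2) for name, data in sections.items()}
    return {"entropy": entropy, "authenticode_present": signed,
            "looks_packed": any(e >= threshold for e in entropy.values())}

def build_demo_pe(sections, signed: bool) -> bytes:
    """Constructed, non-executable PE32 image used only as sample input for this example."""
    raw_ptr = 0x40 + 4 + 20 + OPT_SIZE + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + data, raw_ptr + len(data)
    opt = bytearray(OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    if signed:  # point the Security directory at a stub WIN_CERTIFICATE appended after the sections
        struct.pack_into("<II", opt, SECURITY_DIR, raw_ptr, 8)
        body += b"\0" * 8
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_SIZE, 0x102)
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + table + body

PLAIN_CODE = b"\x55\x8b\xec\x83\xc4\x10\xc9\xc3" * 256  # constructed low-entropy "code" (3.0 bits/byte)
PACKED_BLOB = bytes(range(256)) * 8                     # constructed uniform bytes, like a packed section
NORMAL_EXE = build_demo_pe([(b".text", PLAIN_CODE)], signed=True)
PACKED_EXE = build_demo_pe([(b"UPX0", b"\0" * 64), (b"UPX1", PACKED_BLOB)], signed=False)
```

Running `packer_report` on a real build's `MilkDrop 3.exe` (read the file as bytes) shows which sections drive the entropy score; a reported signature only means the directory is populated, not that the certificate chain is valid.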
@milkdrop2077 1) Yes it says affected items \MilkDrop2077\MilkDrop 3.exe Detected Trojan:Win32/Bearfoos.B!ml so the exe, not the installer. 2) Microsoft Windows 10 Pro Version 10.0.19045 Build 19045 3) Yes I run chrome, firefox, brave, opera and edge as browsers for different tasks.
@SNOmad1 can you try the original exe without the digital certificate: https://mega.nz/file/cNNk3TwI#Kp5YCQ5hDGsCOVJcLI5guKf-9xaeKR0IZhsdeyXhzLU thanks!
@milkdrop2077 Absolutely. Yes, trying it now.
@SNOmad1 Let me know!
@milkdrop2077 Excellent news, it is now passing the Windows Security quick scans and I am running a full scan now.
It also passed the full scan : )
Ok thanks @SNOmad1, I've re-uploaded the version without the digital certificate. It's weird because no one complained.
Thank you! I agree it is strange as I have been running it since release without issue and then 3am last night, it was just gone and marked with a severe threat alert when I followed up to investigate.
I used your non-digital-certificate executable file in VirusTotal and it was still detected by 4 antivirus apps ._.
Idk if I have another plan to get rid of false positives!
EDIT: Forgot to share this link: https://www.virustotal.com/gui/file/c9afe176b5cdbc51ceaa19a65c9e33fc1db7b72428fea7e12bbbbc233f2df75c
Use my plan:
Ignore them.
VirusTotal has its uses, but as mentioned before in the thread, not all of the scanners used are particularly reputable. I've personally never heard of any of the four flagging above (and many of the others), but all the ones that I am familiar with show clean. If the only four alerting were, say, ClamAV, McAfee, TrendMicro, and Kaspersky, I might be concerned.
So some paranoid people will refrain from using Milkdrop3. Shrug. I feel like most people who are likely to be interested in MD3 will understand how to identify false positives from VirusTotal. I would rather see time invested working on functionality, features and bugs, than on making a few random unknown virus scanners happy when there's no good reason for them to be angry in the first place. :)
Exactly, people shouldn't care about VirusTotal, like wtf is Rising antivirus? A cheap Chinese knockoff software.
https://www.virustotal.com/gui/file/3245f4f91dcd079afa66ec704984142fca889eef63334c0d72196a1c856c9aa3/detection