Open venezuela01 opened 1 year ago
Update: Today someone in the Session community complains about anti-virus software reports Oxen as virus.
@KeeJef
Which AV program was reporting and on which Oxen version?
Which AV program was reporting and on which Oxen version?
If you follow the link in the 2nd comment (https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b), you can see the Oxen version "oxen-electron-wallet-1.8.1-win.exe"
The screenshot also states which AV vendor labels Oxen as a virus, let me know if you need more specific information, I don't have first hand information either, it was reported by someone in the Session community without specific AV program name, I tagged @KeeJef in the community but you might missed that.
Because so many virus scanners are scanning as a false flag this one is going to be hard to resolve, ill try reaching out to some of those providers
Because so many virus scanners are scanning as a false flag this one is going to be hard to resolve, ill try reaching out to some of those providers
Thank you very much.
If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.
I understand the team is busy and has its priorities. If the team's knowledge can be shared with the community, the community can apply the same knowledge and contribute more when the team is unable to free themselves from multiple tasks.
If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.
I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.
If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.
I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.
Understand, thanks for sharing! I'll wait for a week and follow up next Thursday.
Avast and AVG still report Oxen as a virus:
Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef
I'm yet to receive a reply from Avast unfortunately
I'm yet to receive a reply from Avast unfortunately
Thank you very much. Would you mind sharing a bit more knowledge? The last time you contacted Avast about the false alarm for Android sessions, how long did it take to receive a reply, and how long did it take to resolve the false alarm?
I also sent a false positive report to AVG, and I received an email from support@help.avg.com a few days later. I'll upload update if there is any progress.
Avast and AVG still report Oxen as a virus:
Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef
Still haven't received anything back from them, last time i got a response within a week
I received an update from Avast:
Along with the Avast virus specialist, we’ve checked the reported file and changed the threat detection to PUP (potentially unwanted program). The PUP detection is due to lack of compliance with Avast’s clean software policy.
For more information, refer to this article: Avast Threat Labs - Clean guidelines
If you are the owner of the reported file and want to change the detection to clean, feel free to contact us again for a new analysis as soon as the file matches the Avast guidelines.
Thank you for understanding.
I recheck https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1 and I found both AVG and Avast updates the status to PUP (potentially unwanted program)
@KeeJef
Update: both Avast and AVG has responded again and mark the Oxen wallet as valid:
AVAST
Our virus specialists checked the situation again. Based on the findings, the GUI wallet has no violations, but the installed file in resources has the ability to start mining. Wallet detection will be removed, which will be reflected in Avast apps within 24 hours. The detection for the miner executable is evaluated from our side as valid.
Avg
Along with AVG virus specialists, we've checked the reported file. Based on the findings, the detection was removed - https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1. The file is now marked as clean in the AVG virus database. This change may take up to 24 hours to take full effect. Please accept my apology for the inconvenience caused.
I'll contact the rest of false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors
Ok great!
I'll contact the rest of false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors
For the record, AVG recommends that we follow their guidelines:
https://support.avast.com/en-us/article/threat-lab-clean-guideline/#pc
Perhaps some of these guidelines could also be useful for Session/Lokinet as well.
newvirus @ kaspersky.com
Ticket number [KL-2086153]
Modules oxend.exe and oxen-wallet-rpc.exe are relying on RandomX algorithm. Feel free to remove the code no longer in use and the CryptoMiner classification should disappear on it's own. If it doesn't - you can send us the updated build and we can evaluate it on our side.
samples @ eset.sk
[TRACK#656814FD016B]
our detection is based on recognition of mining capabilities in the sofware. Please take into account that it does not matter whether mining is runnable or not, it is sufficient we can recognise the code for it. If only RandomX code in your software is responsible for mining and it is no longer used, it could be removed. If our detection persists after the removal of the code responsible for mining, it would be a false positive. As long as there are mining capabilities detected, the detection is correct from our point of view.
http://mailcenter.rising.com.cn/filecheck_en
Ticket RS20231208101522055421
support @ sophos.com
Ticket 07127730
Update:
I have contacted about 20 different vendors.
Previously, there were about 23 vendors marking the Oxen installer as not clean; now, there are only 8.
This number goes a bit up and down as sometimes anti virus vendors change their database back and forth.
For the remaining 10 vendors marking Oxen as not clean:
For the child files like oxen.exe and oxen-wallet-rpc.exe, there is still more work to do to convince some vendors to update their database.
The last good news is that I have learned some useful experience in communicating with anti-virus vendors. Hopefully, we won't need that skill in the future, but it would be beneficial if we follow those guidelines in the future for Session releases and Lokinet releases, even if we are going to abandon Oxen. In case there is any unfortunate future false alarm for Session/Lokinet, feel free to subscribe me to a GitHub issue, and I'll be glad to volunteer to contact anti-virus vendors.
Thanks for your work on this @venezuela01 🙏
@KeeJef @jagerman
Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again for once the next maintenance release is out.
@KeeJef @jagerman
Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again for once the next maintenance release is out.
Yes, i believe we tried to remove some of this code from the wallets in a previous release? I think its worth you have a look into @venezuela01
@KeeJef @jagerman Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again for once the next maintenance release is out.
Yes, i believe we tried to remove some of this code from the wallets in a previous release? I think its worth you have a look into @venezuela01
I took a quick look at the code and can confirm that the RandomX code is still present in the current Oxen-core codebase. I believe this is necessary for the testnet/devnet when developers occasionally need to bootstrap the network from scratch again. (That's why I was considering disable them only for release build but keep them for debug build.)
I tried a quick hack to completely remove the RandomX library dependency from Oxen-core. However, several antivirus engines from https://www.virustotal.com/ still report flags such as miner
or cryptonote
. I tried to reverse-engineer their rules by scanning individual libraries rather than the whole binary executable but failed to identify a useful pattern. It seems they use a combination of rules to detect Cryptonote rather than relying on simple characteristics like linker symbols.
Conclusion: I no longer believe there is an easy way to automatically convince antivirus systems to remove the miner
or cryptonote
flags with minimal code changes in Oxen-core. I withdraw my original proposal. I think contacting them manually whenever there's a false alarm (like malware
or virus
) might be an easier approach. (And accept the fact in case they insist on flagging with miner
or cryptonote
)
(However, the clean guidelines for the installers suggested by antivirus vendors are still valid, which is a separate topic.)
Hmmmm okay, thanks for the info, fortunately this should be less of a pressing concern in the future as the Session token migration occurs
There are Windows users reporting that their antivirus software mislabels multiple version of oxend.exe as Trojan/CoinMiner.dr
Antivirus software homepage: https://www.huorong.cn/
I guess oxen-core shares some code with Monero, and Monero was common used for coin miner viruses, as a result, Antivirus software detects similar code fingerprints from oxend.exe and misclassifies it as a coin miner virus.
I'm asking the user to upload oxend.exe to https://www.virustotal.com/gui/home/upload, will update this ticket later.
See also: https://github.com/oxen-io/session-android/issues/1268