HFS2 triggering a lot of false positives on VirusTotal

[greatwolf]

A recent scan is triggering 16 different AV: https://www.virustotal.com/gui/file/42d14f9efe83cd9d695d0796232bd6e12d276c1262b6cf39d31cfcf64e128f11/detection

Can anything be done about this?

[rejetto]

It seems that HFS has been used as tool inside malicious activities, so several AV are considering it a possible clue of such activity. They don't know/care that YOU downloaded it for YOUR purpose.

I guess that one possible thing to do is that people report it as a false risk.

btw, did you consider HFS3 ?

[greatwolf]

yea I'm currently trying HFS3 out too. I just don't like how much bigger it is compared to HFS2 because of the used of node.js

[rejetto]

I see. Just for sake of information, the server itself is 2.5 MB, of which more than half (1.5 MB) is the administration gui, the rest is node.

[Ptit-Philou]

I suggest to stop using HFS 2, as it can be easily hacked and you might loose your data and computer... I reported an issue, as my server has been attacked : I was lucky not to loose files and control. Just stop using HFS 2 : HFS 3 works fine, heaven if node.js is fat... :-)

[DRSDavidSoft]

@Ptit-Philou Same, I was lucky I didn't loose any files! Russian m****rs installed Keyloggers and RATs through HFS on two of my servers that were running HFS2. This could have ended much, much worse due to the fact that by default Windows Server comes with the Administrator account. I should have created a lower privilege account for HFS. Lesson learned the hard way! 😄

[DRSDavidSoft]

It appears the installed malware were a variety of these:

• https://threatcop.com/blog/smugx-phishing-campaign/
• https://blog.polyswarm.io/luca-stealer

We're VERY lucky that the files weren't affected or damaged! Hopefully (at least as it appears) the hackers only resorted to install the RAT and these stealers on the server. We should ALL nuke the affected Windows machines and re-install everything from scratch. Backup everything.

[Ptit-Philou]

Not sure about Russia : it could come from Asia too... ;-)

[DRSDavidSoft]

I saw Chinese IPs in logs as well, but the successful infection is/was communicating with Russian-based web hosting. The attackers themselves might reside in other Cyrillic-speaking countries. In my experience, Chinese hackers usually use outdated/well-known attack vectors but Russian ones use bleeding edge exploits. 🤷🏻 Ah well, doesn't really matter where it came from, the important thing is that we were lucky that the files weren't damaged. We can always change leaked/compromised security keys and APIs later.