sharpden / ljarchive

Fork of https://sourceforge.net/projects/ljarchive/
zlib License

What's up with the Virus Total analysis? #1

Open a-raccoon opened 2 years ago

a-raccoon commented 2 years ago

Your build does a crap ton of concerning stuff that the original project doesn't do. You wrote: "It contains minimal fixes to make it work with LiveJournal servers in 2022."

Processes Terminated
%windir%\System32\svchost.exe -k WerSvcGroup 
wmiadap.exe /F /T /R
Processes Tree
 2176 - %windir%\System32\svchost.exe -k WerSvcGroup
 2896 - wmiadap.exe /F /T /R
 2940 - %windir%\system32\wbem\wmiprvse.exe
 2596 - %SAMPLEPATH%

Virus Total rates both of your builds as dangerous. "Behaves like Obfus Ransomware."

sharpden commented 2 years ago

https://www.virustotal.com/gui/file/d256333559108ba67dbd275cf68eb7cd5e7818b0d45b038eb90d5287acf75afe/detection

"no sandboxes flagged this file as malicious"

WER, wmiadap and wmiprvse are standard Windows services.

Yes, 7 AV products including Sophos mark the installer as malicious, and I don't know why. Feel free to build from sources and check your build. PRs that decrease VirusTotal suspiciousness are also welcome.

a-raccoon commented 2 years ago

I'm just trying to understand the sheer extent of changes between the original binary and your "minor revision" that's causing such a major change in malware detection. A few lines of code doesn't normally cause this great of a shift.

Can you paste those few lines of code that you changed, below?

sharpden commented 2 years ago

https://github.com/sharpden/ljarchive/compare/259753fd846e664935e5fbaed1287a8bfe4a47d3...93243e57d9cb94202d4f16970423d572b0b9926b

I have changed .NET from 2.0 to 4.0 for TLS 1.2 support, so the binary has changed significantly.

etfb commented 2 years ago

I was also suspicious of this version, so I downloaded a Windows virtual machine and installed it there. The good news is: it doesn't seem that Citizen Sharpden is a Russian mafioso trying to make a fortune by infecting Livejournal users with ransomware. The bad news is that, like the original version, this program still doesn't work. It claims to be "downloading sync index" and just sits there forever, counting steadily up into the hundreds of thousands despite allegedly only aiming for 5374. I think it was never tested on a blog as large as mine (at least one entry every day for nearly ten years by the time I stopped using LJ and went to Dreamwidth). I plan to leave the VM running, but I don't expect any results. Pity.

sharpden commented 2 years ago

The last two versions were made in response to other users' bug reports. It is not about the size of the blog; it is about anomalies in the IDs sent by the server. For example, if many comments were removed, the server can send an empty response, causing the ljArchive logic to fail to update the download status and go into an infinite loop. Your description looks like the same problem but with GetEvents in Sync.cs. Sadly there is no straight way to debug it without access to such a blog.

Could you please try to run ljArchive under a debugger and tell me if my assumption is correct, so I can fix it with code similar to that in ExportCommentsBody? A new ticket will be fine.
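The failure mode described above, as an added illustration that is not ljArchive's own code: a sync loop that only advances its cursor when a page contains items spins forever once the server starts answering with empty pages, while a loop that treats "no items" or "cursor did not advance" as a stop condition terminates and can report a partial result. `SyncPage`, `NaiveSync`, `GuardedSync` and `FakeServer` are hypothetical names; the 5374 figure is the count quoted in the thread and the server behaviour is constructed.

```csharp
using System;

// Hypothetical stand-in for one server response: how many items it holds and
// the highest item id it covers. Not a type from ljArchive.
public sealed class SyncPage
{
    public int Count { get; }
    public int MaxId { get; }
    public SyncPage(int count, int maxId) { Count = count; MaxId = maxId; }
}

public static class SyncLoopDemo
{
    // Naive loop in the shape the bug report describes: progress is recorded only
    // when a page has items, so an empty page never moves 'lastId' and the same
    // request is repeated forever. 'hardStop' exists only so the demo returns.
    public static int NaiveSync(Func<int, SyncPage> fetch, int expectedTotal, int hardStop)
    {
        int lastId = 0, downloaded = 0, requests = 0;
        while (downloaded < expectedTotal && requests < hardStop)
        {
            requests++;
            SyncPage page = fetch(lastId);
            if (page.Count > 0) { downloaded += page.Count; lastId = page.MaxId; }
        }
        return requests;
    }

    // Guarded loop: an empty page, or a page that does not advance the cursor,
    // is a server anomaly the client cannot make progress on, so stop instead of
    // re-issuing the same request. The caller sees a short count, not a hang.
    public static int GuardedSync(Func<int, SyncPage> fetch, int expectedTotal, int hardStop)
    {
        int lastId = 0, downloaded = 0, requests = 0;
        while (downloaded < expectedTotal && requests < hardStop)
        {
            requests++;
            SyncPage page = fetch(lastId);
            if (page.Count == 0 || page.MaxId <= lastId) break;
            downloaded += page.Count;
            lastId = page.MaxId;
        }
        return requests;
    }

    // Constructed server: advertises 5374 items but only serves ids up to 100,
    // then answers every further request with an empty page.
    public static SyncPage FakeServer(int lastId) =>
        lastId < 100 ? new SyncPage(50, lastId + 50) : new SyncPage(0, lastId);

    public static void Main()
    {
        Console.WriteLine("naive requests:   " + NaiveSync(FakeServer, 5374, 100000));
        Console.WriteLine("guarded requests: " + GuardedSync(FakeServer, 5374, 100000));
    }
}
```

The naive loop runs until the artificial hard stop; the guarded loop exits after the first empty page, which is the point at which the real client should flag an incomplete sync rather than keep counting.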

etfb commented 2 years ago

I'm giving it a try. I had to retarget to .NET 4.8 because VS 2022 won't use anything as ancient (!) as .NET 4.0, but once I did that it built and ran as expected. It's slow of course, running inside a virtual machine, but I can live with that. I'll let you know how I go and if I can find out what's misbehaving.