Is this malicious?

[brsgaming804]

Both browser and antivirus flagged this as malware.

[br45entei]

I've been using it for a month or so and nothing has happened, and I never got any malware warnings from it, so I'm not sure why that's started up now.

[kamronbatman]

Read the source code, and if you TLDR, no.

[LightVR0]

Trojan detected with 360 antivirus. re-write the code, please!

[kamronbatman]

@LightVR0, all unsigned .NET programs that access filesystem or internet will flag as malicious. There is no rewrite possible.

[Nightwing13666]

How can I stop my browser from blocking it from being downloaded?

[kamronbatman]

You can't. You have to go to the downloads section and click keep file.

[rzippo]

@LightVR0, all unsigned .NET programs that access filesystem or internet will flag as malicious. There is no rewrite possible.

This is simply false.

I downloaded and compiled the source and that seems fine, no malware detected. But that doesn't mean the binary released is safe, as it could be compiled from other, malicious source.

I would not trust to execute the binary, unless directly compiled from source.

[kamronbatman]

@rzippo, you obviously don't understand how antivirus heuristics and .Net Software works. If you compiled the app and threw it on some random website then downloaded it, you would get the same false positive.

This happens because the app accesses the hard drive (with no safe guards) directly through a built in C# library. That library is causing the false positive when the file does not originate from the computer it's on. Signing the binary would make the false positive go away.

With that said you are right to not trust anything. Also if there was a virus, I am pretty sure the release would be pulled and/or this repo would be deleted.

Also our other app, PKHex also gets flagged as a virus for the same reason even when it comes from our official teamcity build. So you are definitely full of shit in this case. As a matter of fact I'll call bullshit outright. You find me evidence from the release of exactly what the virus is, whether it is malicious code, bad third party library etc, and then I'll believe you and I'll have suloku pull the release.

[rzippo]

@kamronbatman while I appreciate the attempts at explaining, please reconsider your attitude with passages as "So you are definitely full of shit in this case".

Here are analysis made on the software in the release Mystery Gift Tool 0.1d.exe Gen3 Event Tool 0.1d.exe

The second one, if you look in the community comments, rises an interesting question: why is a open source software compiled with obfuscation? What code is it hiding?

[rzippo]

Here is instead the result on my own compilation from master. Being the same code, with the same behavior and same lack of signature, it should have the same detection ratio. But it doesn't.

[kamronbatman]

So is it malicious?... Probably not. The obfuscation is because the release that was uploaded predates the repo itself. Stupid mistake but it happens. Is the obfuscation causing the false positives, maybe. Does that make it malicious?

So instead of asking @Suloku to rerelease (for an old tool that not many use), you assert that it is malicious. Find out of it is a virus and let me know. The virus total are basic MSIL heuristic flags. None of those are accurate. Quite possibly could be from obfuscation. Find out definitively if it's a virus. Be helpful instead of accusatory.

[kamronbatman]

I contacted Suloku on projectpokemon.org to recompile and rerelease without obfuscation. If he is around and cares then he will do it.

[rzippo]

So is it malicious?... Probably not.

See the issue here is that somehow you're convinced that if there is no proof of being malware, we should totally trust it and run it against all security software's advice. Your trust model is upside down.

Worse, you're suggesting potentially clueless users to execute it anyway, which is a terrible habit to spread. Even if there is nothing but good faith, why do you ask nothing but trust from the users and how is it of any help to them? Why was your answer the only one here, while there is no clear indication on who you are and how are you affiliated with the publisher?

So instead of asking @suloku to rerelease (for a tool nobody cares about), you assert that it is malicious. Find out of it is a virus and let me know, or go away.

I'm not asserting that it is malicious. I'm asserting that security software detects it as malicious and that is in fact a problem you can't just ignore, and nobody should blindly trust and execute software in this state.

That a recompile and rerelease is a potential solution is suggested by the very first result I posted, until which your solution was "there is no rewrite possible".

[kamronbatman]

A recompile because of obfuscation and a rewrite are two separate things. I also know that people were getting virus warnings 2 years ago even with no obfuscation.

Regardless, if suloku doesn't rerelease then I'll fork and release from projectpokemon's GitHub and then update our downloads/forum links. If there are still virus warnings then oh well. Someone can rewrite it if they think that will fix it and make a PR to the new repo.

[kamronbatman]

@rzippo, I created a new repo and released an updated version directly from the source: https://github.com/projectpokemon/Gen3-WCTool/releases/tag/v0.1f Here is the virus total for the recompile (no functional code changes): https://www.virustotal.com/#/file/c89ffb9b367423cbc16dab933a7f81091ab329b73e2205a04dc1c9b4309981ab/detection

EDIT: I have updated the forum post links here I have updated the official download here