Closed Darthmineboy closed 8 months ago
Thank You for the Issue. I will try to get to look at it as soon as I can.
I got the same problem! Microsoft Defender constantly flags "docto.exe" as Adware (Adware:Win32/DealPly!MSR) and deletes the file, which causes automatic jobs to silently fail...
Thanks, I'm unsure how to fix this issue.
Adware is a new one, I'm unsure why it would show as adware. Can you add an exception in your Microsoft Defender settings?
Apparently it can be submitted as false positive to help with avoiding this.
https://www.microsoft.com/en-us/wdsi/filesubmission
I will do this, but if anyone else on this thread was willing to do it also it would be very helpful.
Did this right away! Interestingly the status of the submission is now "Rejected" (after only ten minutes or so) - haven't got any emails about it yet. Keeping you updated!
It's kind of wild.
Is it possible that something is creating another version of the file?
My executable definitely isn't doing all these things. It says it's contacting 9 IP addresses? I don't know how that is possible from the code!
Maybe I should check what has changed between 1.8 and 1.9
There seem to be a huge amount of heuristics
I'll try to remove URLs (mostly in comments) from code and resources to see if that improves it
Where is the information with the 9 contacted IP addresses from? That sounds very wild.
If you look at this link posted above
https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070
Ah, I see. From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are windows internal diagnostics and telemetry hosts?
Both Windows Defender and Malwarebytes are flagging 1.9 and 1.10 as Wacatac.B!ml or Neshta.Virus.FileInfector.DDS.
1.8 seems fine.
Also getting flagged by Trellix on my PC, unfortunately.
Same here, Windows just deletes the exe (without warning or any message) after the user interacts with it (execution, help, etc.). 1.8 works fine
This problem occurred when running the program on the second PC, while on the first PC (Windows 10 pro 21H2 19044.1586) version 1.9 runs without problems.
In my case the exe can be stored in a directory without problem, but when I run "docto --help" it shows no info in the console (maybe a new-line symbol), then in 3-5 seconds Windows/Defender deletes the exe file from disk. Windows 10 Pro 22H2 19045.3803 (Windows Feature Experience Pack 1000.19053.1000.0), docto v1.9
I have just released v1.11
I have made a few small changes to see if I can avoid it being marked as a virus, but probably they will have no effect. I'm closing this for now.
works for me! thanks, @tobya!
Has it stopped marking it as a virus for v1.11?
Windows has stopped deleting the exe file after interacting with it (docto --help, for example). Yes, the new 1.11 version. I don't know whether it marks it as a virus or not.
@digitalcoyote if you had a moment to push 1.11 https://github.com/tobya/DocTo/releases/tag/v1.11 to Chocolatey that would be great. The 2 files are docto_32.zip and docto_64.zip, both containing just the docto.exe file
Hopefully this will have some effect on the false positives.
I think it should be set to check for a new release every 12 hours. I'll double check that it is and update here when it's through Chocolatey moderation.
AU picked up the release, it passed verification and is waiting on the virus scan.
Don't use the word macro in your code!
Unfortunately the issue now affects all latest versions incl. v1.12, see https://www.virustotal.com/gui/file/7800b453aa6467e33334a4abee5402038eefe5c902ded4dcd2e075c9285fd9a9/detection
Hi @tobya, please reopen this issue since it seems to be a real issue. To exclude any side effect I downloaded v1.12 from a fresh vanilla Ubuntu container and directly uploaded the file to VirusTotal. https://www.virustotal.com/gui/file/ee5627de949ff6e1454e7c77f33bc94f71e0a6dd997344ff990b91c7f4b5ab2f/behavior
The exe opens connections to IPs which are known to do bad things like brute force or portscans. So I would argue that even if these IPs are in the MS IP range, they could be a non-trustable customer Azure instance. The release executables should be seen as potentially infected.
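As an added example (not code from the DocTo project or from anyone in this thread): a VirusTotal file-report URL embeds the SHA-256 of the analysed sample, so before trusting, re-uploading or arguing about one of the reports linked above you can check offline whether the docto.exe on your disk is byte-identical to the sample that report describes. The script below does that for the report URLs posted in this thread; the version labels repeat how the posters attributed them, the default path `docto.exe` is an assumption, and the bytes used in the self-check are constructed.

```python
"""Compare a local docto.exe against the VirusTotal reports linked in this thread.

Added example, not part of the DocTo project. VirusTotal file-report URLs embed
the sample's SHA-256, so a byte-identical local copy can be recognised offline
without uploading anything.
"""
import hashlib
import re
import sys
from pathlib import Path

# Report URLs posted in this thread, labelled the way the posters attributed them.
VT_REPORTS = {
    "v1.8": "https://www.virustotal.com/gui/file/039be27cc016cc23069f233d96920e530498bbc72b79e0c1ac979d56a9f59cf5",
    "v1.9": "https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070",
    "v1.12 (detection tab)": "https://www.virustotal.com/gui/file/7800b453aa6467e33334a4abee5402038eefe5c902ded4dcd2e075c9285fd9a9/detection",
    "v1.12 (behavior tab, fresh-container download)": "https://www.virustotal.com/gui/file/ee5627de949ff6e1454e7c77f33bc94f71e0a6dd997344ff990b91c7f4b5ab2f/behavior",
}

# /gui/file/<64 hex chars>, optionally followed by a tab such as /detection or /behavior
_VT_FILE_URL = re.compile(r"/gui/file/([0-9a-fA-F]{64})(?:/|$)")


def vt_hash_from_url(url: str) -> str:
    """Extract the SHA-256 a VirusTotal file-report URL refers to (lower-case hex)."""
    m = _VT_FILE_URL.search(url.strip())
    if m is None:
        raise ValueError(f"not a VirusTotal file-report URL: {url!r}")
    return m.group(1).lower()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def match_against_reports(path, reports=VT_REPORTS):
    """Return (sha256, matching_label or None) for the file at `path`.

    A match means the local copy is byte-identical to the sample behind that
    report; no match means the linked reports say nothing about this copy.
    """
    local = sha256_of_file(path)
    for label, url in reports.items():
        if vt_hash_from_url(url) == local:
            return local, label
    return local, None


if __name__ == "__main__":
    # Default path is an assumption; pass the real location as the first argument.
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "docto.exe")
    digest, label = match_against_reports(target)
    if label:
        print(f"{target}: SHA-256 {digest} matches the report posted for {label}")
    else:
        print(f"{target}: SHA-256 {digest} matches none of the linked reports; "
              "search that hash on VirusTotal (or upload) for a verdict on this copy")
```

Run it as `python check_docto.py path\to\docto.exe`. If the digest matches one of the linked reports, the verdicts and sandbox behaviour in that report apply to exactly the bytes you hold; if it does not, you are looking at a different build (or a modified file) and the discussion above does not describe it.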
ok. thanks.
I will see if I can build on a new machine.
If concerned you can use an earlier version or build from source.
Thanks - what would I need to build that from source? Unfortunately my pascal knowledge is from pre windows century 😉 Would be nice to have a brief description how to build and what is needed.
@hi-ko
It builds very easily in any version of Delphi from 7 onwards. I'm fairly sure you could build it with the free community edition of Delphi that you can download from the Embarcadero website.
I'll try to put up a note on the readme on how to build.
thank you @tobya, I'll try that and if there is more how to - even better.
Just realized: embarcadero removed the download for unknown reason ...
I built this on a blank machine: docto_64.zip
Seems to be better
If you have any other scanner please run it through it. @hi-ko
I have released v1.14 which is the same as 1.12 but built on a clean machine.
Thanks for your effort, but I think your assumption was too fast:
if you open your link now, it is marked as malicious. Maybe the tests had not been completed when you checked that report - especially the sandbox tests show network activity to IPs which should not be seen as trustworthy. The question is what is calling home and where this is coming from ...
The behavior is at least not what someone would expect from a simple CLI tool that has no use case to talk to the internet, and 3 of the IPs are reported for portscans.
Since there's a lot of trouble around those ominous addresses, I'm once again stating my above-mentioned theory:
“From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are windows internal diagnostics and telemetry hosts?”
EDIT: Checking the latest “docto.exe” with hybrid-analysis.com gives the following results: https://www.hybrid-analysis.com/sample/4d42b9eea689ec508c295552b4985afb8e29772638888affda4291da2c7175e2/65ce6eeb72c8be5ae2050d12
Indeed, when checking 7z.exe not the same but similar IPs are contacted. The "suspicious" classification is related to the capabilities to modify the user profile, log keyboard strokes and read/modify clipboard. It is possible that the app is classified as malicious because of these far-reaching abilities. I don't know what I can do with this knowledge ...
Thank you both. I think this continues to be a false positive. Which makes me feel better as I don't then have a malware injecting virus on my home machine.
This software does (obviously) connect via COM to Word and Office, and mentions macros in the exe, but this is what it is supposed to do.
I wonder is it simply that the nature of what it does means it rings a lot of bells for scanners.
Hopefully it will still install for some people
Some success: MS seems to no longer handle docto as malware. I submitted a false positive case and they agreed to review the files. Today MS Defender did not complain any more when downloading and executing v1.14!
ep_setup.exe
Submission ID: 4d65d6be-a818-4b45-a82d-*
Status: Completed
Submitted by: **
Submitted: Feb 22, 2024 00:56:25
User Opinion: Incorrect detection
Analyst comments:
We have reviewed the files and added malware detections for them to the next definition update. The latest definition information is available here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
Thank you for contacting Microsoft.
Version 1.15 64bit from May 12, 2024 on VirusTotal:
12/75 security vendors flagged this file as malicious
I wanted to try docto but this scares me.
Same here. We don't use it and were not able to set up a working build from source. The issue may be the Delphi environment using methods and granting permissions which are seen as malicious when compiling. Maybe it's the way it is implemented in Pascal, granting too many permissions. The logic should be reimplemented in Rust or C# following best practices.
12/75 is a lower metric from Virus Total. I know that for a while a lot of apps built with GoLang were hitting the same numbers due to some heuristics with go libraries that were also frequently found in malware (but were themselves innocuous).
That said, if it's a sensitive environment (handling PII/HIPAA/financial data or has access to other restricted environments/data) it's always better to err on the side of caution.
@hi-ko I'm interested in what difficulties you had building from source, it should be very straight forward.
It is unfortunate that it is flagged as malware, but unfortunately I don't have the time to track it down. All I can say is that the source is here on GitHub, showing it's not malicious.
I'm glad it's useful to some.
Describe the bug
Version 1.9 is flagged as a virus by Microsoft Defender and many other vendors: https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070
Whereas version 1.8 is only flagged by 4 insignificant vendors: https://www.virustotal.com/gui/file/039be27cc016cc23069f233d96920e530498bbc72b79e0c1ac979d56a9f59cf5
To Reproduce
Download version 1.9 docto.exe