tobya / DocTo

Simple command line utility for converting .doc & .xls files to any supported format such as Text, RTF, CSV or PDF
http://tobya.github.io/DocTo
MIT License
450 stars, 53 forks

version 1.9 marked as virus #211

Closed Darthmineboy closed 9 months ago

Darthmineboy commented 1 year ago

Describe the bug

Version 1.9 is flagged as a virus by Microsoft Defender and many other vendors: https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070

Whereas version 1.8 is only flagged by 4 insignificant vendors: https://www.virustotal.com/gui/file/039be27cc016cc23069f233d96920e530498bbc72b79e0c1ac979d56a9f59cf5

To Reproduce

Download version 1.9 docto.exe

github-actions[bot] commented 1 year ago

Thank You for the Issue. I will try to get to look at it as soon as I can.

linusgke commented 1 year ago

I got the same problem! Microsoft Defender constantly flags "docto.exe" as Adware (Adware:Win32/DealPly!MSR) and deletes the file, which causes automatic jobs to silently fail...

tobya commented 1 year ago

Thanks, I'm unsure how to fix this issue.

Adware is a new one, I'm unsure why it would show as adware. Can you add an exception in your Microsoft Defender settings?

tobya commented 1 year ago

Apparently it can be submitted as false positive to help with avoiding this.

https://www.microsoft.com/en-us/wdsi/filesubmission

I will do this, but if anyone else on this thread was willing to do it also it would be very helpful.

linusgke commented 1 year ago

Did this right away! Interestingly the status of the submission is now "Rejected" (after only ten minutes or so) - haven't got any emails about it yet. Keeping you updated!

tobya commented 1 year ago

It's kind of wild.

Is it possible that something is creating another version of the file?

My executable definitely isn't doing all these things. It says it's contacting 9 IP addresses? I don't know how that is possible from the code!

tobya commented 1 year ago

Maybe I should check what has changed between 1.8 and 1.9

tobya commented 1 year ago

There seems to be a huge number of heuristics.

I'll try to remove URLs (mostly in comments) from code and resources to see if that improves it.

linusgke commented 1 year ago

Where is the information with the 9 contacted IP addresses from? That sounds very wild.

tobya commented 1 year ago

If you look at this link posted above:

https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070

linusgke commented 1 year ago

Ah, I see. From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are Windows internal diagnostics and telemetry hosts?

quartzjer commented 1 year ago

Both Windows Defender and Malwarebytes are flagging 1.9 and 1.10 as Wacatac.B!ml or Neshta.Virus.FileInfector.DDS.

1.8 seems fine.

auxym commented 10 months ago

Also getting flagged by Trellix on my PC, unfortunately.

tali-vitali commented 10 months ago

Same here, Windows just deletes the exe (without warning or any message) after the user interacts with it (execution, help, etc.). 1.8 works fine.

Flekon commented 10 months ago

This problem occurred when running the program on the second PC, while on the first PC (Windows 10 pro 21H2 19044.1586) version 1.9 runs without problems.

sergyby commented 9 months ago

In my case the exe can be stored in a directory without problem, but when I run "docto --help" it shows no info in the console (maybe a newline symbol), then in 3-5 seconds Windows/Defender deletes the exe file from disk. Windows 10 pro 22H2 19045.3803 (Windows Feature Experience Pack 1000.19053.1000.0), docto v1.9

tobya commented 9 months ago

I have just released v1.11.

I have made a few small changes to see if I can avoid it being marked as a virus, but probably they will have no effect. I'm closing this for now.

tali-vitali commented 9 months ago

works for me! thanks, @tobya!

tobya commented 9 months ago

> works for me! thanks, @tobya!

Has it stopped marking it as a virus for v1.11?

tali-vitali commented 9 months ago

> works for me! thanks, @tobya!
>
> Has it stopped marking it as a virus for v1.11?

Windows has stopped deleting the exe file after interaction with it (docto --help for example). Yes, the new 1.11 version. I don't know if it is marked as a virus or not.

tobya commented 9 months ago

@digitalcoyote if you had a moment to push 1.11 https://github.com/tobya/DocTo/releases/tag/v1.11 to Chocolatey that would be great. The 2 files are docto_32.zip and docto_64.zip, both containing just the docto.exe file.

Hopefully this will have some effect on the false positives.

digitalcoyote commented 9 months ago

I think it should be set to check for a new release every 12 hours. I'll double check that it is and update here when it's through Chocolatey moderation.

digitalcoyote commented 9 months ago

AU picked up the release, it passed verification and is waiting on the virus scan.

tobya commented 9 months ago

This is more like it:

https://www.virustotal.com/gui/file/55feb423f7bb78dafdaab9bc327b2361716bb8be0da6bcad1cf6ee65c2e53b0f/detection/f-55feb423f7bb78dafdaab9bc327b2361716bb8be0da6bcad1cf6ee65c2e53b0f-1707497173


tobya commented 9 months ago

Lessons learnt:

Don't use the word macro in your code!

hi-ko commented 9 months ago

Unfortunately the issue now affects all latest versions incl. v1.12, see https://www.virustotal.com/gui/file/7800b453aa6467e33334a4abee5402038eefe5c902ded4dcd2e075c9285fd9a9/detection

hi-ko commented 9 months ago

Hi @tobya, please reopen this issue since it seems to be a real issue. To exclude any side effect I downloaded v1.12 from a fresh vanilla Ubuntu container and directly uploaded the file to virustotal. https://www.virustotal.com/gui/file/ee5627de949ff6e1454e7c77f33bc94f71e0a6dd997344ff990b91c7f4b5ab2f/behavior

The exe opens connections to IPs which are known to do bad things like brute force or portscans. So I would argue that even if these IPs are in the MS IP range they could be an untrustworthy customer Azure instance. The release executables should be seen as potentially infected.
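One check worth doing before reading any of the VirusTotal reports in this thread, as an added example (not code from the DocTo project): hash the binary you actually downloaded and compare it with the SHA-256 digests quoted in the thread's links, so the report you read describes the same bytes you have on disk. The labels in the table are this example's own description of where each digest appears in the discussion, and the bytes used by the self-check are constructed, not a real release.

```python
import hashlib
import os
import tempfile

# SHA-256 digests quoted in this thread's VirusTotal links, labelled by
# where they appear in the discussion (labels are this example's, not the project's).
THREAD_HASHES = {
    "d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070": "v1.9 from the opening report",
    "039be27cc016cc23069f233d96920e530498bbc72b79e0c1ac979d56a9f59cf5": "v1.8 from the opening report",
    "55feb423f7bb78dafdaab9bc327b2361716bb8be0da6bcad1cf6ee65c2e53b0f": "posted after the v1.11 release",
    "7800b453aa6467e33334a4abee5402038eefe5c902ded4dcd2e075c9285fd9a9": "hi-ko: latest versions incl. v1.12",
    "ee5627de949ff6e1454e7c77f33bc94f71e0a6dd997344ff990b91c7f4b5ab2f": "v1.12 downloaded in a fresh container",
    "a4684ab182a2e03814cbb5cfe32f91f4322575d922e8826c0d2132987f58f0bf": "v1.12 built on a blank machine",
}

VT_FILE_URL = "https://www.virustotal.com/gui/file/{}"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def identify(digest: str) -> dict:
    """Normalise a digest and report which thread entry (if any) and VT page it matches."""
    digest = digest.strip().lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    return {
        "sha256": digest,
        "seen_in_thread": THREAD_HASHES.get(digest),
        "virustotal_url": VT_FILE_URL.format(digest),
    }


def self_check() -> bool:
    """Constructed sample (not docto.exe): chunked file hashing must match hashing the bytes."""
    sample = b"constructed sample bytes, not a real release\n" * 1000
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(sample)
        return sha256_of_file(path, chunk_size=7) == hashlib.sha256(sample).hexdigest()


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:  # e.g. python verify.py docto.exe
        print(identify(sha256_of_file(arg)))
```

If the digest of your download is not one of the thread's values, you are looking at a different file from the one the report describes, which is the question tobya raised about "something creating another version of the file".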

tobya commented 9 months ago

OK, thanks.

tobya commented 9 months ago

I will see if I can build on a new machine.

If concerned you can use an earlier version or build from source.

hi-ko commented 9 months ago

Thanks - what would I need to build that from source? Unfortunately my Pascal knowledge is from the pre-Windows century 😉 Would be nice to have a brief description of how to build and what is needed.

tobya commented 9 months ago

@hi-ko

It builds very easily in any version of Delphi from 7 onwards. I'm fairly sure you could build it with the free community edition of Delphi that you can download from the Embarcadero website.

https://www.embarcadero.com/products/delphi/starter?utm_source=Google&utm_medium=PPC&utm_campaign=&utm_content=&utm_term=delphi%20community%20edition&gad_source=1&gclid=CjwKCAiAibeuBhAAEiwAiXBoJHjQ9xVwsZtpfv5TKQi91i7NNMunSl8jA0clCjsVD6eB2yfXJj61ORoCJ6AQAvD_BwE

I'll try to put up a note on the readme on how to build.

hi-ko commented 9 months ago

Thank you @tobya, I'll try that, and if there is more how-to, even better.

Just realized: embarcadero removed the download for unknown reason ...

tobya commented 9 months ago

Version 1.12

I built this on a blank machine: docto_64.zip

Seems to be better:

https://www.virustotal.com/gui/file/a4684ab182a2e03814cbb5cfe32f91f4322575d922e8826c0d2132987f58f0bf/details

If you have any other scanner please run it through it. @hi-ko

tobya commented 9 months ago

I have released v1.14 which is the same as 1.12 but built on a clean machine.

hi-ko commented 9 months ago

Thanks for your effort, but I think your assumption was too fast:

If you open your link now, it is marked as malicious. Maybe the tests had not been completed when you checked that report - especially the sandbox tests show network activity to IPs which should not be seen as trustworthy. The question is: what is calling home, and where is this coming from?

The behavior is at least not what someone would expect from a simple cli tool not having a use case to talk to the internet and 3 of the IPs are reported for portscans.

linusgke commented 9 months ago

Since there's a lot of trouble around those ominous addresses, I'm once again stating my above-mentioned theory:

“From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are windows internal diagnostics and telemetry hosts?”

EDIT: Checking the latest “docto.exe” with hybrid-analysis.com gives the following results: https://www.hybrid-analysis.com/sample/4d42b9eea689ec508c295552b4985afb8e29772638888affda4291da2c7175e2/65ce6eeb72c8be5ae2050d12

hi-ko commented 9 months ago

Indeed, when checking 7z.exe, not the same but similar IPs are contacted. The "suspicious" classification is related to the capabilities to modify the user profile, log keyboard strokes and read/modify the clipboard. It is possible that the app is classified as malicious because of these far-reaching abilities. I don't know what I can do with this knowledge ...

tobya commented 9 months ago

Thank you both. I think this continues to be a false positive. Which makes me feel better, as I don't then have a malware-injecting virus on my home machine.

This software does (obviously) connect via COM to Word and Office, and mentions macros in the exe, but this is what it is supposed to do.

I wonder if it is simply that the nature of what it does means it rings a lot of bells for scanners.

Hopefully it will still install for some people

hi-ko commented 9 months ago

Some success: MS seems to no longer handle docto as malware. I submitted a false positive case and they agreed to review the files. Today MS Defender did not complain any more when downloading and executing v1.14!

ep_setup.exe
Submission ID: 4d65d6be-a818-4b45-a82d-*
Status: Completed
Submitted by: **
Submitted: Feb 22, 2024 00:56:25
User Opinion: Incorrect detection

Analyst comments:

We have reviewed the files and added malware detections for them to the next definition update. The latest definition information is available here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

Thank you for contacting Microsoft.

cachius commented 3 months ago

Version 1.15 64bit from May 12, 2024 on VirusTotal:

12/75 security vendors flagged this file as malicious

I wanted to try docto but this scares me.

hi-ko commented 3 months ago

Same here. We don't use it and were not able to set up a working build from source. The issue may be the Delphi environment using methods and granting permissions which are seen as malicious when compiling. Maybe it's the way it is implemented in Pascal, granting too many permissions. The logic should be reimplemented in Rust or C# following best practices.

digitalcoyote commented 3 months ago

12/75 is a lower metric from Virus Total. I know that for a while a lot of apps built with GoLang were hitting the same numbers due to some heuristics with go libraries that were also frequently found in malware (but were themselves innocuous).

That said, if it's a sensitive environment (handling PII/HIPAA/financial data or has access to other restricted environments/data) it's always better to err on the side of caution.

tobya commented 3 months ago

@hi-ko I'm interested in what difficulties you had building from source, it should be very straightforward.

It is unfortunate that it is flagged as malware, but unfortunately I don't have the time to track it down. All I can say is that the source is here on GitHub, showing it's not malicious.

I'm glad it's useful to some.