Submit false positives to antivirus vendors

Open az0 opened this issue 6 years ago • 26 comments

I saw in past issues (e.g., #140) that people reported that the software is flagged by antivirus software, and that this is a reasonable estimate based on the heuristic of a keylogger.

The latest Windows zip is flagged by 9 scanners.

Would you please consider contacting the vendors to whitelist it? There is a contact list on techsupportalert and another list is available if you email VirusTotal.

az0 avatar Mar 21 '18 15:03 az0

I don't think this needs to be done by the maintainers ourselves, so please feel free to do so on your own! :slightly_smiling_face:

ErikBjare avatar Mar 27 '18 12:03 ErikBjare

Well this is annoying :-) - it's happening on the 0.8.3 version, and so can't install the latest version of AW at work...

pcuci avatar Nov 18 '19 19:11 pcuci

@pcuci Please submit a false positive to Microsoft about that, we can't do anything else about it than that as Windows doesn't provide any safe APIs for us to use.

johan-bjareholt avatar Nov 18 '19 19:11 johan-bjareholt

For what it's worth, the admin team at work managed to add an exception, then asked me to execute the following steps to clear the antivirus cache and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run MpCmdRun.exe -removedefinitions -dynamicsignatures
  3. Run MpCmdRun.exe -SignatureUpdate

It appears that IT help-desks inside organizations have the ability to include antivirus exceptions. I don't know if these new malware definitions later go upstream to Microsoft, it may very well be the case, or not.

Hope this encourages others to negotiate with their IT/network/security teams :-)

pcuci avatar Nov 20 '19 18:11 pcuci
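
The steps from the comment above as one elevated PowerShell script, followed by a custom scan of the flagged file to check whether it is still detected after the update. This is an added example, not part of the original comment or the ActivityWatch project; the `$Target` path is a placeholder assumption.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell session.
param(
    # Placeholder path (assumption): point this at the binary that was flagged.
    [string]$Target = 'C:\path\to\activitywatch\aw-watcher-afk.exe'
)

# Refuse to continue without administrator rights (step 1 of the procedure).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) session.'
}

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
if (-not (Test-Path $Target))   { throw "Target file not found: $Target" }

# Step 2: remove the cached dynamic signatures.
& $mpCmdRun -RemoveDefinitions -DynamicSignatures
if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }

# Step 3: fetch the latest definitions.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed with exit code $LASTEXITCODE" }

# Check: custom scan (ScanType 3) of the one file that was flagged.
& $mpCmdRun -Scan -ScanType 3 -File $Target
$scanCode = $LASTEXITCODE

# Exit code 0 also covers "found and remediated", so confirm the file survived.
if ($scanCode -eq 0 -and (Test-Path $Target)) {
    Write-Output "No detection: $Target"
} elseif ($scanCode -eq 2 -or -not (Test-Path $Target)) {
    Write-Output "Still detected: $Target (exit code $scanCode)"
} else {
    Write-Output "Scan ended with unexpected exit code $scanCode"
}
```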

> It appears that IT help-desks inside organizations have the ability to include antivirus exceptions.

The only annoying thing is that if you ever update ActivityWatch you will likely have to go through the same procedure again.

johan-bjareholt avatar Nov 21 '19 07:11 johan-bjareholt

A more long-term solution might be to code-sign the releases (#666), or simply put it up on the Windows store.

ErikBjare avatar Nov 21 '19 08:11 ErikBjare

I am not able to run release 0.8.4 on my office PC. McAfee Endpoint Security is declaring ActivityWatch as ransomware, blocking processes and partially deleting files (aw-watcher-afk.exe).

I found several entries in the event log from McAfee, including details of what it thinks is evil, but as the logs are in German, I don't know if posting them here makes sense.

wasinix avatar Jan 02 '20 17:01 wasinix

Apparently AlternativeTo now shows a malware warning for ActivityWatch (reported in #493). Not sure what we can do about that.

However, someone dropped this link on the AlternativeTo page which gives a lot of nice details about why it's considered suspicious: https://www.hybrid-analysis.com/sample/beb047cb7583df66301493c613afe0d7bf6c62b5445eb38797b6fcf38d239afe/5e7cd780c49eaf4be46cde62

But alas, it only confirms what we already knew: it's all guesswork.

Edit: I've submitted the false positives to AVG and AegisLab (as per this VirusTotal report). We'll see if that does anything.

Edit 2: According to that hybrid-analysis report, apparently the presence of @julian's email is considered suspicious, lol.

Edit 3: I emailed AlternativeTo, we'll see what they reply.

ErikBjare avatar Oct 04 '20 15:10 ErikBjare

Suspicious indeed.

Julian avatar Oct 04 '20 15:10 Julian

AlternativeTo replied to my email and have removed the warning. Thanks @timharek for reporting!

ErikBjare avatar Oct 05 '20 09:10 ErikBjare

I scanned all the files on VirusTotal and then reported false positives to anti-virus vendors for several months. As a result, most vendors have responded and fixed the issues, but some just haven't answered. The results can be viewed here: GitHub Gist - activitywatch_virustotal and backup link (although I haven't updated them for the last few weeks).

I tried to contact vendors using information from this repository (I also updated some data in it myself).

I also tried to solve the problem through VirusTotal support, but they helped at first, and then they began to ignore my requests.

But you can also try to contact them, perhaps due to the large number of complaints, they will still correct false positives.

rakleed avatar Jul 27 '21 09:07 rakleed

Hello, I was using version v0.10 and tried to update to v0.11, and I get the following in Firefox: [image]

nck974 avatar Aug 12 '21 12:08 nck974

https://virusscan.jotti.org/en-US/filescanjob/clmvm45bbb

But still banned in Firefox and Chrome.

Based on https://developers.google.com/search/docs/advanced/security/malware it seems that the developer has to follow this procedure (Security Issues report): https://support.google.com/webmasters/answer/9044101

tbertels avatar Sep 30 '21 17:09 tbertels

Similar issue found again for v0.12.2, was about to create a ticket but saw this! Is there a procedure for resolving this now?

MaxJW avatar Mar 30 '23 09:03 MaxJW

@MaxJW https://www.microsoft.com/en-us/wdsi/filesubmission

rakleed avatar Mar 30 '23 10:03 rakleed

@rakleed Thanks for linking, I just submitted v0.12.2

ErikBjare avatar Mar 30 '23 13:03 ErikBjare

Avast flags v0.12.3b15

rdggithub avatar Nov 25 '23 06:11 rdggithub