New builds are flagged as malware, VirusTotal
Any idea why the installers are still being flagged as suspicious/malware when checking against VirusTotal? Here is the current report for the releases just updated today, run against the Tftpd64_Service_Installer_v4.70.exe.
```text
Arctic Wolf, Unsafe
Bkav Pro, W32.AIDetectMalware
Elastic, Malicious (moderate Confidence)
Kaspersky, HEUR:Trojan.Win32.Generic
Microsoft, Trojan:Win32/Wacatac.B!ml
Sangfor Engine Zero, Trojan.Win32.Save.a
SecureAge, Malicious
Trapmine, Suspicious.low.ml.score
```
Any.run says that it's taking screenshots? https://app.any.run/tasks/10576a9c-bebd-4244-9188-3d16dc469509
edit: correction, it says that "There is functionality for taking screenshot" - I'm not sure that means that it did, but it still makes a person wonder.
Another one: https://app.any.run/tasks/8ede08ca-19cb-4dab-bbdc-e889604ad4b6 Text report: https://any.run/report/a755b17f7879ea7ad3803aa909d45d30d6359475e12a3550e6ab6d02ba4b728c/8ede08ca-19cb-4dab-bbdc-e889604ad4b6
Lists no "Malicious" but several "Suspicious" which is probably what's setting this off.
It'd be nice if previous releases were also available so I could compare the behavior.
Yes, that's nothing new. I struggle with antivirus vendors for every release, and that's one of the reasons I stopped working on it.
Note that, for now, it's mostly the installer that has a bad reputation. The x64 service executables (svc/gui) only have 1 or 2 malicious reports.
Tomorrow, I will send the executables to each editor and ask them to review it... So much fun :(
The latest versions of TFTPD 4.71 are flagged as being riddled with malware (e.g. VirusTotal, Joe Sandbox / MITRE Attack) and do contain active malware.
https://www.virustotal.com/gui/file/bf47a3a494fa30e64c1fe32a9ffb1ec73ba60a0c01719036512e6cdea5b4a4cf https://www.joesandbox.com/analysis/1730532
Windows Defender and ESET are automatically deleting your latest installer and refusing to run it because it contains active trojans; these are not false positives. I suspect that you are building TFTPD with a malicious installer product or using cracked versions of your toolchain or installer software. Your installer is not digitally signed either, which is another red flag. For example:
```text
Microsoft Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wacatac.H!ml&threatid=2147814523&enterprise=0
Name: Trojan:Win32/Wacatac.H!ml
ID: 2147814523
Severity: Severe
Category: Trojan
Path: file:_C:\Users\user\Downloads\Tftpd32_Installer_v4.71.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
User: host\user
Process Name: C:\Windows\explorer.exe
Security intelligence Version: AV: 1.431.452.0, AS: 1.431.452.0, NIS: 1.431.452.0
Engine Version: AM: 1.1.25050.6, NIS: 1.1.25050.6
```
To obtain a clean bill of health, you must stop using the product you are currently using as your installer product, as it is most likely cracked or contains malware. Since you are a F/OSS project, contact AdvancedInstaller and they will provide you with a complimentary F/OSS license: https://www.advancedinstaller.com/free-license.html. Ensure you compile and build on a clean machine/VM built from scratch. Ensure you have a reputable EDR solution installed. Wipe whatever you are using now. Unfortunately, the current versions of TFTPD are currently unusable.
Hope that helps.
@firedaemon-ceo even the zip version is being flagged as malware. This is not an installer issue.
tftpd32.exe from 32-bit zip (v4.71): https://www.virustotal.com/gui/file/f0ef282a0cae736ac88a6434130d358ee8dcf1d85407d4fa2aa83703df022fc1/detection
tftpd64.exe from 64-bit zip (v4.71): https://www.virustotal.com/gui/file/128f15e6e19d6acadf04f30c3ce898b403d9529f2f2aa59ffb9e810768e5c647/detection
But certainly, from this VirusTotal analysis, there are some sus things going on here; for example, why would it be interacting with or pretending to be the Google Updater? So a clean build environment is a good idea.
Good to know. I never looked beyond your installer because I received numerous alarms from my EDR (anti-virus software) after downloading it. As previously mentioned, the EDR deleted the installer straight away. Didn't even quarantine it. I was suspicious from the outset, as my EDR browser plugin indicated that the TFTPD website contained links to malware.
So you need to fix your product and website reputation:
- Set up a cleanroom environment (new VM installed from a verified ISO, install EDR, and install the tool chain from fresh downloads) and rebuild your binaries, ensuring they are digitally signed. Don't make any assumptions regarding the safety of any of your tool chain products. Ensure you download from reputable locations
- Use AdvancedInstaller. It provides the ability to properly digitally sign your EXE/MSI installer. Nullsoft may be compromised.
- Submit your installers and ZIPs to VirusTotal first before publishing on Github. Then publish publicly once they are clean.
We have encountered similar issues in the past (e.g., VirusTotal false positives), but not to the extent I'm seeing with your installers/ZIPs.
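Two of the items in the list above (ship signed binaries, and hash/submit every artifact before publishing) can be scripted. The following is an added example written for this thread, not code from the Tftpd32 project or from any poster: it walks a set of release artifacts, records each PE file's SHA-256 with the VirusTotal URL form used throughout this thread, and reports whether the file carries an Authenticode signature directory at all. `build_minimal_pe()` constructs synthetic PE32+ headers so the script runs offline; in real use you would pass bytes read from the release directory instead.

```python
# Added example (not from the Tftpd32 project or this thread): a pre-publish
# check that records each PE artifact's SHA-256 for a VirusTotal lookup and
# reports whether it carries an Authenticode signature directory.
# build_minimal_pe() constructs synthetic header-only PE32+ images so the
# script runs offline; feed release_check() real file bytes in practice.
import hashlib
import struct

VT_FILE_URL = "https://www.virustotal.com/gui/file/"   # URL form used in the thread


def pe_security_directory(data: bytes) -> tuple[int, int]:
    """Return (offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY (index 4).

    For this directory the first field is a raw file offset, not an RVA.
    A (0, 0) entry means no Authenticode blob is attached at all.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                     # IMAGE_FILE_HEADER is 20 bytes
    opt = coff + 20                         # IMAGE_OPTIONAL_HEADER starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32: dirs at +96, count at +92
        num_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+: dirs at +112, count at +108
        num_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, num_dirs_off)[0] < 5:
        return 0, 0                         # image declares no security entry
    return struct.unpack_from("<II", data, dirs_off + 4 * 8)


def has_authenticode_blob(data: bytes) -> bool:
    """True if a WIN_CERTIFICATE blob is attached (presence only, not validity)."""
    offset, size = pe_security_directory(data)
    return offset != 0 and size != 0


def release_check(artifacts: dict[str, bytes]) -> list[dict]:
    """One record per artifact: name, SHA-256, VirusTotal URL, signature presence."""
    records = []
    for name, data in sorted(artifacts.items()):
        digest = hashlib.sha256(data).hexdigest()
        records.append({
            "name": name,
            "sha256": digest,
            "virustotal": VT_FILE_URL + digest,
            "signed": has_authenticode_blob(data),
        })
    return records


def build_minimal_pe(signed: bool) -> bytes:
    """Constructed PE32+ header-only image (no sections) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, 0 sections, SizeOfOptionalHeader=240, Characteristics=EXE|LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)           # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)            # NumberOfRvaAndSizes
    if signed:
        # hypothetical WIN_CERTIFICATE blob at file offset 0x200, 0x1000 bytes long
        struct.pack_into("<II", opt, 112 + 4 * 8, 0x200, 0x1000)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    sample = {"signed.exe": build_minimal_pe(True), "unsigned.exe": build_minimal_pe(False)}
    for rec in release_check(sample):
        flag = "signed" if rec["signed"] else "UNSIGNED"
        print(f"{rec['name']:14} {flag:9} {rec['virustotal']}")
```

A non-zero security directory only proves that something is attached; it does not validate the certificate chain or timestamp. On the build machine, follow this with `signtool verify /pa /v <file>` or `Get-AuthenticodeSignature` before uploading the hashes to VirusTotal, and fail the release if any record comes back unsigned.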
I ran all binary components of the 4.71 64-bit service installer through VirusTotal and (except for the system.dll contained in the installer) everything is clean. Plus the system.dll is only a minor issue for 1/72 scans. Here are the scores for each component:
Tftpd64_Service_Installer_v4.71.exe: https://www.virustotal.com/gui/file/0f9f24544b3a6bd8f0c483ae69c8a5bf729675b12608677f4be5998f01d04cd4
tftpd64_svc.exe: https://www.virustotal.com/gui/file/1aa1c6ef9ddaac8480e9bf6d862406738ba30369644297c63e0b01e00cb71eae
tftpd64_gui.exe: https://www.virustotal.com/gui/file/3834f5a63bd073169a499f9ff8b01c219786639c36bc65bd70480b5ec3b26f4d
Installer components:
system.dll: https://www.virustotal.com/gui/file/8b4c47c4cf5e76ec57dd5a050d5acd832a0d532ee875d7b44f6cdaf68f90d37c
nsExec.dll: https://www.virustotal.com/gui/file/b121689861b506dbc9c3797b49bc8a90d555cb7db58cb959165cc758391c00bb
nsDialogs.dll: https://www.virustotal.com/gui/file/b1350f487692057c8ffde75dcc55287a52a3272240d4d4912f24464b27551fc0
I think this issue can be closed.
I think that there are still unanswered questions, such as why it is dropping "Google Updater" files. Maybe someone can at least build from source independently to confirm the binaries match.
At least in the service installer, there are no "Google Updater" files that I can see. Only the installer itself (built with Nullsoft), the service executable, the configuration gui executable, and three Nullsoft supporting DLL files.
The portable zip is also flagged by Windows Defender. Maybe it's a false positive, but I'm not going to take that chance.
If you look at the results of the zip scan, a lot of the "threats" are classified as "unwanted", "tftp", "riskware" etc. VirusTotal even has a family label of "tftpd32"!
I.e. a lot of the antimalware vendors think that installing a TFTP server is inherently a bad idea, which makes a lot of sense for most users. Just not us. Just like a password cracker, they will flag it just for doing what it's supposed to.
The any.run results seem to differ when pointing to a URL vs. uploading the file manually; some of the issues seem to be things the VM does to download the file.
While I can see the hesitation to download a tool with a few VirusTotal points, a lot of this may be unavoidable for a TFTP server. It would be more productive to actually analyze the results and try to figure out if there is anything specific in the code that could be changed to avoid some detections, e.g. to replicate the "takes screenshots" detection from any.run and figure out what can be done about it.
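The suggestion in the last post (actually analyze the results instead of counting detections) and the vendor list in the first post can be turned into a small triage pass. The following is an added example, not code from the Tftpd32 project or from any poster: it sorts VirusTotal detection labels into generic/ML heuristics, PUA/riskware-style verdicts, bare verdicts with no family, and labels that commit to a specific family name, then says which of those buckets the release actually landed in. The category rules and the verdict strings are this script's own assumptions; `SAMPLE` copies the eight vendor lines from the first post.

```python
# Added example (not from the thread or the Tftpd32 project): triage of
# VirusTotal detection labels into heuristic/ML, PUA-style, bare-verdict and
# family-named buckets.  The regexes and verdict wording are this script's own
# assumptions, not vendor definitions; SAMPLE copies the first post's list.
import re
from collections import Counter

# Machine-learning or generic heuristics: the vendor has a score, not a family.
HEURISTIC_RE = re.compile(r"(!ml\b|\bml\b|AIDetect|\bHEUR\b|Generic|\bHeur\b)", re.I)
# Potentially-unwanted / riskware style labels: flagged for what the tool does.
PUA_RE = re.compile(r"(\bPUA\b|\bPUP\b|Riskware|Unwanted|not-a-virus|HackTool|RemoteAdmin)", re.I)
# Bare verdicts with no family at all, optionally followed by a confidence note.
VERDICT_RE = re.compile(r"^(Unsafe|Malicious|Suspicious|Malware)(\s*\(.*\))?$", re.I)

SAMPLE = [  # (vendor, label) pairs as listed for Tftpd64_Service_Installer_v4.70.exe
    ("Arctic Wolf", "Unsafe"),
    ("Bkav Pro", "W32.AIDetectMalware"),
    ("Elastic", "Malicious (moderate Confidence)"),
    ("Kaspersky", "HEUR:Trojan.Win32.Generic"),
    ("Microsoft", "Trojan:Win32/Wacatac.B!ml"),
    ("Sangfor Engine Zero", "Trojan.Win32.Save.a"),
    ("SecureAge", "Malicious"),
    ("Trapmine", "Suspicious.low.ml.score"),
]


def classify(label: str) -> str:
    """Map one detection label to heuristic | pua | verdict-only | named."""
    label = label.strip()
    if HEURISTIC_RE.search(label):
        return "heuristic"
    if PUA_RE.search(label):
        return "pua"
    if VERDICT_RE.match(label):
        return "verdict-only"
    return "named"


def triage(detections: list[tuple[str, str]]) -> dict:
    """Count the buckets and list the vendors that committed to a family name."""
    counts = Counter()
    named = []
    for vendor, label in detections:
        cat = classify(label)
        counts[cat] += 1
        if cat == "named":
            named.append((vendor, label))
    if not named:
        verdict = ("no vendor names a specific family; treat as heuristic/PUA noise "
                   "pending sandbox review")
    elif len(named) == 1:
        verdict = ("one vendor names a family; look that label up in the vendor's "
                   "encyclopedia before dismissing it")
    else:
        verdict = ("several vendors agree on a family name; treat as a real detection "
                   "until an independent rebuild proves otherwise")
    return {"counts": dict(counts), "named": named, "verdict": verdict}


if __name__ == "__main__":
    for vendor, label in SAMPLE:
        print(f"{vendor:20} {classify(label):13} {label}")
    result = triage(SAMPLE)
    print(result["counts"], "->", result["verdict"])
```

Run against the first post's list this yields four heuristic/ML hits, three bare verdicts and a single family-named label (Sangfor's `Trojan.Win32.Save.a`), which is the one entry worth chasing; the `!ml`, `HEUR:` and `.ml.score` labels are exactly the kind of detection that a TFTP server or password cracker attracts for doing its job.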