
Detected as Malware on BitDefender

Open anodynos opened this issue 3 years ago • 5 comments

Unfortunately cppcryptfs.exe (MD5 007cf69831df5c957e091e070e6bfa55) is detected as Malware on BitDefender (with today's update). It has been detected before in the last 2-3 months.

When I execute it, it is terminated and I am given this reasoning:

Malicious behavior blocked
8 minutes ago

Feature:
Advanced Threat Defense

Bitdefender detected potentially malicious behavior and blocked all applications involved.
Detection ID: SuspiciousBehavior.B6D63D0535748CB9


The timeline looks like this: [screenshot]

Interestingly, this happens only at runtime. When I scan the file itself, it's fine:

[screenshot]

I am using this cppcryptfs version: [screenshot]

anodynos avatar Oct 05 '22 12:10 anodynos

I've just submitted the file to BitDefender 👍 [screenshot]

anodynos avatar Oct 05 '22 13:10 anodynos

Hi Angelos,

I'm the CEO of Encedo Limited, the company that generously offered to co-sign the binaries using our EV (Extended Validation) code-signing certificate. Can you share a public link to a subject file? The file I have signed in version 1.4.3.11 has a different MD5 (fb5303a8105f1298dfde33ac1e511e1c *cppcryptfs.exe).

Best,
Chris

encedo avatar Nov 15 '22 23:11 encedo

I downloaded 1.4.3.11 from GitHub just now, and it has the same md5 that @anodynos reported (007cf69831df5c957e091e070e6bfa55). It has both @encedo's and my signatures intact.

@encedo, is the one you have with md5 fb5303a8105f1298dfde33ac1e511e1c maybe an intermediate version from the dual-signing process?

I think what might be going on is that cppcryptfs probably looks suspicious because it does lots of encryption and filesystem operations. I'm guessing Bitdefender is thinking it could be ransomware.

I use Malwarebytes, and I've never seen it flag cppcryptfs. I did a manual scan of 1.4.3.11 downloaded from GitHub without any warnings, and running it (I have Malwarebytes real-time protection on) didn't throw any warnings either.

So I think it's probably a false positive.

bailey27 avatar Nov 15 '22 23:11 bailey27

@bailey27 yes, I posted the MD5 of the wrong file, my bad. And you are right, it has to be a false positive. VirusTotal is OK with this file, and a few others were released after that one.

encedo avatar Nov 16 '22 11:11 encedo

Thanks @encedo & @bailey27. I had no response from BitDefender, so I've just made another, more detailed submission. I am not using my Windows box that much lately, but I'll give the latest versions of cppcryptfs & BitDefender another try... maybe it's already whitelisted. If not, I'll contact their support.

anodynos avatar Nov 28 '22 21:11 anodynos