
Avast and AVG detect qwindowsvistastyle.dll and qwindows.dll as "Win32:MalOb-IJ [Cryp]"

Open Theo1996 opened this issue 3 years ago • 2 comments

Some of the DLLs are detected by AVG as heavily disguised malware.

Theo1996 avatar Jul 21 '22 14:07 Theo1996

Yes, I'm aware of this: a person on Hacker News informed me of this two days ago.

Here is a VirusTotal report: https://www.virustotal.com/gui/file/2adff5ef8aaf1c7674422cdd6ed35a9d218e5b1c354e5ddb8c73c55e5c2a69c5/relations

As you see, it's a false positive from AVG and Avast (I believe they are essentially the same program under the hood). The warnings are reported for qwindowsvistastyle.dll and qwindows.dll; I found that this happens for many other libraries built by MSYS2, but only after their debugging symbols are stripped via strip - either by an explicit invocation or as part of the build process.

So the best I can do here is to either include the debugging symbols in the mentioned DLLs (which will increase their size), or report the false positive to Avast/AVG and hope that they will fix their heuristic.

danpla avatar Jul 21 '22 14:07 danpla
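
An added example, not part of the thread or of the dpscreenocr project: a check for which DLLs in a build have had their symbols stripped, so that detections like the one above can be correlated with stripping. It assumes a stripped MinGW-built DLL shows up as a PE image with no COFF symbol table and no .debug_* sections; pe_debug_info and build_sample are hypothetical names, and the sample images are constructed.

```python
import struct

def pe_debug_info(data: bytes) -> dict:
    """Report whether a PE image still carries a COFF symbol table or DWARF sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # The 20-byte COFF file header follows the 4-byte signature.
    (_machine, n_sections, _ts, symtab_off, n_symbols,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    # The string table sits right after the 18-byte symbol records.
    strtab_off = symtab_off + n_symbols * 18 if symtab_off else 0
    sec_off = pe_off + 24 + opt_size
    names = []
    for i in range(n_sections):
        raw = data[sec_off + i * 40: sec_off + i * 40 + 8].rstrip(b"\0")
        if raw.startswith(b"/") and raw[1:].isdigit() and strtab_off:
            # Long section name: "/<offset>" points into the string table.
            start = strtab_off + int(raw[1:])
            raw = data[start:data.index(b"\0", start)]
        names.append(raw.decode("ascii", "replace"))
    debug = [n for n in names if n.startswith(".debug_")]
    return {"sections": names, "symbols": n_symbols, "debug_sections": debug,
            "stripped": n_symbols == 0 and not debug}

def build_sample(stripped: bool) -> bytes:
    """Constructed headers-only PE image, used here instead of a real DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    names = [b".text"] if stripped else [b".text", b"/4"]
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in names)
    symtab_off = 0 if stripped else 0x58 + len(table)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, symtab_off,
                       0 if stripped else 1, 0, 0x2000)
    # One empty symbol record, then a string table holding ".debug_info".
    tail = b"" if stripped else b"\0" * 18 + struct.pack("<I", 16) + b".debug_info\0"
    return dos + b"PE\0\0" + coff + table + tail

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:          # e.g. every DLL in the release folder
        with open(path, "rb") as f:
            print(path, pe_debug_info(f.read()))
```

Run against the DLLs of two builds (stripped and unstripped), the output shows which files differ only in debug data before their scan results are compared.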

Ok thanks.

Theo1996 avatar Jul 21 '22 17:07 Theo1996

It looks like they fixed the false positives. VirusTotal reports are now clean:

  • Installer: https://www.virustotal.com/gui/file/2b286188c0b043cb010ffda0fab488dbbc083307086d21ed36d1e752f3f94bbc/summary
  • ZIP: https://www.virustotal.com/gui/file/2adff5ef8aaf1c7674422cdd6ed35a9d218e5b1c354e5ddb8c73c55e5c2a69c5/summary

danpla avatar Aug 14 '22 19:08 danpla

I'll close the issue since the problem seems to be gone.

danpla avatar Aug 22 '22 20:08 danpla