19 engines detect OFscraper as virus now?

Open Dark-Obsidian opened this issue 1 year ago • 6 comments

Description

I was aware that previous versions of OFscraper are flagged by 1-2 engines on virustotal.com; however, when I was updating to 3.12.9, my AV went off, as it seems 19 engines now detect OFscraper as a trojan!?

To Reproduce

Expected behavior

  • AV engines do not flag OFscraper as trojan/virus
  • OFscraper does not get detected with suspicious activities such as:
    • XOR obfuscation
    • VM/detection evasion (Reference anti-VM strings targeting VirtualBox)
    • Hijack execution flow  

Screenshots/Logs

OFscraper_detections

System Info

  • OS: Windows
  • Browser: Edge
  • Binary or python: Binary

Additional information

Not accusing OFscraper of being a trojan, but whatever code changes you have made recently seem to be sending AV engines crazy!

Dark-Obsidian, Nov 26 '24 20:11

Zip exe...

2024-11-27 023317

Puk0, Nov 27 '24 08:11

OK... but that's just putting the .exe inside a .zip file (making it harder for the engines to scan/detect)... If you password-protect the .zip file, you can get down to 0 detections.

Dark-Obsidian, Nov 27 '24 13:11

While I can't answer what changes were made that are causing so many antivirus engines to detect it on VirusTotal, I and many others have been running this version for months now and no one has mentioned seeing any strange/malicious activity. The antivirus (Bitdefender) and hardware firewall (Firewalla) I use myself have not picked up any malicious activity either. So, IMHO, I don't think you have any cause for concern. But if you want to be safe, then run this in a VM (VMware or VirtualBox) or on a spare computer (if you have one, that is).

cjb900, Dec 04 '24 05:12

> OK... but that's just putting the .exe inside a .zip file (making it harder for the engines to scan/detect)... If you password-protect the .zip file, you can get down to 0 detections.

In the zip version, if you unzip it and scan the exe, that result will appear.

It's not that I compress it to scan it.

Puk0, Dec 04 '24 05:12

The processes for making the zip and exe are open. Look at the GitHub Actions. You can make the zips or exe yourself.

If you don't trust these processes, then learn how to use git and install the program from the repo.

The zip and exe are just meant as an easy way for newbies to install the script, and to reduce the amount of support required, but this and other issues in making them make me think it would be better to stop providing them.

datawhores, Dec 04 '24 05:12

That'd be a real shame; the exe is just so much more convenient for myself and others.

CynicalPlatapus, Dec 21 '24 21:12

Closing this. Use the repo version or make your own exe if this is an issue.

datawhores, May 30 '25 14:05