Crycker
Crycker reported as infected by VirusTotal
https://www.virustotal.com/gui/file/630fa4b94f13724f0f6664ec5c9222abaed99858aaa90e984ef361d7c93cc0d7/detection
Looking into this. A freshly compiled version on two (clean) computers results in the same binary, but VirusTotal still reports infections.
Do we still have a Virus concern here? "Working-on" status since July 23???
I truly don't know. It was a false alarm then, and I could not work around it and gave up. Might try again some day.
You see the code, code is 100% safe. Use at your own risk.
My Firefox download said this is a virus :(
This seems to be resolved.
(Narrator: but it was not.)
When was it resolved? I have uploaded Crycker.exe to VirusTotal like 2 hours ago and got the same result as reported. Even the same URL.
Sorry, I saw a comment from someone with a clean sheet from VirusTotal and jumped from joy. Will check myself, but there is just so much I can do as this is clearly a false positive and it's really frustrating.
I'm glad to report that Kaspersky has recognized that this is indeed a false positive. Still waiting for some other vendors to respond to my false-positive report.
Another antivirus fixed the false-positive.
Unless it has some adware in it, my guess is that it exhibits some behavior that gets flagged as a cryptominer.
I'm glad to see that Kaspersky no longer flags it. It would help if BitDefender was on board as well. I went ahead and submitted it to them here. I'll report back when I get the results.
Heya, Windows Defender now says that the file contains "Trojan:Script/Phonzy.A!ml" and it auto deletes it, any possible fix soon?
While it's unfortunate if Windows Defender (WD) or other A/V software reports a file(s) as being infected, many A/V software products are known for varying degrees of inaccurate flagging (including false positives).
The rule of thumb that I and many others in I.T. follow is that if a suspected sample passes both Kaspersky and BitDefender (BD) on VirusTotal (VT), then it's likely in fact clean, as those two A/V products are frequently the industry leaders and known for being amongst the most accurate.
Checking VT today (see results here), I see that BD still reports Crycker as infected. As you can see above, I submitted Crycker to BD, but it appears that they either never re-evaluated it, or they still maintain that Crycker is malicious. It doesn't help that Avast, Avira, and F-Secure also flag it as infected.
I leave it to others to make their own judgment call, but personally I won't be using Crycker until David alters or removes whatever code is likely triggering the A/V positive, or he obtains a clean rating from BD. Without that, I would have to test Crycker more, or review the code, and I just don't have the time. I'm not saying that I believe it's infected - I'm just erring on the side of caution.
Hi all, thanks for reporting back. At this point, I have no ideas on how to convince virus scanning engines that Crycker code is in no way infected. It simply cannot be. It's simple, self-contained and doesn't include any external code or libraries.
I guess the fact that we are calling blockchain APIs and mentioning it in the code trips something in the algorithms of AV engines that I have no influence over.
If anyone has any suggestions on how to change the code, I'm more than interested. I've tried everything that's popped in my mind and then some, with no success at all.