
VirusTotal warnings again

Open LeonisX opened this issue 3 years ago • 8 comments

https://www.virustotal.com/gui/file/bef1057e26ca839e07e32e64c5c96e6022f43b948300badccc87c35bbcb413da

24 security vendors flagged this file as malicious.

Latest release: https://github.com/ocornut/meka/releases/tag/meka-20210726

I understand that this is a false positive, but the search engines will pessimize the smspover.org website and this repository too. Need to do something.

LeonisX avatar Jan 10 '22 18:01 LeonisX

Well, as I see it, the only problem is that Meka has an executable file, which is Meka.exe, and that is what the security vendors are flagging as malicious. I saw it happen while trying to add some zipped attachments to Gmail some time ago.

For me there are two quick-and-dirty solutions:

  • Not distribute the executable, forcing the user to compile it from source
  • Try to mask the executable, either by renaming the extension, zipping it or some other way. I once was able to send an exe using Gmail by zipping it and renaming the file to .zap

It can also be a MinGW issue: https://stackoverflow.com/questions/62364507/compiled-c-executable-is-detected-as-a-virus-by-windows-defender

lucianoloder avatar Jan 11 '22 13:01 lucianoloder

@lucianoloder great link :+1:

Windows users are unlikely to compile the emulator on their own; this is not a trivial task.

Another option is to put a password on the archive.

LeonisX avatar Jan 11 '22 13:01 LeonisX

I created a build from source, but that is also flagged on VirusTotal: https://www.virustotal.com/gui/file/c4cd1c2b328487ced3df621c689409606a1453b66b50963f6434ab36fb2cba22?nocache=1

markvantilburg avatar Jan 11 '22 14:01 markvantilburg

It seems a painful manual process to report false positives. Example: https://service.mcafee.com/?articleId=TS103032&page=shell&shell=article-view

maxim-zhao avatar Jan 12 '22 09:01 maxim-zhao

At this point in time it appears antiviruses are the malware themselves, e.g. https://twitter.com/doctorow/status/1478479483585933312?s=21

ocornut avatar Jan 12 '22 09:01 ocornut

The "debug" build is not flagged by all the scanners, just one; it seems to be something the compiler does in "release" mode. But I guess more software should be hit by the compiler optimizations.

markvantilburg avatar Jan 12 '22 14:01 markvantilburg

Maybe try to use mingw-w64/CodeBlock's MinGW instead of mingw.org, as suggested here: https://stackoverflow.com/questions/62364507/compiled-c-executable-is-detected-as-a-virus-by-windows-defender

LeonisX avatar Jan 12 '22 14:01 LeonisX

I think the releases are built with MSVC.

It's a bad experience for normal users to get a warning on the file when they try to run it (as Windows does by default now). A virus checker pop-up should stop them running it at all. We hate antivirus because it is malware but we can't hate our users...

maxim-zhao avatar Jan 12 '22 19:01 maxim-zhao