
false positives?

Open little-nugget opened this issue 5 years ago • 25 comments

https://www.virustotal.com/#/file/5f5da7e62b2352eb7fa01ac41dcc155e2837a487149e301c0dffa2b29a632570/detection just wondering if this is something you're aware of...

little-nugget, Mar 15 '19 20:03

I've actually had an intermediate binary get flagged by Windows Defender, quarantining it. But later builds didn't trip anything, at least on my computer.

It's most likely due to the keyboard shortcuts feature, which listens for keypresses during the entirety of the program's run. It also might not help that I named one of the class instances self.keylogger. That's probably why TrapMine, which uses Machine Learning, is picking it up, as it's probably looking for keywords that sound fishy.

I'll refactor those names out, and see if it clears those flags up. And as a broader statement to the userbase, LIFX-Control-Panel is open source, and if you have PyInstaller you can compile your own exe files from source, ensuring that you know exactly what code is running on your PC.

samclane, Mar 15 '19 21:03

I did the simple refactor, and no reduction in the False Positives. I've found that "Riskware" means that while not inherently dangerous, the software exposes some security vulnerabilities. I've restricted the scope on all exposed eval() statements, but maybe it doesn't check that.

samclane, Mar 16 '19 00:03

All eval() statements allowing users to run arbitrary code were removed. VirusTotal still gives the same results. I'm starting to get out of my depth here.

If anyone knows any app security guys, maybe send them my way 😟 🤷‍♂️

samclane, Mar 19 '19 22:03

Still getting Windows Defender false positives as of 1.7.0.

Attempting to solve by updating PyInstaller.

EDIT: This made it worse...

samclane, Mar 27 '19 17:03

I've self-signed the code, and that seems to help. I've gone from 8/71 to 5/71 positives on VirusTotal. Most notably, McAfee, Trapmine, and Sophos ML have all cleared the binary. (Weirdly enough, Rising thinks I have a Crypto Coin Miner as a PUA. What???😕)

I'm keeping track of the False-Positive progress in a Google Drive Sheet, so progress can be publicly tracked. I want to be completely transparent with my users, and let them know my progress.

samclane, Mar 29 '19 22:03

Submitted False Positive reports to a ton of AV companies. Hopefully most FPs will be cleared up in the coming months.

samclane, Mar 30 '19 00:03

I ran a full system virus scan with no results, so my dev machine isn't compromised.

I also created a new Virtual Environment and recompiled fresh with that. No real change, other than a slight decrease in Rising's "Coin Miner" certainty (81% to 79%, woo). Needless to say, I have not included a coin miner.

samclane, Apr 12 '19 16:04

VT has added an engine called "Microsoft". I think it might be Windows Defender. Either way, it's a positive on that too...

https://www.virustotal.com/gui/file/eccd7c0a2df8e8f35c12c842f5559eecb71a5c60c5b2c6d59086a5eae9a44008/detection

https://docs.google.com/spreadsheets/d/1aY8IILdds911zwglkoYX7ktnAbuRu0gutZC1gi_FCSM/edit#gid=0

samclane, Jun 04 '19 02:06

This is a report from a version I built locally from sources with Python 3.6 and a local lifxlan build (from 1.2.5): https://www.virustotal.com/gui/file/7604ce5398e2eb32abe2527f50bda73198467cce414546854aa99550b93a60d4/detection

It is not a surprise that software that grabs the screen, listens to audio, handles keyboard hotkeys and does networking is detected heuristically as spyware. I ran through the sources; nothing suspicious to me.

tort32, Oct 20 '19 10:10

I'm trying to run the ".exe" but nothing happens. I think something is blocking its execution (likely Windows Defender) but I don't know what else to do.

LokoGD, Oct 22 '19 09:10

@tort32 You're certainly right. My software looks a lot like a virus. That's partially why I added the pip option; for those who want to make sure the source on GitHub is what they're actually running locally. I don't think I can get it to stop registering as a virus without spending a fortune on an official certification.

@LokoGD It's probably Windows doing it in this case. I've had it happen to myself, which is a bit embarrassing. Here's a Windows guide on removing files from Quarantine. If that doesn't work, you can always install from pip. You'll need to download and install Python 3.6+ on your computer first.

samclane, Oct 22 '19 18:10
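The point made above about knowing what you are actually running has a cheap first check that this thread never spells out: every VirusTotal link posted here carries the SHA-256 of the scanned file, so a user can confirm that the exe they downloaded is byte-for-byte the one a given report describes. The following is an added example, not part of LIFX-Control-Panel; the `demo()` input is a constructed stand-in for a real release.

```python
import hashlib
import hmac
import re
import tempfile

# Added example, not LIFX-Control-Panel code. Verifies that a local file is the
# same bytes a VirusTotal report refers to.

_VT_FILE_RE = re.compile(r"virustotal\.com/(?:gui/|#/)file/([0-9a-fA-F]{64})")


def hash_from_virustotal_url(url):
    """Pull the SHA-256 out of a VirusTotal file URL. Handles both the older
    '#/file/<sha256>' and the newer 'gui/file/<sha256>' layouts seen in this thread."""
    m = _VT_FILE_RE.search(url)
    if not m:
        raise ValueError("no 64-hex SHA-256 found in URL")
    return m.group(1).lower()


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so a large PyInstaller bundle is not
    read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches(path, expected_hex):
    """Constant-time comparison of the file digest with the expected digest."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def demo():
    """Constructed input: a fake 'release' is written to a temp file and checked
    against the correct digest and a digest of tampered content.
    Returns (good, tampered), expected (True, False)."""
    payload = b"MZ" + b"constructed stand-in for a PyInstaller bundle" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(payload)
        path = f.name
    good = matches(path, sha256_bytes(payload))
    tampered = matches(path, sha256_bytes(payload + b"\x00"))
    return good, tampered
```

A matching digest only proves you hold the same bytes the report was about; it says nothing about whether those bytes correspond to the source on GitHub. For that you still need to build from source yourself or install from pip, which is the option the maintainer recommends above.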

I just tried running pip install but it also failed. I'm not experienced with Python; do you mind helping me via Discord's screen share or something else?

[image]

This is what I got (if you find anything in Portuguese that you don't get, let me know).

LokoGD, Oct 23 '19 02:10

You probably are trying to run pip directly from the Python folder. You can't call pip directly; you need to call it through Python. Try something like this to install:

python -m pip install lifx-control-panel

samclane, Oct 24 '19 00:10

Here are both results, from the cmd and from the Python terminal.

CMD: [image]

Python Terminal: [image]

Thanks for the effort ^^

LokoGD, Oct 24 '19 04:10

Anything I can do to run it properly?

LokoGD, Nov 12 '19 21:11

@LokoGD I think you should start by creating a new issue describing your steps and environment, and we will try to help you there, because hijacking other threads is not a good practice.

tort32, Nov 14 '19 14:11

Windows Defender is still flagging the new build and quarantining it, just an FYI.

prediscover, Feb 13 '20 20:02

MS AV has definitely joined the party: https://www.virustotal.com/gui/file/b69c1eb90cd89c80adb869ff0279b4af79fc3c878215fc88e9b53f0146966473/detection But my Defender keeps calm (security intelligence version: 1.309.1040.0); I also scanned the dist folder of the latest version of my local build.

Probably we can buy @samclane a coffee so he could find a minute to write a line to AV vendors 😃

tort32, Feb 15 '20 17:02

@tort32 Thanks for the support 😄

I've submitted a sample in a few places, and it's definitely helped. My Windows AV is currently going nuts too, unfortunately :( The newest PyInstaller was supposed to be fixing this, but my app does do a lot of things that could be construed as malware, such as reading the screen, reading keystrokes, reading mouse movement when within the window, running in the tray; the list goes on...

I guess I should just have a Github Actions step that writes an email to every AV company on earth every time I bundle a release. That's essentially what I had to do last time...

samclane, Feb 17 '20 18:02

I've started contacting vendors 👍

samclane, Feb 28 '20 14:02

Well I had several vendors contact me back, saying that they would add it to the exceptions list.

However, the latest VirusTotal run has the most detections so far (11 positives). Including several companies that told me they updated their definitions.

I'm going to keep working on this...

samclane, Mar 01 '20 19:03

Well, here I am, almost 2 years later.

Seems like almost all the previous false positives have been fixed, but since VirusTotal continues to expand its test suite, I still have 9/66 positives.

Most positives have it flagged as something called "Gen:Variant.Tedy.1950". I'll have to look into what this means.

samclane, Dec 06 '21 17:12

FYI: my local build was flagged by only 6/67 (but by different AV products): https://www.virustotal.com/gui/file/ff1177163fb95c3c0e230b0123d9d2dd21251a307517ce6b5df98d47e09598c9

tort32, Dec 07 '21 07:12

Somebody scanned the most recent version (2.2.0) and it was only flagged by 1 AV: Antiy AVL

https://www.virustotal.com/gui/file/15a39c752e905b648069f7b2c3d8ca307250c9cb656b8b3f997242a5265ed983

samclane, Dec 20 '21 15:12