wincompose flagged as malware by certain scanners
Hi, I'm working with confidential data and my employer will not install software on my computer that doesn't pass the scanners at virustotal.com. Unfortunately, I can't just build it myself, since it's a strictly regulated IT environment.
Currently, the wincompose installer is flagged as follows:
- Bkav Pro: W32.AIDetect.malware1
- McAfee-GW-Edition: BehavesLike.Win32.PUPXDZ.wc
- Cybereason: Malicious.d9f3a8
The portable zip is flagged as follows:
- Malwarebytes: MachineLearning/Anomalous.97%
- MaxSecure: Trojan.Malware.300983.susgen
Is there anything that can be done to remedy this situation?
For Malwarebytes, false positives could be reported here: https://forums.malwarebytes.com/forum/122-false-positives/
For MaxSecure, false positives could be reported here: https://www.maxsecureantivirus.com/maxIS/submit_aFalse_Positive.htm
For Bkav Pro, McAfee, and Cybereason, I couldn't easily find places where false positives could be reported.
Best, prt
I noticed the VirusTotal positive results too. Currently (2021-09-06, WinCompose-Setup-0.9.11.exe):
https://www.virustotal.com/gui/file/125119d0335c64067e5aea1e87781df9de6e6ba960fdccd001b25d4d3bbbfadf/detection
- Cynet - Malicious (score: 100)
- Palo Alto Networks - Generic.ml
- Crowdsourced Sigma rules - 8 matches: CRITICAL 1 HIGH 4 MEDIUM 1 LOW 2
@prt-git did you report the false positives?
A related issue
- Virustotal flags installer and the non-installer (#447). This issue discusses McAfee and other matters.
Malwarebytes
@vbrozik: Since @prt-git hasn't replied, we might as well assume that they did not report anything to the antivirus developers.
I looked into the Malwarebytes false-positive reporting procedure, since it's a reasonably popular antivirus product in the US. VirusTotal indicates that Malwarebytes detects the wincompose.exe main executable (0.9.11) as "MachineLearning/Anomalous.97%".
Malwarebytes writes: If your app is falsely detected as "MachineLearning/Anomalous", sign your code. If you're unable or unwilling to sign your code, make a false-positive report to our forums instead.
WinCompose is not yet signed. Issue #224 shows that enough money has already been raised to buy a certificate which will last for several years. It seems that Sam has not yet bought a certificate. I theorize that Sam might be busy with his job, other open-source contribution work, and/or various life obligations.
Dear community: While we're waiting, I think it would be helpful if someone might be willing to please volunteer to post a false-positive report to the Malwarebytes forums.