
Virustotal flags installer and the non-installer

Open xahodo opened this issue 3 years ago • 7 comments

Versions tested: 0.9.10 and 0.9.11

Observed behavior:

Virus scanners triggered, followed by what they said they detected:

  Malwarebytes: MachineLearning/Anomalous.97%
  MaxSecure: Trojan.Malware.300983.susgen

Expected result: no malware warnings triggered.

Steps to reproduce:

  1. Go to https://www.virustotal.com/gui/home/upload
  2. Upload the executable or installer.

xahodo avatar Nov 11 '21 16:11 xahodo

Also seeing this with McAfee.
It doesn't allow me to run the .exe, which is beyond frustrating.

hidefromkgb avatar Dec 30 '21 19:12 hidefromkgb

Also see this: https://www.virustotal.com/gui/file/125119d0335c64067e5aea1e87781df9de6e6ba960fdccd001b25d4d3bbbfadf/detection

robbiedobbie1 avatar Jan 12 '22 14:01 robbiedobbie1
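The VirusTotal link in the comment above identifies the sample by its SHA-256 (the long hex string in the URL). Before trusting or disputing the verdicts on such a report, it is worth confirming that the file you actually downloaded is the same artifact the report describes. The script below is an added example, not code from this thread or from the WinCompose project; it pulls the digest out of a VirusTotal `/gui/file/<hash>/...` URL and compares it with the hash of a local file. The URL is the one posted above; the file path is whatever you pass on the command line.

```python
"""Confirm a local download is the exact artifact a VirusTotal report describes.

Added example; not part of the issue thread or of WinCompose. A VirusTotal
file URL carries the sample's SHA-256, so comparing it with the hash of the
file on disk tells you whether the scanner verdicts you are reading apply to
the bytes you actually have.
"""
import hashlib
import re
from pathlib import Path
from urllib.parse import urlparse

# Taken from the link posted in the thread above.
VT_URL = ("https://www.virustotal.com/gui/file/"
          "125119d0335c64067e5aea1e87781df9de6e6ba960fdccd001b25d4d3bbbfadf/detection")

_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def sha256_from_vt_url(url: str) -> str:
    """Extract the SHA-256 that a VirusTotal /gui/file/<hash>/... URL refers to."""
    parts = urlparse(url).path.split("/")
    try:
        digest = parts[parts.index("file") + 1].lower()
    except (ValueError, IndexError):
        raise ValueError(f"no /file/<hash> segment in {url!r}")
    if not _SHA256_HEX.match(digest):
        raise ValueError(f"{digest!r} is not a SHA-256 hex digest")
    return digest


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so installers of any size fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(path: Path, vt_url: str) -> bool:
    """True only if the bytes on disk are the sample VirusTotal analysed."""
    return sha256_of_file(path) == sha256_from_vt_url(vt_url)


if __name__ == "__main__":
    import sys

    target = Path(sys.argv[1])
    print(f"{target}: sha256={sha256_of_file(target)}")
    if matches_report(target, VT_URL):
        print("same artifact as the VirusTotal report")
    else:
        print("different file; the report's verdicts do not apply to it")
```

Run it as `python check_vt_hash.py WinCompose-Setup.exe` (file name assumed). A match means the detections listed on the report are about your exact bytes; a mismatch means you are looking at a different build or a modified download and should locate the report for your own hash instead.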

Some antivirus products generate very many false positives. (Source.)

I don't think we need to fear that WinCompose contains actual malware. (Source 1.) (Source 2.) (Source 3.) Still, it's unfortunate that the false positives happen.

It would be a good idea for someone to report the false positives. Especially to MalwareBytes and to McAfee, since these are reasonably-popular antivirus products in the US.

Issue #416 deals with the matter of Malwarebytes.

unforgettableid avatar Feb 24 '22 08:02 unforgettableid

@hidefromkgb:

VirusTotal's McAfee installations consider both the 0.9.11 installer and the 0.9.11 main executable to be clean. But you might have different McAfee products, or a different threat database, or different options chosen in your McAfee settings.

A.) Which McAfee product are you running?

B.) Which version of that McAfee product do you have?

C.) Does your McAfee product still prevent you from running WinCompose, even today?

unforgettableid avatar Feb 24 '22 08:02 unforgettableid

@unforgettableid Sorry for replying so late. Now the error is different.
The entity that's blocking WinCompose is 'CrowdStrike Falcon Sensor', whatever that is.
That thing has been installed by our corporate IT, so I am not allowed to remove it from my machine.

hidefromkgb avatar Apr 08 '22 11:04 hidefromkgb

@hidefromkgb:

No worries!

I checked with the Hybrid Analysis website, which is running CrowdStrike Falcon Sandbox. Its report on the 0.9.11 installer and its report on the 0.9.11 main executable indicate that both are clean, with no specific threat found. A few indicators were found, though I don't think that they're any cause for concern.

A.) Is your local CrowdStrike product showing you a block message when you try to download WinCompose, or when you install it, or when you try to launch the installed file?

B.) Which version of WinCompose are you attempting to install or run?

C.) Could you please provide us with a screenshot of the block message? For how to take a screenshot, see these instructions. Once the screenshot is on your clipboard, you can go here and use Ctrl+V to paste it into the comment box.

unforgettableid avatar Apr 08 '22 17:04 unforgettableid

@unforgettableid A. Downloading and installation go without a hitch; it's execution where things go haywire. B. I have tried literally all versions from 0.9.11 to 0.7.1. C. The screenshot won't give you much information on what's going on, I'm afraid, but anyways here it is:

hidefromkgb avatar Apr 09 '22 13:04 hidefromkgb