false positives? #39
Comments
I've actually had an intermediate binary get flagged by Windows Defender, quarantining it. But later builds didn't trip anything, at least on my computer. It's most likely due to the keyboard shortcuts feature, which listens for keypresses during the entirety of the program's run. It also might not help that I named one of the class instances I'll refactor those names out, and see if it clears those flags up. And as a broader statement to the userbase, LIFX-Control-Panel is open source, and if you have PyInstaller you can compile your own
I did the simple refactor, and no reduction in the False Positives. I've found that "Riskware" means that while not inherently dangerous, the software exposes some security vulnerabilities. I've restricted the scope on all exposed
If anyone knows any app security guys, maybe send them my way 😟 🤷♂️
Still getting Windows Defender false positives as of 1.7.0. Attempting to solve by updating PyInstaller. EDIT: This made it worse...
I've self-signed the code, and that seems to help. I've gone from 8/71 to 5/71 positives on VirusTotal. Most notably, McAfee, Trapmine, and Sophos ML have all cleared the binary. (Weirdly enough, Rising thinks I have a Crypto Coin Miner as a PUA. What???😕) I'm keeping track of the False-Positive progress in a Google Drive Sheet, so progress can be publicly tracked. I want to be completely transparent with my users, and let them know my progress.
Submitted False Positive reports to a ton of AV companies. Hopefully most FPs will be cleared up in the coming months.
I ran a full system virus scan with no results, so my dev machine isn't compromised. I also created a new Virtual Environment and recompiled fresh with that. No real change, other than a slight decrease in Rising's "Coin Miner" certainty (81% to 79%, woo). Needless to say, I have not included a coin miner.
VT has added an engine called "Microsoft". I think it might be Windows Defender. Either way, it's a positive on that too... https://docs.google.com/spreadsheets/d/1aY8IILdds911zwglkoYX7ktnAbuRu0gutZC1gi_FCSM/edit#gid=0
This is a report from the version I built locally from sources with Python 3.6 and a local lifxlan build (from 1.2.5). It is not a surprise that software that grabs the screen, listens to audio, uses keyboard hotkeys and networking is detected heuristically as spyware.
I'm trying to run the ".exe" but nothing happens. I think something is blocking its execution (likely Windows Defender) but idk what else to do.
@tort32 You're certainly right. My software looks a lot like a virus. That's partially why I added the pip option; for those who want to make sure the source on GitHub is what they're actually running locally. I don't think I can get it to stop registering as a virus without spending a fortune on an official certification. @LokoGD It's probably Windows doing it in this case. I've had it happen to myself, which is a bit embarrassing. Here's a Windows guide on removing files from Quarantine. If that doesn't work, you can always install from pip. You'll need to download and install Python 3.6+ on your computer first.
You probably are trying to run pip directly from the Python folder. You can't call pip directly; you need to call it through Python. Try something like this to install:
Anything I can do to run it properly?
@LokoGD I think you should start by creating a new issue describing your steps and environment, and we will try to help you there, because hijacking other threads is not good practice.
Windows Defender is still flagging the new build and quarantining it, just an FYI
Definitely MS AV has joined the party https://www.virustotal.com/gui/file/b69c1eb90cd89c80adb869ff0279b4af79fc3c878215fc88e9b53f0146966473/detection Probably we can buy @samclane a coffee so he could find a minute to write a line to AV vendors 😃
@tort32 Thanks for the support 😄 I've submitted a sample in a few places, and it's definitely helped. My Windows AV is currently going nuts too, unfortunately :( The newest PyInstaller was supposed to be fixing this, but my app does do a lot of things that could be construed as malware (reads the screen, reads keystrokes, reads mouse movement when within the window, runs in the tray, the list goes on...). I guess I should just have a GitHub Actions step that writes an email to every AV company on earth every time I bundle a release. That's essentially what I had to do last time...
I've started contacting vendors 👍
Well, I had several vendors contact me back, saying that they would add it to the exceptions list. However, the latest VirusTotal run has the most detections so far (11 positives), including several companies that told me they updated their definitions. I'm going to keep working on this...
Well, here I am, almost 2 years later. Most positives have it flagged as something called "Gen:Variant.Tedy.1950". I'll have to look into what this means.
FYI: my local build result was flagged by only 6/67 (but different AV products)
Somebody scanned the most recent version (2.2.0) and it was only flagged by 1 AV: https://www.virustotal.com/gui/file/15a39c752e905b648069f7b2c3d8ca307250c9cb656b8b3f997242a5265ed983
https://www.virustotal.com/#/file/5f5da7e62b2352eb7fa01ac41dcc155e2837a487149e301c0dffa2b29a632570/detection
just wondering if this is something you're aware of...
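For users who want to confirm that a downloaded release is the same build that was scanned in the VirusTotal links above, and whether it carries the embedded code signature the author mentioned, here is an added example (not part of this project or this thread): it hashes the file and reads the PE Certificate Table entry. The hash set is copied from the VT URLs in the thread, and `build_sample_pe` is a constructed header used only so the check can be exercised offline.

```python
import hashlib
import struct

# SHA-256 values copied from the VirusTotal links in this thread.
SCANNED_BUILD_HASHES = {
    "b69c1eb90cd89c80adb869ff0279b4af79fc3c878215fc88e9b53f0146966473",
    "15a39c752e905b648069f7b2c3d8ca307250c9cb656b8b3f997242a5265ed983",
    "5f5da7e62b2352eb7fa01ac41dcc155e2837a487149e301c0dffa2b29a632570",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_scanned_build(data: bytes) -> bool:
    """True if the bytes hash to a build that appears in the thread's VT reports."""
    return sha256_hex(data) in SCANNED_BUILD_HASHES

def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE's Certificate Table directory (index 4) is non-empty.
    This only shows a signature blob is embedded; it does not validate the chain."""
    try:
        if data[:2] != b"MZ":
            return False
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        opt_off = pe_off + 24  # 4-byte PE signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt_off)[0]
        dir_base = {0x10B: 96, 0x20B: 112}.get(magic)  # PE32 / PE32+ directory offset
        if dir_base is None:
            return False
        if struct.unpack_from("<I", data, opt_off + dir_base - 4)[0] < 5:
            return False  # NumberOfRvaAndSizes too small to hold a cert entry
        _rva, size = struct.unpack_from("<II", data, opt_off + dir_base + 4 * 8)
        return size > 0
    except struct.error:
        return False

def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not a real binary) for offline testing."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 144, 0x1000, 0x800)  # cert table RVA/size
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew -> PE header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

On a real download, read the file with `open(path, "rb").read()` and pass the bytes to both functions; a hash mismatch means you are not holding the scanned build, and a missing Certificate Table means the release was not signed at all.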