
[bug] [investigate] False-positive virus archive scan results #152

Closed
PaulaZa5 opened this issue Dec 9, 2017 · 7 comments

Comments

@PaulaZa5

PaulaZa5 commented Dec 9, 2017

  1. ActivityWatch Version:
    • 0.7.1
  2. What made the issue/bug appear? (steps to reproduce)
  3. Include a logfile:
    • It's not a bug with the program itself.
@PaulaZa5
Author

PaulaZa5 commented Dec 9, 2017

After some digging, I don't think it has anything to do with any of your scripts. The machine where you froze all py scripts and/or the used freezing script itself was infected, because all executables are identified as false-positives.

[4 screenshots attached]

@johan-bjareholt
Member

aw-watcher-afk works like a keylogger, so it is technically not a false-positive. There is no API in windows/mac/linux which only detects that any key is pressed, so aw-watcher-afk has to fetch which key is pressed as well, which is exactly how a keylogger works. Your anti-virus only detects that aw-watcher-afk uses this API and assumes that it's a virus, but in reality aw-watcher-afk uses this API to fetch the most recently pressed key, but then just throws away the data about which key it was, so it never logs which specific keys are getting pressed.

@PaulaZa5
Author

PaulaZa5 commented Dec 9, 2017

It doesn't get to start, so the behavioral shield doesn't identify it as a keylogger. Also this doesn't explain why other executables are detected as filecoders (which I'm pretty sure has something to do with the freezing script, because the antivirus has no way to know it is a filecoder unless it actually executes coding activity).
Anyway, in those cases you have to submit the files and the program's download link for review and they will just exclude it in the next database update. I'm going to submit this to Avast and see where it is going.

@johan-bjareholt
Member

I have no experience with Avast, but it could also be something related to PyInstaller. Since the whole python interpreter and its standard library is included, anything within those could also be the reason why Avast reports it as a filecoder.

It wouldn't surprise me if the most common filecoder ransomware for Windows were written in Python with PyInstaller, since Python is easy to use with built-in encryption algorithms and PyInstaller makes it easy to distribute.

We should probably add checksums to our downloads though, we currently don't have that.

Anyway, in those cases you have to submit the files and the program's download link for review and they will just exclude it in the next database update. I'm going to submit this to Avast and see where it is going.

I also have no idea how this works; would this whitelist this specific version or all forthcoming versions?

@ErikBjare
Member

This has already been discussed in #140

Closing since it's a duplicate.

@ErikBjare
Member

ErikBjare commented Dec 10, 2017

There is no API in windows/mac/linux which only detects that any key is pressed, so aw-watcher-afk has to fetch which key is pressed as well, which is exactly how a keylogger works. Your anti-virus only detects that aw-watcher-afk uses this API and assumes that it's a virus, but in reality aw-watcher-afk uses this API to fetch the most recently pressed key, but then just throws away the data about which key it was, so it never logs which specific keys are getting pressed.

This is false. aw-watcher-afk uses platform-specific APIs on Windows and macOS to get the time passed since last input without listening to every keystroke/mouse-movement since some time now. It's possible it might still get detected as a keylogger on those OSes however since PyUserInput might still end up in the bundle.
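The distinction ErikBjare draws above (reading "time since last input" from the OS versus hooking every keystroke) is the whole difference between an idle detector and a keylogger. The following is an added example, not ActivityWatch's own code: it reads idle time on Windows from the documented `GetLastInputInfo`/`GetTickCount` APIs, which expose only a timestamp and never key identities, and turns a series of idle readings into AFK state changes. The 180-second timeout and the sample readings are constructed values.

```python
import ctypes
import sys

# Constructed default; real watchers make this configurable.
AFK_TIMEOUT_S = 180


class LASTINPUTINFO(ctypes.Structure):
    # Layout of the Win32 LASTINPUTINFO struct: size field plus tick count
    # (in ms since boot) of the most recent keyboard or mouse input.
    _fields_ = [("cbSize", ctypes.c_uint), ("dwTime", ctypes.c_uint)]


def idle_from_ticks(now_ms: int, last_input_ms: int) -> int:
    """Elapsed ms between two 32-bit tick values.

    GetTickCount wraps to 0 roughly every 49.7 days, so a plain subtraction
    would go negative right after a wrap; masking to 32 bits fixes that.
    """
    return (now_ms - last_input_ms) & 0xFFFFFFFF


def windows_idle_seconds() -> float:
    """Seconds since the last input event, without installing any hook.

    The OS maintains the timestamp itself, so the process never sees which
    key was pressed, only that *some* input happened at a given tick.
    """
    if sys.platform != "win32":
        raise RuntimeError("GetLastInputInfo is only available on Windows")
    info = LASTINPUTINFO()
    info.cbSize = ctypes.sizeof(LASTINPUTINFO)
    if not ctypes.windll.user32.GetLastInputInfo(ctypes.byref(info)):
        raise ctypes.WinError()
    now = ctypes.windll.kernel32.GetTickCount()
    return idle_from_ticks(now, info.dwTime) / 1000.0


def afk_transitions(idle_samples, timeout_s=AFK_TIMEOUT_S):
    """Map one idle-seconds reading per poll to a list of (poll_index, state).

    Only the idle *duration* is consulted, never any input content.
    """
    transitions, afk = [], False
    for i, idle in enumerate(idle_samples):
        now_afk = idle >= timeout_s
        if now_afk != afk:
            transitions.append((i, "afk" if now_afk else "not-afk"))
            afk = now_afk
    return transitions
```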

@PaulaZa5
Author

Avast flagged the app as safe. I truly suggest that you submit the file to other anti-virus software because, really, anyone who downloads the app and then sees the AV pop up saying that it is unsafe to use will just delete it.

3 participants