die_win32_portable_3.00.zip is reported as trojan

[halamix2]

When scanning die_win32_portable_3.00.zip Widows defender on Win 10 2004 reports Trojan:Win32/Wacatac.C!ml in die_win32_portable/die.exe

die_win32_portable_2.05.zip doesn't report any trojan

[horsicq]

Hello! Thanks a lot for the information!

[horsicq]

I sent the information to Microsoft: https://www.microsoft.com/en-us/wdsi/submission/f24af0e1-727f-47c4-a6c0-85af3fdc6a70

[horsicq]

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

[halamix2]

Windows no longer reports trojan, however Firefox 79.0 reports this file as malicious

Virustotal for die.exe file, 22 engines reported file as malicious ("invalid-rich-pe-linker-version" note is here but not on 2.05): https://www.virustotal.com/gui/file/cf5a19f0611de377178ca54d2ece443a4203f18d6de55fa9e9969a38fb53ca55/detection

In comparison 2.05 was only reported as malware by 4 engines (usually lesser known ones are more likely to report false positive): https://www.virustotal.com/gui/file/6e802a66da626c456961577881ade3a9869e88e8051bc3a4a6955508aa4f5430/detection

[horsicq]

hmm. Did you tested: die_winxp_portable_3.00.zip ?

[halamix2]

die_winxp_portable_3.00.zip doesn't trigger neither Windows Defender nor Firefox, and is clean according to Virustotal: https://www.virustotal.com/gui/file/64eb30cba9e6ab4f3c7b72c4d34e39ede91ac30d97d6975e4670921500be4ff6/detection

Virustotal for die.exe from die_winxp_portable_3.00.zip: https://www.virustotal.com/gui/file/7bcc028ac392ae642da90eaf1b47f9977fdeca383ee1d97c67d70e99f34a3092/detection

Windows Defender doesn't report the file (I have to reboot for testing on Windows, so it takes some time)

[horsicq]

Thanks for the info. The only thing that can be done is to wait until I have saved up enough money from donations to digitally sign the application. :)

[PELock]

That won't help you anyway, don't waste your money.

[horsicq]

That won't help you anyway, don't waste your money.

Do you know another solution? Just ignore the false detects?

[PELock]

Whitelist where possible, ignore elsewhere. Those AV bastard employees get to pay for every detection they can put in a database, so they are more than happy to put any hacking tool on their lists. Especially if they use it themselves, that's the case with most of the system or hacking tools even with highly popular tools like Process Hacker.

Some engines and signatures are licensed to other companies and if one of them puts you in their lists it's then spread to other AV products as well. No easy way out of false-positive detection hellhole, there is always some AV jerk who will think it's important to put your tool in Win64!HackingTool category or some other shit.

[horsicq]

@halamix2 Could you please try this? https://github.com/horsicq/DIE-engine/releases/download/3.00/die_win32_portable_noloader_3.00.zip

[halamix2]

die_win32_portable_noloader_3.00.zip is not reported by Firefox or Windows defender
VT zip: https://www.virustotal.com/gui/file/6a84c5605b7274ba0a1f31ee5af8d145da8838d9e69adbc7ede83bf736d05af1/detection
VT exe: https://www.virustotal.com/gui/file/75ba2c92fc956e3eccce48de56f7f221469f0c531e550cc59a1c785243080082/detection

[horsicq]

@halamix2 Thanks a lot!

[RedDragonWebDesign]

I just downloaded die_win32_portable_3.00.zip.

1. Google Chrome is blocking it and there's no whitelist. To bypass, you have to google the message, then go into your settings and completely turn off Safe Browsing.

2. Webroot Antivirus is detecting it as a virus and is quarantining it as soon as the user navigates to the unzipped folder in Windows Explorer.

I strongly dislike antivirus false positives. I'm sorry your project has to deal with this.

[horsicq]

Hello @RedDragonWebDesign Just try this file: https://github.com/horsicq/DIE-engine/releases/download/3.00/die_win32_portable_noloader_3.00.zip

[horsicq]

https://github.com/horsicq/DIE-engine/releases/tag/3.01

[graysuit]

Thanks for the info. The only thing that can be done is to wait until I have saved up enough money from donations to digitally sign the application. :)

As like PElock suggested, "Don't waste money in buying expensive signatures". It won't help.

Proof:
See, these all files are digitally signed and have valid certs. But see how much they are detectable.
https://github.com/tresacton/PasswordStealer
https://www.virustotal.com/gui/file/96a74d742c4cc761d1807f263844ad6c152f54b248362d2a2dc832d030dc29d8/details

Give some time to anti's to make your files recognizable.
lol !