bitdefender and windows edge detects vistumber as virus?

[EeroV]

bitdefender and windows edge detects vistumber as virus?

Is this false positive or release backdoored?

Eero

[EeroV]

https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe this is the detected url
and

[EeroV]

https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection

[acalcutt]

Unfortunately autoit, which vistumbler is written in, gets flagged as a false positive a lot. Vistumbler has struggled with this since the beginning.

I recently submitted the 10.7 release files to microsoft for false detection and they removed the false detection, so i think these files are fine. However I have also just submitted a false positive report to bitdefender, so we can see if they remove it too.

If vistumbler gets flagged by your AV company, my suggestion is to submit it as a false positive to them. I really don't have the time to chase down all these AV companies.

-Andrew

[acalcutt]

Submission 1006356816 (exe) and 1006356785 (zip)

Dear Andrew Calcutt,

Thank you for your file submission.

The file has been automatically sent to our laboratories for specialized analysis. If the file is indeed a False Positive, the detection will be removed in the next 72 hours and the modification will be implemented in the product through a Signature Update. Please keep your Bitdefender up-to-date.

Please be informed that this is an automated process. Reply to this email if you have any other issues regarding your Bitdefender product and one of our engineers will take over.

Have a nice day!

[EeroV]

On Thu, 8 Apr 2021, Eero Volotinen wrote:

https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe

Looks like this is (vistumbler) detected as false positive.

and

On Thu, 8 Apr 2021, Arnaud Jacques wrote: At first look, ClamAV is not the only one that flags it as malware :

https://www.virustotal.com/gui/file/071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4/detection and https://vistumbler.en.lo4d.com/virus-malware-tests but that has a different sha256sum. Hmm. If I feed the github URL into virustotal it comes up clean https://www.virustotal.com/gui/url/09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a/detection but if I download the file and give that to virustotal I get https://www.virustotal.com/gui/file/eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01/detection (the bit between file/ and /detection matches the sha256sum of my file and that on https://vistumbler.en.lo4d.com/virus-malware-tests ). Initially that page reported 19 security vendors flagged this file as malicious Size 6.92 MB direct-cpu-clock-access invalid-signature nsis overlay peexe runtime-modules signed but when I asked virustotal to rescan, "19 security vendors" changed to "16 security vendors". I have put my copy at: https://www.aitchison.me.uk/Vistumbler_v10-7.eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01.exe I think this means that raw.github.com has given out at least three different versions of this file. Eero, could you pass this back to the Vistumbler developer "Andrew" (Calcutt?) please ? # file Vistumbler_v10-7.exe Vistumbler_v10-7.exe: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive # host raw.github.com raw.github.com has address 185.199.108.133 raw.github.com has address 185.199.109.133 raw.github.com has address 185.199.110.133 raw.github.com has address 185.199.111.133

…

On Thu, Apr 8, 2021 at 3:28 AM Andrew Calcutt ***@***.***> wrote: Unfortunately autoit, which vistumbler is written in, gets flagged as a false positive a lot. Vistumbler has struggled with this since the beginning. I recently submitted the 10.7 release files to microsoft for false detection and they removed the false detection, so i think these files are fine. However I have also just submitted a false positive report to bitdefender, so we can see if they remove it too. If vistumbler gets flagged by your AV company, my suggestion is to submit it as a false positive to them. I really don't have the time to chase down all these AV companies. -Andrew — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#8 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC23RN7T6HWHYI7JLXMFGCLTHT2C3ANCNFSM42RMKCWA> .

[Firecul]

I think this means that raw.github.com has given out at least three
different versions of this file.

Not quite correct, the URL https://raw.github.com/acalcutt/Releases/master/Vistumbler/VistumblerMDB/v10/Vistumbler_v10-7.exe 09809c38129bd5ec94289969d9c35e97f5867f67b0a35d2acd9e811d34f8d89a serves the file Vistumbler_v10-7.exe eca2ace14102f623e1c2490257fb645611314c918e45a845ae7337cefa6ffd01 as noted on the virustotal page. This file is the installer for Vistumbler as expected.
The Vistumbler.exe you linked above 071921ede559082a14d54ba7f7f5cea2f6abced8f1747b245efff5d092a1aae4 is the actual program file as extracted from the zip (either the regular or portable, they are identical).
The zip is 7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0 and the portable f729b9bbaeadff288d78655b996102cc4274cb2d5527f58a1464eef3be9d636c

[acalcutt]

There are three downloads available for 10.7 The SHA256 of those files should be

Vistumbler_v10-7.exe - ECA2ACE14102F623E1C2490257FB645611314C918E45A845AE7337CEFA6FFD01
Vistumbler_v10-7.zip - 7CC806B74131BCCA5AE11EE81E39152DBC61F1477108FFDE7E416927C196DBA0
Vistumbler_v10-7_Portable.zip - F729B9BBAEADFF288D78655B996102CC4274CB2D5527F58A1464EEF3BE9D636C

All 3 should contain the same files.

• the non portable zip is just vistumbler with default settings (storing data in your profile temp directory and documents folder)
• the exe file is just the zip file packed into an installer with NSIS ( https://nsis.sourceforge.io/Main_Page )
• the portable version has different settings which cause temp files and save files to be stored inside the same directory as the program (better for portable use) instead of inside your windows profile.

I went and reanalyzed the file you submitted to virus total and it looks like bitdefender no longer considers them viruses, so it seems they consider it a false positive. You can see if you go to the link you posted above, https://www.virustotal.com/gui/file/7cc806b74131bcca5ae11ee81e39152dbc61f1477108ffde7e416927c196dba0/detection bitdefender has removed the detection

[acalcutt]

I've submitted a few more false positive reports to ClamAV and MalwareBytes (the rest don't seem to make it easy). maybe we can at least knock a few more off the list...

[EeroV]

https://www.getvisible.com/false-positive-virus-malware-scans/ contains all needed contacts Eero

…

On Fri 9. Apr 2021 at 4.48, Andrew Calcutt ***@***.***> wrote: I've submitted a few more false positive reports to ClamAV and MalwareBytes (the rest don't seem to make it easy). maybe we can at least knock a few more off the list... — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#8 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC23RN62CHCUWDE5F2OGBH3THZMFHANCNFSM42RMKCWA> .

[EeroV]

I just submitted files for some analysis. Eero

…

On Fri 9. Apr 2021 at 4.48, Andrew Calcutt ***@***.***> wrote: I've submitted a few more false positive reports to ClamAV and MalwareBytes (the rest don't seem to make it easy). maybe we can at least knock a few more off the list... — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#8 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AC23RN62CHCUWDE5F2OGBH3THZMFHANCNFSM42RMKCWA> .

[acalcutt]

Great, thanks