Version 2.0.1 installer still triggers antivirus #40
Comments
This is weird because this time it is clean according to all major antiviruses. I don't know how exactly Google decides to flag programs as dangerous. I'll try to run some tests with removing parts of the app code.
I think your VirusTotal link may be for the GitHub URL as opposed to the file? If I follow the link next to the "Downloaded file" hash it shows issues. Also note that it wasn't just Chrome flagging in my case but Windows Defender too.
Indeed I've used a link. I was assuming that a direct link to the exe will scan the .exe behind that link.
This is still a problem sadly. Honestly log parsing is only as good as the folks who upload, and if everyone who uses Chrome and tries to use it gets the message, it won't work. Obviously for a programmer such as myself I can examine the code to ensure it's not malicious, but the vast majority of users are not in that boat.
Update: I did just submit this to MS: https://www.microsoft.com/en-us/wdsi/submission/4417a4c4-391a-4e84-834d-a908085924a1
Confirmed that this still shows up on VirusTotal for 33 engines. Even as a pretty heavy developer I can't be bothered to pore over the code and compile my own binary to ensure it's clean for something trivial like uploading logs when there are already competing products that work equally well. One or two engines detecting an issue is one thing, but if 50% of AV engines are detecting the binary then something needs to be fixed with the behavior of the app. I'd suggest scanning all the previous release binaries to figure out where the regression is. If I have time, I'll fire this up in a VM to see if I can figure out what it's doing that has AV engines screaming at it.
The hotslogs uploader has a run on startup option. There has to be a way to do that safely. If 1.7 was working, what was added in between November 2017 and January 2018? The other question is maybe someone flagged this to be a dick and now we have a bunch of false positives ... are we SURE that there is something wrong with the code/binary?
Same with version 2.0.2, blocked when attempting to download it due to apparently containing a virus.
Hey @poma, maybe this Hybrid Analysis link can help you sort it out. Kind regards,
Downloaded 2.0.1 installer from the website, which I assume contains 27db4cd. Both Chrome (63) and Windows Defender (Win 10) flagged it as dangerous.