
Bitdefender blocks installation and quarantines the .exe and .ink #138

Closed
iuliangcata opened this issue Jan 6, 2016 · 20 comments

@iuliangcata

Very strange, my Bitdefender AV (free edition) has gone crazy. It treats the program like a very nasty virus, lol. Also, Windows Smart Screen too blocks installation. Can it be signed somehow?

@shibumi

shibumi commented Jan 10, 2016

I think the best solution would be to contact Bitdefender and label it as 'false-positive'.

@Jookadin

Not sure if I should create my own issue, but Bullguard anti-virus also treats the temp files as a threat and quarantines them, causing the installer to fail.

@annejan
Member

annejan commented Jan 12, 2016

It all comes down to the same issue.
The Windows trust model is broken . .

I have no idea how to go about obtaining a Microsoft code signing certificate . .
Anyone want to push me in the right direction?

@Jookadin

Hmm, Windows, for one, warns about the file, but I can run the installer anyway, and Windows doesn't do anything after that.
The issue might be how the installer runs? Bullguard, at least, only quarantines the tmp files, not the .exe

@annejan
Member

annejan commented Jan 12, 2016

Windows warns about the file because I don't pay the Microsoft Mafia code signing cert and it's not a popular enough app to be included by default . .

I have not heard about Bullguard, is it a popular computer-slow-down-application?

Anyways . . all jokes aside . .

Since I have not used Windows in the last 15 years, I know very little about its security-through-nagging systems and popular on-access blacklist and sometimes-heuristics-based pseudo-security applications.
I might be interested in signing the code, application and installer, but I'm not willing to invest much time into finding out which hoops I have to jump through to have this app be "trusted" on the Windows platform. Already had an offer of some(one/company) paying for (part of) the MS code signing certificate fees.

This will also slow down the release cycle, since currently the builds are handled by an external service.
https://ci.appveyor.com/project/annejan/qtpass I probably don't want that to have my code signing (private) key . .

If anyone has experience in this field, please let me know.

I would love to prevent having to buy a Windows licence for a virtual machine, set that shit up, get a code-signing key and invest even more time I will never get back into supporting this backward, extortionist non-free platform . .

@mrseeker

I checked it with VirusTotal, got no alarm bells going off, not for Bitdefender, not for Microsoft, not sure about Bullguard.

https://www.virustotal.com/en/file/7f5c2ec57a718123a9ce5d787fdd98e99db009b0c935ba0158783c7dbb887b8b/analysis/1452611237/

Compare the SHA256 with the file I submitted for screening, might be possible that your internet is compromised or that this is simply a case of a false-positive.

About the "windows smart screen": Check if you have "unblocked" the file (explorer -> right click on file -> properties -> unblock). This is a default blockade when you download unsigned files from the internet and have your security settings set too high.
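The two checks suggested in the comment above, as an added example that is not part of the original thread: confirm that a local download is byte-identical to the file behind a VirusTotal report, and read the Zone.Identifier stream that the "Unblock" button removes. The function names are hypothetical, the sample stream is constructed, and the zone numbers are the standard Windows URL security zones.

```python
import hashlib
import hmac
import re

# Constructed sample of a Zone.Identifier stream as Windows writes it for a
# browser download (ZoneId 3 = Internet zone).
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}


def sha256_from_vt_url(url):
    """Pull the 64-hex-digit SHA-256 out of a VirusTotal file-report URL."""
    m = re.search(r"/file/([0-9a-fA-F]{64})(?:/|$)", url)
    if not m:
        raise ValueError("no SHA-256 found in URL")
    return m.group(1).lower()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_report(path, vt_url):
    """True only if the local file is byte-identical to the scanned one."""
    return hmac.compare_digest(sha256_of_file(path), sha256_from_vt_url(vt_url))


def download_zone(stream_text):
    """Return the zone name recorded in a Zone.Identifier stream, or None."""
    in_section = False
    for line in stream_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and line.lower().startswith("zoneid="):
            value = line.split("=", 1)[1].strip()
            return ZONES.get(int(value), "Unknown") if value.isdigit() else None
    return None
```

On an NTFS volume the stream text can be read with `open(path + ":Zone.Identifier").read()`; a file that has been unblocked, or was never downloaded, has no such stream.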

@annejan
Member

annejan commented Jan 12, 2016

Just for fun I scanned the installed files . .

https://www.virustotal.com/en/file/7ec6c41aecf6b0f1b976e4788c2514d3679b7ac0c2e502013f59eb3117c9cd88/analysis/1452613742/
qtpass.exe ^= false positive Gen Malware Variant Razeta

Which is apparently a common false positive . .

The rest seems "clear" of any false positives or malware . .

https://www.virustotal.com/en/file/9576b334bb0800dc5132c57c36807149287b7f32c0139dc2ecf8ed4f54ccacc1/analysis/1452613969/
https://www.virustotal.com/en/file/d4fe73f2e3a7639222fc7eccf806a0731ddae804f6ddca86ca641133aea559ea/analysis/1452614036/

The Qt .dll were already scanned (some with obfuscated names apparently) but are also clean . .


I scanned both the 54 and 53 version of some .dll's (from earlier builds)

I'll go and report the false positive to the affected AV companies later today . .

@iuliangcata
Author

I was not insinuating, in fact I was sure it has to be a stupid false positive. I am using the free version of Bitdefender so it might be slightly different from the commercial one. I believe they don't provide support for the non-paying customer :). Anyway, the Windows signing is not that big of a deal, but it depends on the type of user. You have to click the "More Information" button/link sometimes to reveal the "Install anyway" button. That's not a problem for me, but I think there should be a wiki somewhere showing this step to the casual user.

@annejan
Member

annejan commented Jan 18, 2016

Yes, completely agree..
I'll get to redressing the qtpass.org site as soon as I find some time.

I've submitted False Positive reports to:

  • Lavasoft Ad-Aware
  • Bitdefender
  • F-Secure
  • MicroWorld-eScan
  • Qihoo-360

The rest were using engines from the above or didn't have (sane) ways of reporting false positives.

Also having a chat about signed binaries this weekend.

@annejan
Member

annejan commented Jan 22, 2016

Back down to only 2 scanners with a false positive, since most vendors updated their definitions.

https://www.virustotal.com/en/file/7ec6c41aecf6b0f1b976e4788c2514d3679b7ac0c2e502013f59eb3117c9cd88/analysis/

Unfortunately the latest (pre-1.1) build is giving the same false positives.
https://www.virustotal.com/en/file/8a2c7926cc8f4ad7a4ab3bb7ce3c965d6bb180803a095ca55f7c4bdf72878c1a/analysis/

I'm submitting another set of reports, this time asking if they have a hint as to what bit of code or assets is causing the issue.

@iuliangcata
Author

👍

@annejan
Member

annejan commented Jan 25, 2016

The last 5 builds have been issue free, seems escalating helped 🎯
(latest) https://www.virustotal.com/en/file/77fd52c411c2d8ebb3c218e848a7a0c235118551f48e6b5cc8a043db64fc6ab5/analysis/1453714752/

@annejan
Member

annejan commented Jan 25, 2016

I'm closing this issue and opening a new one about signed binaries #149

Keeping an eye out and will make sure next release (probably 1.1) will be cleared before it is released.

@annejan annejan closed this as completed Jan 25, 2016
@annejan
Member

annejan commented Jan 25, 2016

@annejan
Member

annejan commented Apr 4, 2016

And the false positives are back for v1.1.1
https://www.virustotal.com/en/file/5d6666b6013dddac007f127ced413a1c4ccc56b97f8a505cf1fc8905a583f3d6/analysis/1459762116/

@annejan annejan reopened this Apr 4, 2016
@annejan
Member

annejan commented Apr 4, 2016

Submitted to:

  • BitDefender
  • F-Secure
  • Lavasoft Ad-Aware
  • MicroWorld-eScan

@annejan
Member

annejan commented Apr 5, 2016

4 down, 4 left to go . .
https://virustotal.com/en/file/5d6666b6013dddac007f127ced413a1c4ccc56b97f8a505cf1fc8905a583f3d6/analysis/1459840647/

ALYac (uses bitdefender)

AegisLab and Rising seem to have weird submit forms which imply the files are suspect or malicious.
Will have a look at them later.

Submitted to:
Qihoo-360 (360totalsecurity)

@annejan
Member

annejan commented Jun 1, 2016

@annejan
Member

annejan commented Jun 20, 2016

Even though I have not automated uploading to VirusTotal with AppVeyor yet, I'm closing this issue, since it is in my (not yet public) release routines . .

@annejan annejan closed this as completed Jun 20, 2016