
Unknown publisher / company (Windows Defender block HJT) #22

Open
ghost opened this issue Feb 2, 2018 · 6 comments
@ghost

ghost commented Feb 2, 2018

Hi,
That's me again...
When I start HijackThis THE FIRST TIME, MS Defender doesn't want to start it (red dialog) because the software has 'no publisher / company'. It is presented like a virus. That's not good; when in doubt, users may stop and forget it.
I've seen this behaviour after starting the beta to test the bug corrections.

Regards,

@dragokas
Owner

dragokas commented Feb 2, 2018

Hi, BUBBLEIO!

It's not a bug.
First, the UAC window will show Publisher/Company only if the binary is digitally signed with a valid certificate. A valid Authenticode certificate costs around $200.

Second, MS Defender recognizes new, unknown software as safe if it is signed by a so-called EV (extended validation) certificate. That costs around $400.

Since, personally, I have no special need for a certificate for one single freeware program, and it's huge money here in Ukraine, I'm not planning to buy one.

Currently, my digital signature is self-signed (meaning self-issued) and can be confirmed in the file properties:
by fingerprint - 05F1F2D5BA84CDD6866B37AB342969515E3D912E
and serial number - f4dbdd6e9c3591ac4a5c39e95a82536f

Here are the statistics: https://www.herdprotect.com/signer-alex-dragokas-f4dbdd6e9c3591ac4a5c39e95a82536f.aspx

The verification check will fail with the error: "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." That's normal, and it means the binary has successfully passed the integrity check, but the certificate is not trusted.

Alternatively, you can install my certificate into the root store by clicking file properties -> Digital Signatures -> Details -> View Certificate -> Install Certificate... In that case Publisher/Company will be shown in the UAC window.

Also, every test or public build passes a VirusTotal check before uploading, by default.

Since, currently, it's not possible to resolve the MS Defender false positive (in general, for all future binaries),
for now I'll not close this case; maybe other people will face the same issue.

However, after each public release (v3+) we'll try to send a sample to Microsoft.
Thanks for the report.
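Added example (not part of this thread or of the HiJackThis project): a PowerShell check that confirms the downloaded binary's integrity and that its signer matches the fingerprint and serial number quoted in the comment above. It is the safer alternative to the "Install certificate..." route, because importing a self-signed certificate into the Trusted Root store makes everything ever signed with that key trusted machine-wide; comparing the thumbprint per file gives the same assurance for this one binary only. The function name, the result labels and the file path in the usage line are assumptions; the expected thumbprint and serial are the values from the comment.

```powershell
function Test-ExpectedSigner {
    <#
    .SYNOPSIS
    Verify an Authenticode signature and compare the signer against a known
    self-signed certificate instead of trusting the root store.
    #>
    param(
        [Parameter(Mandatory)][string]$Path,
        # Expected values taken from the comment above (assumed current for the build you test).
        [string]$ExpectedThumbprint = '05F1F2D5BA84CDD6866B37AB342969515E3D912E',
        [string]$ExpectedSerial     = 'F4DBDD6E9C3591AC4A5C39E95A82536F'
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # No signature at all: nothing to compare, do not run it on that basis.
    if ($sig.Status -eq 'NotSigned') {
        return [pscustomobject]@{ Path = $Path; Result = 'NotSigned'; Detail = $sig.StatusMessage }
    }

    # HashMismatch means the file bytes no longer match what was signed: treat as tampered,
    # regardless of who the signer is.
    if ($sig.Status -eq 'HashMismatch') {
        return [pscustomobject]@{ Path = $Path; Result = 'Tampered'; Detail = $sig.StatusMessage }
    }

    $cert     = $sig.SignerCertificate
    $thumbOk  = $cert.Thumbprint   -ieq $ExpectedThumbprint
    $serialOk = $cert.SerialNumber -ieq $ExpectedSerial

    # 'Valid' is only reported when the chain ends in a trusted root. For a self-signed
    # signer the status is not 'Valid' and StatusMessage carries the "terminated in a root
    # certificate which is not trusted" text; the hash over the file still matched.
    $chainTrusted = $sig.Status -eq 'Valid'

    $result = if ($thumbOk -and $serialOk) {
        if ($chainTrusted) { 'SignedByExpectedPublisher' }
        else               { 'SignedByExpectedPublisher-UntrustedRoot' }
    } else {
        'UnexpectedSigner'
    }

    [pscustomobject]@{
        Path       = $Path
        Result     = $result
        Status     = $sig.Status
        Thumbprint = $cert.Thumbprint
        Serial     = $cert.SerialNumber
        Subject    = $cert.Subject
        Detail     = $sig.StatusMessage
    }
}

# Usage (path is an assumption):
Test-ExpectedSigner -Path 'C:\Tools\HiJackThis.exe' | Format-List
```

Only 'SignedByExpectedPublisher-UntrustedRoot' (or 'SignedByExpectedPublisher' once the cert is trusted) is the outcome the comment describes as normal; 'UnexpectedSigner' with a different thumbprint means someone re-signed the binary, and 'Tampered' or 'NotSigned' should stop you from running it at all. Note that matching the thumbprint does not make Defender or SmartScreen stop warning; it only tells you the file is the author's build.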

@ghost
Author

ghost commented Feb 2, 2018

OK, clear. I wasn't aware of this level of requirement for Windows versions which are NOT SERVER versions. Your position is totally logical. Stay like this...

@ghost ghost closed this as completed Feb 2, 2018
@dragokas dragokas changed the title Unknown publisher / company Unknown publisher / company (Windows Defender block HJT) Feb 2, 2018
@dragokas
Owner

dragokas commented Feb 2, 2018

I'll leave this issue open so that nobody asks the same thing again,
and considering that the issue is not resolved.

@dragokas dragokas reopened this Feb 2, 2018
@gywerd

gywerd commented Feb 7, 2018

There must be something wrong. Windows can't run the binary when downloaded directly. The zipped version contained Trojan:Win32/Spursint.F!cl according to Windows Defender and was removed. And Visual Studio fails to clone while resolving 810/816 deltas. I usually never experience that, and it makes recompiling impossible. There is no problem with 2.0.5 Beta from SourceForge. Consequently, there must be something in the code which triggers the problem. And surely no one would dare use it for the purpose of getting rid of malware with such an issue.

@dragokas
Owner

dragokas commented Feb 7, 2018

Hi, gywerd!

There must be something wrong. Windows can't run the binary when downloaded directly. The zipped version contained Trojan:Win32/Spursint.F!cl according to Windows Defender and was removed.

There is nothing wrong. Windows Defender is very suspicious of any new file without a valid signature. I can offer to look at VirusTotal instead.
If you would like to help with resolving false positives, please send a sample via this link: https://www.microsoft.com/en-us/wdsi/filesubmission
(column Submission -> Software developer (registration required))
I'm not going to send to Microsoft every time on my own, considering the fact that MS usually takes a very long time to make decisions. A new version of HJT comes out faster than that.
If I see any detection on VT, in that case I usually send a sample on my own.

And Visual Studio fails to clone while resolving 810/816 deltas.

I am not an expert in the various GitHub stuff, so I can't answer why this bug happens. I don't even know how to reproduce it. You don't need VS to download the project. It can be downloaded without problems via the "Clone or download" button on this page or via Git Bash. If you are experiencing problems when trying to compile my project, please open a new issue and describe it in detail. The project can be compiled without any problem directly via the VB6 IDE (build 9782), launched elevated (just sometimes the reference to Microsoft MSComCtl.dll needs to be repaired), or via the 2_Make&UPX&_Sign.cmd file (you will get a binary identical to mine, just without my EDS).

@dragokas
Owner

dragokas commented Dec 6, 2018

Everybody who happens to encounter a false positive from an antivirus on our HiJackThis fork, please report it to the appropriate antivirus company via their form or e-mail.

Most of them you can find in this topic: https://safezone.cc/threads/kuda-soobschit-o-lozhnom-srabatyvanii-antivirusa.23501/

Or leave a comment in this topic.
Note: the more people send e-mails, the better the chances, and the faster they will remove the false positives.

Thank you.
