Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VirusTotal false positive? #46

Open
SleepDaemon opened this issue Nov 20, 2023 · 21 comments
Open

VirusTotal false positive? #46

SleepDaemon opened this issue Nov 20, 2023 · 21 comments

Comments

@mjishnu
Copy link
Owner

mjishnu commented Nov 23, 2023

As expressed in #44 the answer remains same, these are all false positive by the malware scanner and for skeptical folks i would suggest build from source.

@mjishnu
Copy link
Owner

mjishnu commented Dec 20, 2023

UPDATE (v2.6.8): This false positive is caused because pyinstaller is used by many bad actors to supply malware. The fix i used is to compile the bootloader myself even though it does reduce the false positive detection from 14 to 4 it doesn't complete remove them so hence the new virus total report, The only permeant fix is to digitally sign the app but it requires a paid license

@mjishnu mjishnu changed the title VirusTotal 14 flags, false positive? VirusTotal false positive? Dec 20, 2023
@edgeofinnerspace
Copy link

UPDATE (v2.6.8): This false positive is caused because pyinstaller is used by many bad actors to supply malware. The fix i used is to compile the bootloader myself even though it does reduce the false positive detection from 14 to 4 it doesn't complete remove them so hence the new virus total report, The only permeant fix is to digitally sign the app but it requires a paid license

check out laragon - not sure if you can sign with your own signature but it does have the capability built in to the services it comes with - im not a dev so i am not sure how all that works. but i have also seen software for windows for signing and distributing and it was meant to be a free tool as well as open source. it was several years ago but i will see if i can find it.

@mjishnu
Copy link
Owner

mjishnu commented Dec 22, 2023

UPDATE (v2.6.8): This false positive is caused because pyinstaller is used by many bad actors to supply malware. The fix i used is to compile the bootloader myself even though it does reduce the false positive detection from 14 to 4 it doesn't complete remove them so hence the new virus total report, The only permeant fix is to digitally sign the app but it requires a paid license

check out laragon - not sure if you can sign with your own signature but it does have the capability built in to the services it comes with - im not a dev so i am not sure how all that works. but i have also seen software for windows for signing and distributing and it was meant to be a free tool as well as open source. it was several years ago but i will see if i can find it.

isn't largon for web apps can you build python app more specifically pyqt apps with it? btw if you do find something that can digitally sign the app please do tell me thanks!

@mjishnu mjishnu pinned this issue Jun 19, 2024
@mjishnu mjishnu mentioned this issue Oct 2, 2024
@Adhjie
Copy link

Adhjie commented Nov 16, 2024

I forgot the app name but there is an app that signed their app signature locally, to bypass the expensive signing cert.
msys2 repo could be add as trusted cert to avoid wget error.
Obtainium uses AppVerifier, though the main method is to verify it with apksigner tool or app. but thats mobile i think.
AppVerifier itself is verified using 'apksigner'. The hash is posted at different place from the internet as to distrust or make it more objective.
Oh yeah, I've just remembered it. It's also used by Accrescent.
not sure, is there an equivalent to apksigner in desktop environment?
Breezy Weather wins the false positive case somehow, surprisingly, great, not so lucky for the rest of devs that I mentioned here:
reference:
Adhjie/Adhjie-Discussion#10
edit:
forgot to mention NVCleanstall method to bypass patched part ( nvidia-patch ) of the app into nvidia driver. this is hacky but it works to bypass NVIDIA consumer GPU card limitation.

@edgeofinnerspace
Copy link

hey, yes what i was thinking of was a desktop software, if i remember right, it may have been by the same dev that makes BCUninstaller (BullCrapUninstaller), actually now that I mention that, this does sound about right. i have it on my other laptop. i've been too anxious to turn it on for almost two years now because of some unexplainable issues it is having. ...but i guess i should turn it on and find that software. if you know anything about why a windows 10 laptop would be writing what, at first glance, duplicate files and directories to somewhere on the harddrive. but it was doing it so fast, the laptop i had for 4 years without using 50% of the terabyte drive had only about 10% left after a single weekend. and i only noticed it by chance. otherwise it wouldve been full. tried restarting, obviously, i thought it was something to do with sandboxie but after logging in, the black screen after sign in immediately before desktop finally loads and becomes visible, instead stays black and explorer never starts - but if i launch it through other programs which i must use shortcuts/hotkeys to do, the file manager still open for file open/save dialogs, etc, but still no explorer, start bar, etc...

so i just had to turn it off. but i will boot it and find that software tonight.

by the way, what are you working on with pyqt? i am torn between building the app im working on with something like NodeGraphQT, Ryven, Pyflow or something similar but i just cant really code. i made a sniper bot that runs on python though. on like 9 chains i think. now i am trying to build a visual editor to use for creating auto trading strategies on a node graph interface. those were the python libraries/projects i was interested in. but all of them so far, are incomplete and devs have seemed to abandon them. the javascript node graph platforms i'm considering are either complete with extensive docs and full API reference, etc and one most likely wont even need anymore updates because it was built that well. its just all so far over my head trying to do things like build custom web3 nodes with no documentation. so right now i'm almost done rescusing eth.build which is also sadly abandon.

and yes, laragon can be configured to run just about whatever, i wish i COULD code because of software i stumble upon like this. i think most people are under the impression that its more for web apps or guys who host their own stuff using PHP but i think its just because thats really the only circle of devs it is known within by more than just a few people and for that reason people in other domains just never take a deeper look. i am under the impression it can be extended to do whatever. i use it as a sandbox and for environment/de[endency isolation on a laptop that doesnt have WSL so no containers... and any development related tasks or software it is basically my dev mode launcher ,d.^^b_,

but, you can use it for nodejs projects, it comes with python, node, its own vs code (which all run and much faster than system/user installed versios because not using windows services but laragon's. you can set it to launch vs code from whatever URL pointing to a .zip file you want really. build and launch packages/projects/repos by selecting them from its main toolbar and it lets you set your own custom url , for instance, for quickly sharing or showcasing a prototype but with something cooler than a localhost and port # address hah.

im rambling. let me find that software though.

@edgeofinnerspace
Copy link

code
shareproject
quickapp

@mjishnu
Copy link
Owner

mjishnu commented Nov 18, 2024

hey, yes what i was thinking of was a desktop software, if i remember right, it may have been by the same dev that makes BCUninstaller (BullCrapUninstaller), actually now that I mention that, this does sound about right. i have it on my other laptop. i've been too anxious to turn it on for almost two years now because of some unexplainable issues it is having. ...but i guess i should turn it on and find that software. if you know anything about why a windows 10 laptop would be writing what, at first glance, duplicate files and directories to somewhere on the harddrive. but it was doing it so fast, the laptop i had for 4 years without using 50% of the terabyte drive had only about 10% left after a single weekend. and i only noticed it by chance. otherwise it wouldve been full. tried restarting, obviously, i thought it was something to do with sandboxie but after logging in, the black screen after sign in immediately before desktop finally loads and becomes visible, instead stays black and explorer never starts - but if i launch it through other programs which i must use shortcuts/hotkeys to do, the file manager still open for file open/save dialogs, etc, but still no explorer, start bar, etc...

so i just had to turn it off. but i will boot it and find that software tonight.

by the way, what are you working on with pyqt? i am torn between building the app im working on with something like NodeGraphQT, Ryven, Pyflow or something similar but i just cant really code. i made a sniper bot that runs on python though. on like 9 chains i think. now i am trying to build a visual editor to use for creating auto trading strategies on a node graph interface. those were the python libraries/projects i was interested in. but all of them so far, are incomplete and devs have seemed to abandon them. the javascript node graph platforms i'm considering are either complete with extensive docs and full API reference, etc and one most likely wont even need anymore updates because it was built that well. its just all so far over my head trying to do things like build custom web3 nodes with no documentation. so right now i'm almost done rescusing eth.build which is also sadly abandon.

and yes, laragon can be configured to run just about whatever, i wish i COULD code because of software i stumble upon like this. i think most people are under the impression that its more for web apps or guys who host their own stuff using PHP but i think its just because thats really the only circle of devs it is known within by more than just a few people and for that reason people in other domains just never take a deeper look. i am under the impression it can be extended to do whatever. i use it as a sandbox and for environment/de[endency isolation on a laptop that doesnt have WSL so no containers... and any development related tasks or software it is basically my dev mode launcher ,d.^^b_,

but, you can use it for nodejs projects, it comes with python, node, its own vs code (which all run and much faster than system/user installed versios because not using windows services but laragon's. you can set it to launch vs code from whatever URL pointing to a .zip file you want really. build and launch packages/projects/repos by selecting them from its main toolbar and it lets you set your own custom url , for instance, for quickly sharing or showcasing a prototype but with something cooler than a localhost and port # address hah.

im rambling. let me find that software though.

largon seems nice but it can't digitally sign for free right 🥲, and if you do find the software tell me and regarding your pc idk i have never heard of such a scenario maybe some malware infected ur pc or idk maybe some win update busted it up. if you really want to fix it my opinion is to boot up linux using a thumb drive copy important data then format ur pc that is if you are not using bit locker if you are then your options are limited.

and currently i am not working on any pyqt apps i am currently rewriting this app to a winui app you can learn more about it from here (#60, #68) and if you want to build using pyqt here is a great repo for pyqt ui widget

@mjishnu
Copy link
Owner

mjishnu commented Nov 18, 2024

I forgot the app name but there is an app that signed their app signature locally, to bypass the expensive signing cert. msys2 repo could be add as trusted cert to avoid wget error. Obtainium uses AppVerifier, though the main method is to verify it with apksigner tool or app. but thats mobile i think. AppVerifier itself is verified using 'apksigner'. The hash is posted at different place from the internet as to distrust or make it more objective. Oh yeah, I've just remembered it. It's also used by Accrescent. not sure, is there an equivalent to apksigner in desktop environment? Breezy Weather wins the false positive case somehow, surprisingly, great, not so lucky for the rest of devs that I mentioned here: reference: Adhjie/Adhjie-Discussion#10 edit: forgot to mention NVCleanstall method to bypass patched part ( nvidia-patch ) of the app into nvidia driver. this is hacky but it works to bypass NVIDIA consumer GPU card limitation.

i will check these repos out btw if you do remember the app name it would be great help that would reduce my research time

@edgeofinnerspace
Copy link

yea, i haven't found it yet and have been too busy to start with my other laptop because it will need to have very tedious even in safe mode. i just downloaded last of recovery tools i needed though.

in the meantime, i stumbled on this completely randomly about an hour ago, which is weird - because, i haven't read all of this but it may be another option than the software i have. i am not sure if it could be used for python too? i suppose once it's already in an executable format it wouldn't matter...
https://www.electron.build/win.html

@edgeofinnerspace
Copy link

from JSign:

Signing with AWS Key Management Service
AWS Key Management Service (KMS) stores only the private key, the certificate must be provided separately. The keystore parameter references the AWS region. Setting the AWS_USE_FIPS_ENDPOINT environment variable to true will ensure the FIPS endpoint is used.
The AWS access key, secret key, and optionally the session token, are concatenated and used as the storepass parameter; if the latter is not provided, Jsign attempts to fetch the credentials from the environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN) or from the IMDSv2 service when running on an AWS EC2 instance.
In any case, the credentials must allow the following actions: kms:ListKeys, kms:DescribeKey and kms:Sign.
The alias parameter can specify either the key id or an alias.

       --keystore eu-west-3 \
       --storepass "<access-key>|<secret-key>|<session-token>" \
       --alias 12345678-abcd-1234-cdef-1234567890ab \
       --certfile full-chain.pem application.exe```
       
       
How the certificate part is handled, I do not know - but AWS Key Management is also part of their free tier with around 20k requests per month.
Azure Key Vault, for instance, requires two roles being created: "Key Vault Crypto User" and "Key Vault Certificate User".

I've almost mustered up the courage to boot up this other laptop now that I have all the software. If it's not completely done for I'll get that software I first mentioned though.

@edgeofinnerspace
Copy link

edgeofinnerspace commented Nov 23, 2024

Why don't you use cert one already in Windows? Though, I'm sure you would eventually or even now would want your own...

If you see in the picture in the bottom right > Microsoft states that it can verify the publisher, which is you. Microsoft is only the issuer.

cert1

I don't recall at the moment how or why I had this one which is now expired. But you should be able to atleast try with powershell ^6. Copy one of the certs from certmgr.msc with 'code signing' as intended purpose to you personal > certificates store and see if it's possible...

PS C:\> $cert = Get-PfxCertificate C:\Test\Mysign.pfx
PS C:\> Set-AuthenticodeSignature -Certificate $cert `
            -Filepath C:\Build\extraordinary.dll `
            –TimestampServer “http://tsa.starfieldtech.com"

percert

@mjishnu
Copy link
Owner

mjishnu commented Dec 1, 2024

Why don't you use cert one already in Windows? Though, I'm sure you would eventually or even now would want your own...

If you see in the picture in the bottom right > Microsoft states that it can verify the publisher, which is you. Microsoft is only the issuer.

cert1

I don't recall at the moment how or why I had this one which is now expired. But you should be able to atleast try with powershell ^6. Copy one of the certs from certmgr.msc with 'code signing' as intended purpose to you personal > certificates store and see if it's possible...

PS C:\> $cert = Get-PfxCertificate C:\Test\Mysign.pfx
PS C:\> Set-AuthenticodeSignature -Certificate $cert `
            -Filepath C:\Build\extraordinary.dll `
            –TimestampServer “http://tsa.starfieldtech.com"

percert

hey i was kinda busy so didn't get time to check but how does this work doesn't i need a valid certificate for this where can i get it.

@edgeofinnerspace
Copy link

hey, it's called Application Verifier, if I'm looking at the right one but I will look on external drive too.

sorry, I don't know where to see notifications for this and only know how to get here via searching for the email from GitHub about last reply...

@edgeofinnerspace
Copy link

Why don't you use cert one already in Windows? Though, I'm sure you would eventually or even now would want your own...
If you see in the picture in the bottom right > Microsoft states that it can verify the publisher, which is you. Microsoft is only the issuer.
cert1
I don't recall at the moment how or why I had this one which is now expired. But you should be able to atleast try with powershell ^6. Copy one of the certs from certmgr.msc with 'code signing' as intended purpose to you personal > certificates store and see if it's possible...

PS C:\> $cert = Get-PfxCertificate C:\Test\Mysign.pfx
PS C:\> Set-AuthenticodeSignature -Certificate $cert `
            -Filepath C:\Build\extraordinary.dll `
            –TimestampServer “http://tsa.starfieldtech.com"

percert

hey i was kinda busy so didn't get time to check but how does this work doesn't i need a valid certificate for this where can i get it.

there are certificates included by default in the Microsoft cert store utility for windows. some specifically for code signing. if you read any of the certificates for code signing stated purpose carefully the (cert) issuer and the (code) publisher are not required to be the same entity. you would be the publisher that uses an issuer's certificate for it's stated purpose. I'm not sure why this isn't mentioned anywhere unless no one has noticed this

d.x_X.b

@Adhjie
Copy link

Adhjie commented Dec 12, 2024

I might be useless, because IDK the apksigner and reproducible build guide equivalent in python.
But these are my drafts of suggestions:

Use a signed Sha cert or something like apksigner like from this AppVerifier Readme.md (IK this from Obtainium readme.md)

Reproducible build is indeed hard in python, I just found out there's even a subreddit for RP, it is possible by F-Droid and accrescent with varied mix of RP vs app store signed cert only, which is not ideal yet.
Feel free to search more verifier app like AppVerifier or Android apksigner CLI. And RP.
Here are the quotes and searches about either cert signing, Sha hash verification, and/or reproducible build.

(Sorry for the rough draft, I'm currently on mobile and is not at home)

Adhjie/Adhjie-Discussion#4 (my exposition on hypatia, virustotal, or other aspect)

Forgot to mention VirusTotal integration, check the link, Autoruns by sysinternals dev and AppManager by MuntashirAkon has built-in VirusTotal.
Final boss would be VirusTotal in UniGetUI, if it ever gets implemented.

https://news.ycombinator.com/item?id=36349478

https://www.google.com/search?q=how%20to%20make%20a%20python%20app%20in%20windows%20reproducible%3F&ie=utf-8&client=firefox-b-m

https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/2023-10-01-all.md

https://discuss.grapheneos.org/d/14452-how-to-explain-why-accrescent-over-f-droid/31

https://www.google.com/search?q=accrescent%20reproducible%20build&ie=utf-8&client=firefox-b-m

https://accrescent.app/faq#verifying1.

It can also be found on a Bluesky post to distrust the website. It is encouraged to verify it's the same with other people as well for assurance.
------diff quote starts
The package name and SHA-256 hash of the signing certificate is below, so you can verify AppVerifier with apksigner using apksigner verify --print-certs AppVerifier-X.Y.Z.apk if you are downloading the APK. If you are downloading from Accrescent then you should verify Accrescent itself here.

DO NOT use AppVerifier to verify itself!
Also DO NOT use AppVerifier to verify Accrescent if you downloaded AppVerifier from it.

https://github.com/soupslurpr/AppVerifier

AppVerifier - App verification tool (recommended, integrates with Obtainium)

https://www.google.com/search?q=reproducible%20build%20for%20python%20based%20desktop%20app&ie=utf-8&client=firefox-b-m

https://developer.android.com/tools/apksigner

Alternative.to is for alternative but by specifying the OS selection, I think equivalent or counterpart between programming languages app could be searched.
There's also sourceforge, honestly, I'm not sure after reading hackernews, stack exchange and others about the difficulties in making python app reproducible.

Oh yeah, msys2 pacman also needs the msys2 cert by exporting it to msys2 from browser security page with the lock in Firefox, it's along with tracking protection icon. (No auto currently last time I use it , not sure if this is just import export or count as self signed)

Edit 2:
Is the option in NVcleanstall to bypass nvidia-patch by keylase warning, count as hacky thus not safe, and not a viable option to cert sign?

Tl;dr.
https://www.google.com/search?q=self%20sign%20app%20in%20windows%20with%20the%20issuer%20being%20microsoft%3F&ie=utf-8&client=firefox-b-m
Is the options in the above link possible?

@mjishnu
Copy link
Owner

mjishnu commented Dec 12, 2024

Application Verifier

are you taking about this Microsoft Application Verifier this seems to be a tool for finding security flaws is it possible to sign with it ?

there are certificates included by default in the Microsoft cert store utility for windows. some specifically for code signing. if you read any of the certificates for code signing stated purpose carefully the (cert) issuer and the (code) publisher are not required to be the same entity. you would be the publisher that uses an issuer's certificate for its stated purpose. I'm not sure why this isn't mentioned anywhere unless no one has noticed this

Can you elaborate on this i have never heard of such, if possible, can you provide steps on how i can do this it's my first time signing an app all i heard is you need to pay so i am a total noob.

@edgeofinnerspace btw i too only get notification when i check my mail the GitHub mobile app doesn't give notification for some reason at least for me

@mjishnu
Copy link
Owner

mjishnu commented Dec 12, 2024

I might be useless, because IDK the apksigner and reproducible build guide equivalent in python. But these are my drafts of suggestions:

Use a signed Sha cert or something like apksigner like from this AppVerifier Readme.md (IK this from Obtainium readme.md)

Reproducible build is indeed hard in python, I just found out there's even a subreddit for RP, it is possible by F-Droid and accrescent with varied mix of RP vs app store signed cert only, which is not ideal yet. Feel free to search more verifier app like AppVerifier or Android apksigner CLI. And RP. Here are the quotes and searches about either cert signing, Sha hash verification, and/or reproducible build.

(Sorry for the rough draft, I'm currently on mobile and is not at home)

Adhjie/Adhjie-Discussion#4 (my exposition on hypatia, virustotal, or other aspect)

Forgot to mention VirusTotal integration, check the link, Autoruns by sysinternals dev and AppManager by MuntashirAkon has built-in VirusTotal. Final boss would be VirusTotal in UniGetUI, if it ever gets implemented.

https://news.ycombinator.com/item?id=36349478

https://www.google.com/search?q=how%20to%20make%20a%20python%20app%20in%20windows%20reproducible%3F&ie=utf-8&client=firefox-b-m

https://gitlab.com/obfusk/fdroid-misc-scripts/-/blob/master/reproducible/2023-10-01-all.md

https://discuss.grapheneos.org/d/14452-how-to-explain-why-accrescent-over-f-droid/31

https://www.google.com/search?q=accrescent%20reproducible%20build&ie=utf-8&client=firefox-b-m

https://accrescent.app/faq#verifying1.

It can also be found on a Bluesky post to distrust the website. It is encouraged to verify it's the same with other people as well for assurance. ------diff quote starts The package name and SHA-256 hash of the signing certificate is below, so you can verify AppVerifier with apksigner using apksigner verify --print-certs AppVerifier-X.Y.Z.apk if you are downloading the APK. If you are downloading from Accrescent then you should verify Accrescent itself here.

DO NOT use AppVerifier to verify itself! Also DO NOT use AppVerifier to verify Accrescent if you downloaded AppVerifier from it.

https://github.com/soupslurpr/AppVerifier

AppVerifier - App verification tool (recommended, integrates with Obtainium)

https://www.google.com/search?q=reproducible%20build%20for%20python%20based%20desktop%20app&ie=utf-8&client=firefox-b-m

https://developer.android.com/tools/apksigner

Alternative.to is for alternative but by specifying the OS selection, I think equivalent or counterpart between programming languages app could be searched. There's also sourceforge, honestly, I'm not sure after reading hackernews, stack exchange and others about the difficulties in making python app reproducible.

Oh yeah, msys2 pacman also needs the msys2 cert by exporting it to msys2 from browser security page with the lock in Firefox, it's along with tracking protection icon. (No auto currently last time I use it , not sure if this is just import export or count as self signed)

Edit 2: Is the option in NVcleanstall to bypass nvidia-patch by keylase warning, count as hacky thus not safe, and not a viable option to cert sign?

thanks for the information's i will check them out

@Adhjie
Copy link

Adhjie commented Dec 12, 2024

Oh yeah, IK there's mono for android implementation of .NET of windows from ExifEraser and move to the active ExifToolGUI.

not sure if it's possible for the reverse, I guess, I'll stop here since I don't think searching counterpart is easy.

SD Maid SE and Czkawka had rewrites their apps but IDK how they handle signing certificate.
Oh yeah check out my answer in obtainium about virustotal.

A lot of devs are actually affected by AVs even MS Defender, especially small devs that had no powers against big AVs company.
Just to list some: sysinternals is totally fine, but NirSoft launcher is not.
Crowdstrike in enterprise settings flagged UniGetUI, etc.

@edgeofinnerspace
Copy link

edgeofinnerspace commented Dec 13, 2024

test.zip
Screenshot_20241213_103544

is this the kind of thing youre missing? also, i attached an empty file named test.exe in the zip. do you have a way to see if its signed? i attempted it...

@edgeofinnerspace
Copy link

perhapsi used the wrong key type though

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants