FFASTtrans 1.2.0 Virus detected

3dsasha
Posts: 21
Joined: Tue Dec 15, 2020 3:30 pm

FFASTtrans 1.2.0 Virus detected

Post by 3dsasha »

My Windows Defender shows exe_manager.exe and exe_manager_x86.exe as Trojan:Win32/Zpevdo.B. VirusTotal shows problems:
Attachment: изображение_2021-03-03_085247.png (screenshot of the VirusTotal result)
emcodem
Posts: 1645
Joined: Wed Sep 19, 2018 8:11 am

Re: FFASTtrans 1.2.0 Virus detected

Post by emcodem »

Yeah, if you test ffastrans.exe it will most likely be the same number of detections.
We are currently looking into getting a (paid per year) software signing certificate and I guess there will be a new patched release when we have it.
We can only hope that this helps.

Until then, everyone must unfortunately just exclude the whole ffastrans directory from on-access scanning.
emcodem, wrapping since 2009 you got the rhyme?
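The advice above is to exclude the whole FFAStrans directory from on-access scanning. A narrower alternative, as an added example that is not part of the original post or of the FFAStrans project: first list what Defender actually detected under the install path, then exclude only those executables by full path. The install path C:\FFAStrans and the set of file names (taken from this thread) are assumptions; adjust them to your setup. The Defender cmdlets used (Get-MpThreatDetection, Add-MpPreference, Get-MpPreference) ship with the Defender PowerShell module on Windows 10/Server 2016 and later.

```powershell
# Added example, not FFAStrans project code.
# Scope a Defender exclusion to the flagged binaries instead of the whole folder.
#Requires -RunAsAdministrator

$installDir = 'C:\FFAStrans'   # assumption: change to your install path
# File names as they appear in this thread (assumed to live directly in $installDir)
$binaries   = @('FFAStrans.exe', 'exe_manager.exe', 'exe_manager_x86.exe', 'rest_service.exe')

# 1. What has Defender detected, and which files did it touch?
#    Resources is an array of strings such as "file:_C:\FFAStrans\exe_manager.exe".
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($installDir) } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName,
                  @{ n = 'Resources'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap

# 2. Exclude the specific executables by full path.
#    A directory exclusion would also whitelist anything dropped there later,
#    e.g. by a job running in a compromised workflow.
foreach ($name in $binaries) {
    $path = Join-Path $installDir $name
    if (Test-Path -LiteralPath $path) {
        Add-MpPreference -ExclusionPath $path
    } else {
        # Defender may already have quarantined the file; restore it first,
        # then re-run this script so the exclusion can be applied.
        Write-Warning "$path not found (quarantined or not installed?)"
    }
}

# 3. Review the resulting exclusion list. Undo a single entry with
#    Remove-MpPreference -ExclusionPath <path>.
(Get-MpPreference).ExclusionPath
```

Any exclusion, narrow or wide, also stops Defender from flagging a genuinely malicious file with that name, so it should be treated as a temporary workaround and removed once a signed or whitelisted build is available.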
Willob
Posts: 2
Joined: Fri Dec 30, 2022 4:47 am

Re: FFASTtrans 1.2.0 Virus detected

Post by Willob »

Any change, or impending change? Having issues with IPsec in a large environment.
Files flagged:
rest_service (win malware nymeria 9957673-0 & downloader agent win32 464104)
ffastrans.exe (downloader agent win32 464104)
FranceBB
Posts: 230
Joined: Sat Jun 25, 2016 3:43 pm

Re: FFASTtrans 1.2.0 Virus detected

Post by FranceBB »

Willob wrote: Fri Dec 30, 2022 5:46 am Any change, or impending change? Having issues with IPsec in a large environment.
Files flagged:
rest_service (win malware nymeria 9957673-0 & downloader agent win32 464104)
ffastrans.exe (downloader agent win32 464104)
Hi Willob,
first of all Merry Christmas and Happy New Year.
Second of all, we can confirm that even in the new version, it's still a false positive.
We try our best to avoid being detected by antiviruses and, as a matter of fact, we've been trying to get everything converted from .exe to .a3x and to have as close as possible to one centralized exe, namely FFAStrans.exe. However, we of course need an exe for the REST APIs, hence rest_service.exe, and in fact those two exes are what your antivirus flagged as viruses (even though they're not), while giving a pass to all the .a3x files.

Unfortunately there's little we can do as we can't sign our executables and therefore some antiviruses consider them "dodgy" as in the past unsigned executables have been used by hackers across the world to do some bad things.
There's one thing you can do, however, as a member of this community and that is to report them as false positive to your antivirus firm so that they can check it, analyze it and come back to you saying that it's really not a virus.
This will help other members of the community using the same antivirus as the one you use 'cause FFAStrans will be whitelisted in the next definitions update. ;)


I hope you have a lovely new year and welcome to the forum!
emcodem
Posts: 1645
Joined: Wed Sep 19, 2018 8:11 am

Re: FFASTtrans 1.2.0 Virus detected

Post by emcodem »

FranceBB wrote: Fri Dec 30, 2022 2:50 pm ...Unfortunately there's little we can do...
Actually there is a lot we can do. We did a lot in the past and we keep on doing a lot. E.g. exe_manager.exe 1.3.1 has 2 of 71 detections on virustotal.com; I'd call that an improvement compared to the 21/70 in the screenshot above :D

One very important thing that comes to my mind is that we should provide MD5 values for the downloaded binaries, because we can never guarantee that the files users download are the same ones we uploaded. It is very unlikely but still possible that the files on the web servers have been altered, or that the files are altered locally on an already infected OS.

Anyway, actually I wanted to explain the term Frank uses above: "signing".

"Code signing" would be the very best bet that exists in this world; this is how professional programs usually dodge false positives today. The problem with it is that the procedure to get a corresponding certificate is very tedious and costly. It is something that you don't do for fun but for commercial stuff only. Also, the costs for it start at about 200,- per year. When @admin attempted to get a code signing certificate, the authorities dug far too deep into his private life, if I remember correctly.

On a personal note: it is a shame that these days you have to pay a fee because otherwise antivirus will detect your program as a false positive. That's mafia style and a totally unacceptable practice. Everyone knows that nearly all A/V detect 99.9% false positives, but nobody kicks their asses for it... Those A/V vendor suckers should fix their buggy code instead of making others pay yearly fees!

@Willob, if you tell me the exact FFAStrans version that you use, I can send you the MD5 of the exes so you can confirm that they are what we actually uploaded.
Willob
Posts: 2
Joined: Fri Dec 30, 2022 4:47 am

Re: FFASTtrans 1.2.0 Virus detected

Post by Willob »

Thank you for the great explanations. I better understand the breadth of the issue.
ffastrans 1.3.0.2.7z
ffastrans.exe ver 1.3.0.38
rest_service.exe ver 1.3.0.76
exe_manager.exe ver 1.3.0.55
emcodem
Posts: 1645
Joined: Wed Sep 19, 2018 8:11 am

Re: FFASTtrans 1.2.0 Virus detected

Post by emcodem »

The MD5 values were made using the PowerShell command line:

PS C:\Users\emcodem> Get-ChildItem -Path C:\temp\md5 -Recurse  | Get-FileHash -algorithm md5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             C530FF5AF79BE54290EE6106606EE998                                       C:\temp\md5\exe_manager.exe
MD5             01D724B53EAEEBAAFED08729A7BBA685                                       C:\temp\md5\FFAStrans.exe
MD5             BEC2CC746A22DE03654618D69BC0BE89                                       C:\temp\md5\FFAStrans1.3.0.2.7z
MD5             B758D341CA6D0788F7156255F1682B1C                                       C:\temp\md5\rest_service.exe
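The post above gives the reader a list of hashes but leaves the comparison to be done by eye. As an added example (not part of the original post or of the FFAStrans project), the script below takes the four MD5 values posted for 1.3.0.2, recomputes each file's MD5 and SHA-256 with Get-FileHash, and also reports the Authenticode status that the code-signing discussion earlier in the thread is about. The folder C:\temp\md5 is the one used in the post; the hashtable layout, the report format and the exit condition are assumptions of this example.

```powershell
# Added example, not FFAStrans project code.
# Verify downloaded files against published hashes and report their signature status.

$dir = 'C:\temp\md5'   # assumption: folder holding the downloaded archive and extracted exes

# Expected MD5 values as posted by emcodem above for FFAStrans 1.3.0.2 (file name -> hash).
$expectedMd5 = @{
    'FFAStrans1.3.0.2.7z' = 'BEC2CC746A22DE03654618D69BC0BE89'
    'FFAStrans.exe'       = '01D724B53EAEEBAAFED08729A7BBA685'
    'exe_manager.exe'     = 'C530FF5AF79BE54290EE6106606EE998'
    'rest_service.exe'    = 'B758D341CA6D0788F7156255F1682B1C'
}

$report = foreach ($name in $expectedMd5.Keys) {
    $path = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $name; Md5Match = 'MISSING'; Sha256 = $null; Signature = $null }
        continue
    }

    # Get-FileHash returns upper-case hex, matching the values posted above.
    $md5    = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash
    $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # Authenticode status for PE files only: NotSigned for the unsigned builds this
    # thread is about, Valid once the project ships signed binaries, HashMismatch if
    # a signed file was modified after signing.
    $sig = if ($name -like '*.exe') {
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    } else { 'n/a' }

    [pscustomobject]@{
        File      = $name
        Md5Match  = if ($md5 -eq $expectedMd5[$name]) { 'OK' } else { 'MISMATCH' }
        Sha256    = $sha256   # record this; SHA-256 is what a published manifest should carry
        Signature = $sig
    }
}

$report | Format-Table -AutoSize

# Refuse to proceed if any file differs from what the developers uploaded.
if ($report | Where-Object { $_.Md5Match -ne 'OK' }) {
    Write-Error 'One or more files do not match the published hashes; do not run them.'
}
```

Two caveats a practitioner would add to this check: a matching hash only proves the bytes are the ones the developers uploaded, not that those bytes are benign, and a hash published on the same web server as the download gives no protection if that server is the thing that was tampered with. Publishing SHA-256 values (MD5 is collision-prone) through a second channel, such as this forum, is the more useful form of the idea.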