
False malware detection by Bkav Pro: W32.AIDetectMalware.64 #262

Closed
1GodRage opened this issue Oct 8, 2023 · 6 comments

Comments

@1GodRage

1GodRage commented Oct 8, 2023

Problem: Malware detected.

https://www.virustotal.com/gui/file/cd1ca7e9a9f985afb1f8dfea9dad106bb4b18eb991e253c9993249035dfad10b/detection
cubiomes-viewer-3.3.0-w64.exe
Bkav Pro: W32.AIDetectMalware.64

Solution: in case of false positive, send the zip to https://www.bkav.com/contact-us

@69b69t

69b69t commented Oct 8, 2023 via email

@1GodRage
Author

1GodRage commented Oct 10, 2023

Compiling skill is out of my domain. (And I've heard that some compilers are the source of Trojans...)
But scanning any file before downloading is in my domain.
Virustotal being weird? What do you mean?

@Cubitect
Owner

This is curious since all the releases up to 3.2.1 are fine.

I have not changed my build setup at all for the releases, so Bkav Pro must take issue with some of the changes between 3.2.1 and 3.3.0. My best guess is that it's caused by the bundled translation files that were added for the internationalization. When I get some time, I'll try to confirm this or identify the change that caused it.

In case anyone is really worried and wants to replicate the binary:
I'm using a virtual machine of Windows 10 Home (20H2) that's dedicated for these releases, with a static build of Qt.
To compile Qt I followed the, by now outdated, instructions on the wiki, with:

  • MinGW 8.1.0 from its sourceforge page
  • Qt 5.15.3 sources, cloned from git://code.qt.io/qt/qt5.git

My Qt build options were:

$ perl init-repository --module-subset=default,-qtwebengine
$ configure -static -opensource -confirm-license -opengl -recheck-all -nomake tests -nomake examples -skip qtwebengine
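For anyone who does not want to rebuild Qt and the viewer but still wants to be sure the file they downloaded is the exact file the VirusTotal report above describes, the following is an added example (not code from this thread or from the cubiomes-viewer project). VirusTotal file report URLs carry the file's SHA-256 as the path component, so the hash can be pulled from the URL quoted in the first comment and compared with a local hash of the download. The local file path is an assumption passed on the command line; a constructed sample file is used when no path is given.

```python
# Added example, not from the issue thread or the cubiomes-viewer project.
# Checks that a downloaded release binary is byte-for-byte the file a
# VirusTotal report refers to, by comparing its SHA-256 with the hash
# embedded in the report URL. The URL is the one quoted in the issue; the
# local file path is an assumption supplied on the command line.
import hashlib
import hmac
import re
import sys
import tempfile
from pathlib import Path

# The report URL path is the 64-hex-digit SHA-256 of the scanned file.
VT_FILE_URL_RE = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")

# URL quoted in the first comment of this issue.
ISSUE_REPORT_URL = (
    "https://www.virustotal.com/gui/file/"
    "cd1ca7e9a9f985afb1f8dfea9dad106bb4b18eb991e253c9993249035dfad10b/detection"
)


def sha256_from_virustotal_url(url: str) -> str:
    """Extract the SHA-256 from a VirusTotal file report URL (lowercase hex)."""
    match = VT_FILE_URL_RE.search(url)
    if match is None:
        raise ValueError(f"not a VirusTotal file report URL: {url!r}")
    return match.group(1).lower()


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def artifact_matches_report(path, report_url: str) -> bool:
    """True if the local file is the same file the VirusTotal report was made for.

    A match only establishes identity with the scanned file; it says nothing
    about whether the scan verdicts themselves are correct.
    """
    expected = sha256_from_virustotal_url(report_url)
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def write_constructed_sample(data: bytes) -> Path:
    """Write a constructed sample file (stand-in for a download) and return its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    return Path(tmp.name)


if __name__ == "__main__":
    # Assumed usage: python verify_download.py cubiomes-viewer-3.3.0-w64.exe
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target is None or not target.is_file():
        # No real download given: run the check on a constructed file instead.
        target = write_constructed_sample(b"constructed sample, not the real release")
    print("expected:", sha256_from_virustotal_url(ISSUE_REPORT_URL))
    print("actual:  ", sha256_of_file(target))
    print("match:   ", artifact_matches_report(target, ISSUE_REPORT_URL))
```

Hashing in chunks keeps memory flat for large release archives, and the hash comparison is done with `hmac.compare_digest` out of habit for digest comparisons. A mismatch means the local file is not the one that was scanned (a different release, a corrupted download, or a file that was modified in transit), which is the first thing to rule out before spending time on a scanner's verdict.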

@Cubitect
Owner

After some experimentation I've determined that the false positive is triggered by the biome lookup table in the cubiomes library.

My initial assessment suspecting the changes between 3.2.1 and 3.3.0 was based on VirusTotal not reporting issues with release 3.2.1. However, it appears that W64.AIDetectMalware was added to the list of scanners relatively recently and the result of a previous scan was cached. The "Reanalyze" feature on the website also does not work as expected.

Since this is not directly an issue with Cubiomes-Viewer but with the cubiomes library (or rather with the virus scanners), I'll close this issue in favor of Cubitect/cubiomes#110.

@Cubitect
Owner

Cubitect commented Dec 9, 2023

I have tried some test builds without the biome lookup table and with large parts of the program removed, and the false malware detection by Bkav Pro persists. I now suspect that the very use of Qt triggers the issue. In any case, the cubiomes library may not be the sole problem after all, so I'll reopen this issue for now.

I have reported the false detection to Bkav.

@Cubitect Cubitect reopened this Dec 9, 2023
@Cubitect Cubitect changed the title from "Release may have a trojan. (Bkav Pro: W32.AIDetectMalware.64)" to "False malware detection by Bkav Pro: W32.AIDetectMalware.64" on Dec 28, 2023
@Cubitect
Owner

I have not got a reply from Bkav, but the issue seems to be resolved. At least version 4.0 is no longer flagged on VirusTotal:
https://www.virustotal.com/gui/file/aa48b4d461136a2a9af9dc2441ab1b3bd44dde3fbfc1ef4c041bc8ff5ba9a07a
