Keka is being flagged by 2 vendors on Virus Total

[paul-cossey]

Configuration

• Keka version: 1.4.0
• macOS version: N/A

Describe the bug

Hi, folks

This isn't really a bug, but not sure where else to submit.

We use AutoPkg to download and automatically upload files to Virus Total for scanning before we add any updated software to our repo for installation on client computers. If Virus Total scans have 2 or more flags by a security vendor, it'll immediately halt the automation for investigation.

The latest version of Keka has been flagged by two vendors which you can see via this URL: https://www.virustotal.com/gui/file/0097bef454b341daaf2cf218c1c527287b4d38500daa35ccb345c7b30a8835fe/detection

I'm pretty sure there are false positives, as the detections look like they're windows based malware.
Trojan.Win32.Save.a
Win.MxResIcn.Heur.Gen

Raising as you may wish to work with the vendors to resolve the detections.

To Reproduce

Steps to reproduce the behavior:

1. Download latest Keka from the Git Hub Releases page
2. Upload to https://www.virustotal.com

Expected behavior

Keka passes all vendor detections on https://www.virustotal.com

Screenshots

Additional context

N/A

[aonez]

Thanks a lot for the info Paul. I’ll check it out. There’re and were some pirated versions of Keka (lord knows why) in the wild that cause this kind of issues from time to time.

…

On Wed, 19 Jun 2024 at 12:43, Paul Cossey ***@***.***> wrote: Assigned #1470 <#1470> to @aonez <https://github.com/aonez>. — Reply to this email directly, view it on GitHub <#1470 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADVHI2BVTBRSGCM6GWTO63ZIFOFJAVCNFSM6AAAAABJRZNK6KVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJTGIYTIMZRGIYDQMY> . You are receiving this because you were assigned.Message ID: ***@***.***>

[aonez]

Just figured it out, the detected files are 7z.sfx and Rar.sfx. They are new to v1.4.0 and add the ability to create self-extraction files for Windows.

Most probably the detection is caused by the UPX size reduction I've applied to this modules, so will use the uncompressed original versions instead to prevent this kind false positive.

Will release v1.4.1 to fix this right as soon as possible. Thanks again for the feedback @paul-cossey.

[paul-cossey]

Thanks for the swift fix, @aonez 😄

[aonez]

Sadly all official 7z.sfx modules are flagged by 2-4 not that well known antivirus.

[aonez]

I've added the affected modules compressed and encrypted. They're only extracted and used if needed (by enabling the SFX options on 7Z or RAR). The updated version is scheduled for tomorrow. Thanks again @paul-cossey!

[paul-cossey]

Thanks, @aonez 😄