Taiga update detected as a trojan? #159

Closed
hopelessperson opened this issue Aug 10, 2015 · 19 comments

@hopelessperson

2015-08-10_14-12-05

@TheAlaine

Same here.

@betatan

betatan commented Aug 11, 2015

Same here, using Nod32 Antivirus 8

@Injabie3

@erengy
Owner

erengy commented Aug 11, 2015

It was 2/56 when I first submitted it, went ahead to 8/55 at night, and now it's 7/56... I don't understand why they're classifying TaigaSetup.exe as a trojan, but not Taiga.exe itself. Besides, I haven't changed anything in the setup in the last 5 months.

I've reported the file as a false positive to Avast, Avira, Baidu, ESET, Kaspersky and McAfee. So far, only Kaspersky replied:

Hello,

Sorry, it was a false detection. It will be fixed in the next update.
Thank you for your help.

Sincerely yours,
Chris Zachor,
Junior Malware analyst.

Still waiting to hear back from the others (it can take up to 48 hours, they say). I'm tired of doing this on every new release, though (see: #19).

For those who're rightfully skeptical about the warnings, you can try running TaigaSetup.exe in Sandboxie and see for yourself: It just copies the files to the install location, and creates shortcuts on desktop and the Start menu. You can also examine the NSIS script of the setup here.


All right, ESET replied too:

Dear Eren Okka,

Thank you for your submission.
It is a false positive of our scanner and this issue will be fixed in our next signature update.

Regards,

ESET Malware Response Team

@TheAlaine

First, thank you very much for this program; it is a blast and I don't want to manage my anime without it anymore. Glad to hear it was a false alarm. And thanks for the quick reply :)

@Aurielle

Having the same problem, thanks for the false positive reports. Keep up the good work 👍

@kie8

kie8 commented Aug 11, 2015

Having the same problem but with bitdefender. It deleted taiga.exe and I can't even re-install it.

untitled

@TheAlaine

Btw, after the new signature update on ESET NOD32 you can't even download it anymore; it just blocks the download site. Had to disable the web protection to get it. But then I could install it without problems from ESET.

@erengy
Owner

erengy commented Aug 11, 2015

@kie8
That's weird because VirusTotal says Taiga.exe is clean according to BitDefender. In any case, I sent them an email now.

@TheAlaine
NOD32 no longer classifies TaigaSetup.exe as malicious, but now it thinks the download link is... I just sent another mail to them, requesting the domain to be whitelisted.


Okay, that was quick:

Dear Eren Okka,

Thank you for your submission.
The site will be unblocked in the next update.

Regards,

ESET Malware Response Team


BitDefender responded too, but hasn't given a definitive answer:

Dear Eren Okka,

Thank you for the data provided. We have sent it to our laboratories for specialized analysis. If a false positive is found, detection will be removed in the next 72 business hours. Should you need further assistance in the future, please do not hesitate to contact us.

Thank you,
Bitdefender Customer Care Team

@betatan

betatan commented Aug 11, 2015

I added Taiga's folder to exceptions, it's faster. Dunno why nod detects it as this: http://www.virusradar.com/en/Win32_Spy.Zbot.AAO/description

@Injabie3

Thanks @erengy, keep us posted 👍

@09eragera09

@erengy I use Windows Defender, and so far I haven't had any problems. Well, Windows Defender is shit, but at least I can use Taiga in peace.

@erengy
Owner

erengy commented Aug 12, 2015

Symantec products were detecting Taiga as "WS.Reputation.1", so I submitted an erroneous detection form and received the following response within an hour:

Upon further analysis and investigation we have verified your submission and, as such, the detection(s) for the following file(s) will be removed from our products:

   EFD2EB2C5F2DB03772E4D64914F28FE9 - Taiga.exe

The updated detection(s) will be distributed in the next set of virus definitions, available via LiveUpdate or from our website at http://securityresponse.symantec.com/avcenter/defs.download.html

Please note that whitelisting can take up to 24 hours to take effect.


Avira, which had classified TaigaSetup.exe as "TR/Spy.ZBot.968021", responded after ~25 hours:

File ID Filename Size (Byte) Result
28582352 TaigaSetup.exe 945.33 KB FALSE POSITIVE

The file 'TaigaSetup.exe' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

@Aurielle

ESET has already whitelisted the domain and is no longer detecting the setup as a virus. Great work 👍

@viddypiddy

Windows Defender is detecting it for me now, on Windows 10! Darnit :')
Edit: As Trojan:Win32/Skeeyah.C!plock

@erengy
Owner

erengy commented Aug 13, 2015

Are your virus and spyware definitions up to date? Just tried scanning the files with Windows Defender (definition version 1.203.2099.0) and it didn't find any issues, neither on Win 8.1 nor on Win 10.

@ConnorKrammer

I'm on Windows 7 using Windows Defender. My definitions are up to date, and Taiga hasn't been flagged as a virus on any of the instances I've updated it.

@viddypiddy

My definitions are 1.203.2137.0, even after a manual update, and it's still being flagged as malware.

@erengy
Owner

erengy commented Aug 14, 2015

Here's our current situation: Avast, Avira, Baidu, ESET, Kaspersky and Symantec no longer detect the latest version of Taiga as malicious. McAfee, Qihoo and Rising still do.

McAfee has changed the classification from "Artemis!A6E427EEE0BF" to "RDN/PWSZbot-FHN", but still insists that the setup is malware. I've already mailed them twice, don't know if another try would help.

Qihoo is not exactly a reputable company according to what I've read, but I sent them a report anyway. I think they accepted the false positive:

Dear Sir or Madam,

The file that you’ve submitted has been identified as malicious file(Time: 2015-08-13 16:20:03; Software: TaigaSetup; ID:2058250).

We sincerely appreciate your help of improving our products and services.

Result: Proper actions have been taken. If the false positive happens again, please add it into local Trust List and contact us again with support@360safe.com .

Thanks for your support.

Rising, another Chinese firm, doesn't even have a proper English website. They do have a submission page, though. I've just reported the file, we'll see if it works out.
