False positives i.e. "NOT A VIRUS!!!!!" #95
Comments
Can you please post this on Chocolatey? The VirusTotal analysis there looks pretty scary, and I saw it after I had already installed the package, so I nearly got a heart attack.

Even with the proper funds, I am not sure you will be able to get an EV certificate without a registered company behind the request.

I think the TAP network driver bundled in OpenVPN for Windows also attaches its own CA publisher and installs that before the main driver. Windows would show a dialog requesting to install the custom CA.

Pardon my ignorance, but is there a reason you couldn't use an SV CS cert, like the $85 one from Comodo?

Yes: Microsoft would not accept it and would not counter-sign the driver, hence the Windows kernel wouldn't load the driver:

@DavidXanatos lol so as long as you're a Chinese company you can create malicious drivers, but the perfectly valid FOSS developer gets to suffer. Microsoft 10/10. 🙄

Exactly :'(

No, I don't think it is; the file should be created in the program folder directly.

I talked to my wife about the code signing; she deals with that at her work.

I think this would be a better solution. Windows Defender automatically quarantines this driver and probably turns off a lot of people from using it.

To my knowledge this won't work; MSFT does not allow the user on a system that is not in Test Mode to load code into the kernel that is not MSFT approved. See here: https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm?tx=9

Someone else had the same issue,

So you have an "old school" certificate for direct driver signing? Nice.

I submitted false-positive check requests to most of the anti-virus programs that listed SbieDrv.sys as bad in virustotal.com, and Microsoft Defender too.

@DavidXanatos Correct me if I'm misinterpreting the article, but you'll have to get an EV cert and submit the code to M$?

I did not get an answer yet from them,
Yes, that's how it now works: a lot of hassle just to take away a bit more freedom from the users, but there is no easy mass-compatible way around it.

Yes, Microsoft: "We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions. Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions Thank you for contacting Microsoft." Have a good night, I have to get to bed.

Fortinet said oops and sorry. 2 software companies didn't want to change their mind, so I pushed back with the Microsoft acceptance.

I'm playing with installing Sandboxie and telling ESET NOD32 to exclude c:\program files\sandboxie\sbiedrv.sys.

As it looks, it's just the SbieDrv.sys file; not sure why it ends up in that temp location though.

I got the same hit in the temp folder, which is NOT where Sandboxie is stored, from Windows Defender last month or so. I could not reproduce it though.

The file posted above is just the driver; however it ended up there, it's not a reason to worry about, as it's harmless.

ESET replied with basically "no cert, no pass".

Avast said that it will continue to mark it bad because the digital signature was revoked.

I'm having issues with it working, even when allowed in Windows Defender. I know this post isn't at all helpful with this whole issue, but I really hope you can get that certification thingy done sometime soon.

Again, the new release is marked as a trojan in Windows Defender.

Solve this and sell that stuff for money - problem solved.

I tried WD and Avira, and they didn't pass, but Kaspersky passed.

What's the status on the EV? Not to be nosey of course, but it would be nice if there were a more transparently laid out milestone progress indicator somewhere on the funds needed for an annual EV. I would like to donate, but I do want to be sure I'm donating explicitly to the sole purpose of purchasing an EV cert for Sandboxie Plus. Maybe a GoFundMe would be more appropriate?

I agree with @hoffersrc, and think it would be great if there was some sort of way to track towards a goal of an EV. I would also donate to this.

The EV cert request is very sick, I mean strict (lol)

So since we have an EV now, I can close this issue.

Hi @DavidXanatos, However, I'm also concerned about false positives from antivirus software (Norton/Symantec, McAfee, ...). How did you solve this (antivirus false positives) for Sandboxie? Kind regards,

Aside from properly signing the driver and using a generic installer, I did not do anything. IMHO this whole anti-malware fool industry is one huge scam, and apparently with VT Monitor they advanced from selling snake oil to outright extortion. The EU or US should make them liable for false positives.
PS: please don't expect too much from the EV cert; we have one from GlobalSign for the driver, and I tried what VT says when I sign the Sandboxie installers.

Thank you @DavidXanatos for your quick reply 👍 We don't have installers. Our software is zipped in a
Should we use a generic installer too? Would that help our case (avoiding trigger-happy antivirus software) - or would it make no difference?
What did VT say? I suppose VT == VirusTotal? Thanks a lot for your help.

@kristofmulier In my case the problem was VT == VirusTotal reporting substantially more false positives for the installer than for the files contained within it. And strangely only for the 32-bit one. If you have problems with the files themselves, changing the installer will presumably not help. Also I don't know if you can even sign a *.pyd file. What did VT say?
So short of complaining to the companies behind those fools that produced false positives, I don't think there is a real remedy. The certificate clearly did not impress most of them. Presumably if you sign your files and complain to the companies, you may not need to complain each time you make a new release, as they may possibly whitelist your certificate.

Hi @DavidXanatos,
That's what I actually thought - but I'm glad to have your confirmation.
Ugh, that would be terrible! Norton Antivirus flags and auto-deletes all our
Seems like you're right - unfortunately. I still hope there is some deliverance from the VirusTotal
That would be awesome - at least if we could sign our Thanks for your help :-)
The SbieDrv.sys driver must be signed, and since the appropriate certificates are prohibitively expensive, I had to use a leaked code signing certificate I found laying around the Internets. This means some anti-malware applications wrongfully flag it as potentially dangerous or a virus.
If you want SandboxiePlus to get a proper EV Code Signing Certificate, please support the project through donations. You can donate via PayPal at https://xanasoft.com/ or Patreon https://www.patreon.com/DavidXanatos
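The thread turns on whether SbieDrv.sys carries a trustworthy signature (first a leaked certificate that was later revoked, then a GlobalSign EV certificate), and several people add AV exclusions for the file without checking. The PowerShell below is an added example, not code from the issue or the Sandboxie project: it reads the driver's Authenticode signature and rebuilds the signer's chain with online revocation checking before any exclusion decision. It assumes the default install path quoted above; the chain check deliberately ignores the signature timestamp, so it is stricter than Windows' own verdict for a timestamped signature whose certificate was revoked later.

```powershell
# Added example, not Sandboxie project code: inspect a driver's Authenticode
# signature and the signing certificate's chain/revocation status before
# deciding whether an AV exclusion (as discussed above) is justified.
param(
    # Path from the thread; adjust if Sandboxie is installed elsewhere.
    [string]$DriverPath = 'C:\Program Files\Sandboxie\SbieDrv.sys'
)

function Test-DriverSignature {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $result = [ordered]@{
        File            = $Path
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        StatusMessage   = $sig.StatusMessage
        Signer          = if ($cert) { $cert.Subject }    else { $null }
        Issuer          = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        ChainValid      = $false
        ChainErrors     = @()
    }
    if ($cert) {
        # Rebuild the chain with online revocation checking so a revoked
        # certificate (one of the cases in this thread) is reported explicitly.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        # Require the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) on the signer.
        $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3')) | Out-Null
        $result.ChainValid  = $chain.Build($cert)
        $result.ChainErrors = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    [pscustomobject]$result
}

$report = Test-DriverSignature -Path $DriverPath
$report | Format-List

# Only a valid signature with a clean chain is a reasonable basis for trusting
# or excluding the file; anything else deserves a closer look first.
if ($report.SignatureStatus -eq 'Valid' -and $report.ChainValid) {
    Write-Host 'Signature and certificate chain check out.'
} else {
    Write-Warning 'Signature or chain problem; do not add an AV exclusion on that basis.'
}
```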