version 1.9 marked as virus #211
Comments
|
Thank You for the Issue. I will try to get to look at it as soon as I can. |
|
I got the same problem! Microsoft Defender constantly flags "docto.exe" as Adware (Adware:Win32/DealPly!MSR) and deletes the file, which causes automatic jobs to silently fail... |
|
Thanks, I'm unsure how to fix this issue. Adware is a new one, I'm unsure why it would show as adware. Can you add an exception in your microsoft defender setttings? |
|
Apparently it can be submitted as false positive to help with avoiding this. https://www.microsoft.com/en-us/wdsi/filesubmission I will do this, but if anyone else on this thread was willing to do it also it would be very helpful. |
|
Did this right away! Interestingly the status of the submission is now "Rejected" (after only ten minutes or so) - haven't got any emails about it yet. Keeping you updated! |
|
It's kind of wild. Is it possible that something is creating another version of the file? My executable definetly isn't doing all these things. It says it's contacting 9 ip addresses ? I don't know how that is possible from the code! |
|
Maybe I should check what has changed between 1.8 and 1.9 |
|
There seem to be a huge amount of heuristics I'll try to remove urls (mostly in comments) from code and resources to see if that improves it |
|
Where is the information with the 9 contacted ip addresses from? That sounds very wild. |
|
If you look at this link posted above https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070 |
|
Ah, I see. From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are windows internal diagnostics and telemetry hosts? |
|
Both Windows Defender and Malwarebytes are flagging 1.9 and 1.10 as Wacatac.B!ml or Neshta.Virus.FileInfector.DDS. 1.8 seems fine. |
|
Also getting flagged by Trellix on my PC, unfortunately. |
|
Same here, windows just delete exe(without warning or any message) after interaction from user with it(execution, help, etc). 1.8 works fine |
|
This problem occurred when running the program on the second PC, while on the first PC (Windows 10 pro 21H2 19044.1586) version 1.9 runs without problems. |
|
in my case exe can be stored in directory without problem, but when I run "docto --help" this show no info in console(mb new line symbol), then in 3-5 seconds windows/defender delete exe file from disk. |
|
I have just released v1.11 I have make a few small changes to see if I can avoid it being marked as a virus, but probably they will have no effect. I'm closing this for now. |
|
works for me! thanks, @tobya! |
Has it stopped marking it as a virus for v1.11? |
Windows has stopped delete exe file after interaction with it(docto --help for example). Yes, new 1.11 version. I don't know mark it or not as virus. |
|
@digitalcoyote if you had a moment to push 1.11 https://github.com/tobya/DocTo/releases/tag/v1.11 to chocolately that would be great. The 2 files are docto_32.zip and docto_64.zip both containing just the Hopefully this will have some effect on the false positives. |
|
I think it should be set to check for a new release every 12 hours. I'll double check that it is and update here when it's through Chocolatey moderation. |
|
AU picked up the release, it passed verification and is waiting on the virus scan. |
Lessons Learnt.Dont use the word |
|
unfortunately the issue now affects all latest versions incl. v1.12 |
|
Hi @tobya, please reopen this issue since it seems to be a real issue. The exe opens connections to IPs, which are known to do bad things like brute force or portscans. So I would argure even these IPs are in the MS IP range they could be a non trustable customer Azure instance. |
|
ok. thanks. |
|
I will see if I can build on a new machine. If concerned you can use an earlier version or build from source. |
|
Thanks - what would I need to build that from source? Unfortunately my pascal knowledge is from pre windows century 😉 |
|
It builds very easily in any version of Delphi from 7 onwards. I'm fairly sure you could build it with the free community edition of Delphi that you can download from the Embarcadero website. I'll try to put up a note on the readme on how to build. |
|
thank you @tobya, I'll try that and if there is more how to - even better. Just realized: embarcadero removed the download for unknown reason ... |
Version 1.12I build this on a blank machine Seems to be better If you have any other scanner please run it through it. @hi-ko |
|
I have released v1.14 which is the same as 1.12 but built on a clean machine. |
|
Thanks for your effort, but I think your assumption was too fast: if you open your link now, it is marked as malicious. Maybe the tests had not been completed when you checked that report - especially the sandbox tests done show network activity to ips which should not been seen as trustworthy. Question is: what is calling home and where this is coming from ... The behavior is at least not what someone would expect from a simple cli tool not having a use case to talk to the internet and 3 of the IPs are reported for portscans. |
|
Since there's a lot of trouble around those ominous addresses, I'm once again stating my above-mentioned theory: “From a quick research (PTR) on those addresses, they all seem to point to Microsoft services or Akamai clusters. Could it be that Virustotal just lists all connections that are outgoing from the VM, and those connections are windows internal diagnostics and telemetry hosts?” EDIT: Checking the latest “docto.exe” with hybrid-analysis.com gives the following results: https://www.hybrid-analysis.com/sample/4d42b9eea689ec508c295552b4985afb8e29772638888affda4291da2c7175e2/65ce6eeb72c8be5ae2050d12 |
|
Indeed, when checking 7z.exe not the same but similar IPs are contacted. |
|
Thank you both. I think this continues to be a false positive. Which makes me feel better as I don't then have a malware injecting virus on my home machine. This software does (obviously) connect via com to Word and office, mentions macros in the exe, but this is what it is supposed to do. I wonder is it simply that the nature of what it does means it rings a lot of bells for scanners. Hopefully it will still install for some people |
|
Some success: MS seems to no longer handle docto as malware. I submitted a false positive case and they agreed to review the files. Today MS Defender did not complain any more downloading and executing v1.14.!
|
Describe the bug
Version 1.9 is flagged as virus by microsoft defender and many other vendors https://www.virustotal.com/gui/file/d3d9bc59a1f7dc41fa32c3170af3314fd6fe63ff2b018ec1ac7156d06404b070
Where as version 1.8 is only flagged by 4 insignificant vendors
https://www.virustotal.com/gui/file/039be27cc016cc23069f233d96920e530498bbc72b79e0c1ac979d56a9f59cf5
To Reproduce
Download version 1.9 docto.exe
The text was updated successfully, but these errors were encountered: