
EverythingPT installer flagged by anti-virus #110

Closed
tristansly opened this issue May 26, 2024 · 14 comments

Comments

@tristansly

Malwarebytes is quarantining EverythingPT in the temp folder🐛 xx

To Reproduce
Start machine

Expected behavior
Nothing?

Screenshots

@tristansly tristansly added the bug Something isn't working label May 26, 2024
@lin-ycv
Owner

lin-ycv commented May 26, 2024

Exe or zip? Nothing I can do about the exe file.

@lin-ycv lin-ycv removed the bug Something isn't working label May 26, 2024
@tristansly
Author

tristansly commented May 27, 2024 via email

@lin-ycv
Owner

lin-ycv commented May 27, 2024

This happens after you press yes on the update dialog, correct? That's the exe file.

There's nothing I can do about this; the main issue is that I don't have a digital certificate to sign the exe file, as certs cost hundreds of dollars per year.
Most AV will flag exe files as potentially dangerous if:
A) it's not commonly downloaded
B) it's not digitally signed

For EPT both cases are true, so many will flag it as dangerous.
Either you trust it and press allow, or you use the ZIP file instead.

@lin-ycv lin-ycv closed this as completed May 27, 2024
@lin-ycv lin-ycv changed the title Malwarebytes is quarantining EverythingPT in the temp folder🐛 xx EverythingPT installer flagged by anti-virus May 27, 2024
@lin-ycv lin-ycv pinned this issue May 27, 2024
@lin-ycv lin-ycv closed this as not planned Won't fix, can't repro, duplicate, stale May 27, 2024
@Anamon

Anamon commented Nov 12, 2024

Just as a note, yesterday's installer for v0.86.0 is now also flagged by Microsoft Defender (definition Trojan:Script/Wacatac.H!ml).

No doubt, the ml means this was "detected" by an "AI". I wonder if these snake oil vendors realise what kind of damage they're doing to the security awareness of the public at large. This GenAI nonsense in security software has led to such an unfathomable torrent of bogus detections, that most people have reached the point where any alert is considered to be a false positive by default… </rant>

@f22raptorroland

Detailed report from Hybrid-Analysis
@lin-ycv

@lin-ycv
Owner

lin-ycv commented Nov 14, 2024

@f22raptorroland
Like I said before, there's not much I can do. Addressing the suspicious indicators with higher relevance:

  • Dropped file has high entropy: compressed png images
  • Drops executable files || Writes a PE file header to disc: extracting EPT and everything dll files to disk
  • Calls an API typically used for keylogging: not sure why the installer is monitoring shift, 1, 2 and 4 keys, NSIS is probably using it for when there's a popup window.
  • Marks file for deletion || Opens file with deletion access rights: I don't know what nszFF45.tmp is, probably something NSIS needs for extraction
  • CRC value set in PE header does not match actual value: Everything64.dll is from Everything's SDK, I have no control over it.
  • Timestamp in PE header is very old or in the future: have no idea why that date is from the future, these files are compiled by VS

Summary: basically most of the triggers are things from NSIS or Everything's dll file, neither of which I have control over.
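
A way to re-check the indicators listed above on a downloaded installer yourself (an added example, not code from this thread or from the EverythingPT project): it parses the PE header to compare the stored CheckSum with a recomputed one, flags a TimeDateStamp in the future, reports whether an Authenticode blob is attached at all, and measures byte entropy. `build_sample_pe` is a constructed stand-in PE32+ image for exercising the checks, not the real installer, and `pe_checksum` assumes the CheckSum field sits at a dword-aligned file offset.

```python
import math
import struct
import time
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; compressed PNGs or packed code sit near 8 ("high entropy")."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Optional-header CheckSum as imagehlp computes it: dword sum with carry fold, plus file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i != checksum_offset:                    # the CheckSum field itself is skipped (assumed dword-aligned)
            total += struct.unpack_from("<I", padded, i)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def inspect_pe(data: bytes) -> dict:
    """Re-check the Hybrid-Analysis indicators from the thread on a PE image held in memory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    timestamp = struct.unpack_from("<I", data, pe + 8)[0]       # COFF TimeDateStamp
    opt = pe + 24                                               # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (0x70 if magic == 0x20B else 0x60)             # data directories: PE32+ vs PE32
    sec_off, sec_size = struct.unpack_from("<II", data, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    return {
        "checksum_matches": stored == pe_checksum(data, opt + 0x40),
        "timestamp_in_future": timestamp > time.time(),
        "has_authenticode_blob": sec_off != 0 and sec_size != 0,  # presence only; validity needs WinVerifyTrust
        "entropy": round(shannon_entropy(data), 2),
    }

def build_sample_pe(timestamp: int, signed: bool, fix_checksum: bool) -> bytes:  # constructed stand-in image
    e_lfanew, opt_size = 0x40, 0xF0                             # PE32+ optional header: 112 + 16 * 8 bytes
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                       # Magic = PE32+
    struct.pack_into("<I", opt, 0x6C, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x70 + 4 * 8, *((0x200, 0x100) if signed else (0, 0)))  # security dir
    image = dos + coff + bytes(opt) + bytes(range(256))         # high-entropy blob standing in for sections
    off = e_lfanew + 24 + 0x40                                  # file offset of the CheckSum field
    fixed = image[:off] + struct.pack("<I", pe_checksum(image, off)) + image[off + 4:]
    return fixed if fix_checksum else image
```

Feeding inspect_pe the bytes of a downloaded file reproduces the CheckSum, timestamp and entropy indicators from the sandbox report; a present signature blob only says one is attached, and validating it still needs signtool or Get-AuthenticodeSignature.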

@gabriel-vanca

I'm also getting a virus alert from Microsoft Defender, but it's a different signature.
I wasn't getting any errors with the previous versions.


@Anamon

Anamon commented Nov 14, 2024

The biggest joke in this Hybrid-Analysis report is that it has only a few spurious, very unsuspicious indicators for malicious behaviour, and only 1 in 25 virus scanners complaining about it, yet somehow it has a threat score of 100%. You'll find the explanation in the "runtime notifications" all the way at the bottom: "Enforcing malicious verdict, as a reliable source indicates high confidence".

In other words: we looked at this file in depth and don't think there's anything particularly suspicious about it, but Microsoft's ML model says it's malware, so this must be the most dangerous file ever!

The entire security software industry is made up of clowns.

@EazyCheeze1978

Chiming in I got this notification from Defender as well, the Wacatac.h!ml thing. So the consensus is that this is a false positive detected by AI/heuristics? Okay, that does make me feel better. I couldn't imagine not having Everything at a moment's notice :) Thank you for this plugin - I do appreciate it greatly!

@SoCuul

SoCuul commented Nov 16, 2024

@lin-ycv You could potentially look into Azure Trusted Signing. It's pretty new, but it provides signing certificates for only $9.99 per month. https://azure.microsoft.com/en-us/products/trusted-signing

@Anamon

Anamon commented Nov 19, 2024

> Chiming in I got this notification from Defender as well, the Wacatac.h!ml thing. So the consensus is that this is a false positive detected by AI/heuristics? Okay, that does make me feel better. I couldn't imagine not having Everything at a moment's notice :) Thank you for this plugin - I do appreciate it greatly!

Yes; also, it only applies to the installer, not any of the files it installs. If you're worried, as lin-ycv mentioned earlier, you can extract the ZIP file into the PowerToys Run plugin directory to get the same effect without any warning.

@tristansly
Author

Hey this is off topic but do you guys have anything that gives you search results within the flow window? I had the Google search Plus extension and that used to work but I don't want to search through Google and it stopped working. Looking for something that returns web results within the flow window

@tristansly
Author

Also I had a wacatac infection and it was no joke lol. Freaking pain in the beehive
