rejetto forum
Software => HFS ~ HTTP File Server => Topic started by: rejetto on May 26, 2016, 03:34:41 PM
-
i've just sent this message to bitdefender
Dear sirs, it is unfortunate that your product is reporting mine as being "unsafe".
You can check at https://sourceforge.net/projects/hfs/malware
and see that the files are reported as "a variant of Win32/Server-Web.HFS.A potentially unsafe application"
my software is called HFS and is a web server, the original one not a variant, and it's perfectly safe.
I would appreciate to be informed on the reasons that led you to mark it as "unsafe".
Best regards,
-
Nothing really worrying if we refer to the majority of detections ;)
result of online scan at https://virusscan.jotti.org/en-US
Name: hfs rejetto.zip
Size: 1.03MB (1,078,385 bytes)
Type: Zip archive
First seen: May 26, 2016 at 6:35:25 PM GMT+2
MD5: 9798035fc1ecd1114a4100438837b021
SHA1: 0e615c489988900581b4ea6738e173e698957485
Status: Scan finished. 2/19 scanners reported malware.
Scan taken on: May 26, 2016 at 6:35:27 PM GMT+2
Lavasoft Ad-Aware May 26, 2016 Found nothing
Arcabit AntiVirus May 26, 2016 Found nothing
Avast! Antivirus May 26, 2016 Found nothing
AVG May 26, 2016 Found nothing
Avira AntiVir May 26, 2016 Found nothing
BitDefender Antivirus May 26, 2016 Found nothing
ClamAV May 26, 2016 Found nothing
Dr. Web May 26, 2016 Found nothing
MicroWorld eScan May 26, 2016 Found nothing
ESET May 26, 2016 Win32/Server-Web.HFS.A
Fortinet May 26, 2016 Found nothing
F-PROT Antivirus May 26, 2016 Found nothing
F-Secure Anti-Virus May 26, 2016 Found nothing
Ikarus May 26, 2016 Found nothing
Kaspersky Anti-Virus May 26, 2016 Found nothing
Quick Heal May 25, 2016 RiskTool.HFSServerWeb.A10
Sophos May 26, 2016 Found nothing
Trend Micro Antivirus May 25, 2016 Found nothing
VBA32 May 25, 2016 Found nothing
result of online scan at http://www.virscan.org/scan
Scanner Engine Ver Sig Ver Sig Date Scan result Time
ahnlab 9.9.9 9.9.9 2013-05-28 Found nothing 4
antivir 1.9.2.0 1.9.159.0 7.12.93.198 Found nothing 16
antiy AVL SDK 2.0 1970-01-01 Found nothing 30
arcavir 1.0 2011 2014-05-30 Found nothing 8
asquared 9.0.0.4799 9.0.0.4799 2015-03-08 Found nothing 1
avast 160525-0 4.7.4 2016-05-25 Found nothing 37
avg 2109/11781 10.0.1405 2016-05-23 Found nothing 1
baidu 2.0.1.0 4.1.3.52192 2.0.1.0 Found nothing 4
baidusd 1.0 1.0 2014-04-02 Found nothing 1
bitdefender 7.58879 7.90123 2015-01-16 Found nothing 1
clamav 21604 0.97.5 2016-05-25 Found nothing 2
comodo 15023 5.1 2016-05-25 Found nothing 3
ctch 4.6.5 5.3.14 2013-12-01 Found nothing 1
drweb 5.0.2.3300 5.0.1.1 2016-05-24 Found nothing 53
fortinet 34.915, 34.915, 34.915, 34.915 5.4.233 2016-05-26 Found nothing 1
fprot 4.6.2.117 6.5.1.5418 2016-02-05 W32/Felix:CO:Delphi!Eldorado 1
fsecure 2015-08-01-02 9.13 2015-08-01 Found nothing 6
gdata 25.6707 25.6707 2016-05-25 Found nothing 8
hauri 2.73 2.73 2015-01-30 Found nothing 1
ikarus 1.06.01 V1.32.31.0 2016-05-25 Found nothing 13
jiangmin 16.0.100 1.0.0.0 2016-05-25 Found nothing 1
kaspersky 5.5.33 5.5.33 2014-04-01 Found nothing 19
kingsoft 2.1 2.1 2013-09-22 Found nothing 3
mcafee 7879 5400.1158 2015-07-31 Found nothing 8
nod32 1777 3.0.21 2015-06-12 Found nothing 1
panda 9.05.01 9.05.01 2016-05-25 Found nothing 4
pcc 12.548.07 9.500-1005 2016-05-25 Found nothing 1
qh360 1.0.1 1.0.1 1.0.1 Found nothing 6
qqphone 1.0.0.0 1.0.0.0 2015-12-30 Found nothing 1
quickheal 14.00 14.00 2016-05-24 RiskTool.HFSServerWeb.A10 2
rising 26.20.01.02 26.20.01.02 2016-05-24 Found nothing 4
sophos 5.17 3.60.0 2015-08-01 Found nothing 7
sunbelt 3.9.2671.2 3.9.2671.2 2016-05-23 Found nothing 2
symantec 1.3.0.24 Found nothing 1
tachyon 9.9.9 9.9.9 2013-12-27 Found nothing 3
thehacker 6.8.0.5 6.8.0.5 2016-05-23 Found nothing 1
tws 17.47.17308 1.0.2.2108 2016-05-25 Found nothing 6
vba 3.12.26.4 3.12.26.4 2016-05-25 Found nothing 4
virusbuster 15.0.985.0 5.5.2.13 2014-12-05 Found nothing 15
-
@Rejetto: Oh, don't worry, like Mars said, those false positives are just a minority.
Just thinking out loud: maybe if you "sign" your .exe, all the Antivirus false positives could be gone, since "they" would know for sure that's "your release" and not a "variant" released by someone else.
Normally this is not (http://www.thegeekstuff.com/2010/03/microsoft-digital-signatures/) free (http://windowsitpro.com/security/q-whats-easiest-way-digitally-sign-internally-developed-applications-executable), but searching on Google "Signing EXE files for free", I did get this (https://www.digicert.com/util/), this (https://developer.mozilla.org/en-US/docs/Mozilla/Developer_guide/Build_Instructions/Signing_an_executable_with_Authenticode), and this (https://www.globalsign.com/en/code-signing-certificate/code-signing-tool/) info.
-
strange, in your scans bitdefender is not reporting risks.
sourceforge claims it is using it.
i don't think "variant" is the key word here, just some security tools stating that HFS is "risky" stuff, and i don't see why.
It's not about the scripting capability either, as it was introduced in 2.3 and this story started before it.
-
most "high business end companies" like defended / McAfee / Norton / Kaspersky will flag a program due to the fact of its ability to open a socket and run a server.
in this case, Bitdefender saw that it was opening a web server for http, there's a rule in the program's virus search definitions to detect that, and so the program was flagged.
it's a bad virus scan definition that caused it to be flagged, nothing to do with HFS itself...
-
I guess antivirus companies are not very friendly with open source programs. And they see every server as a potential risk, and even more if it's open source, since anyone can build your own copy. If you can sign your .exe easily, go ahead, since you will gain the trust from Antivirus companies, and they can't come with that 'variant' excuse anymore. But like I've said, I don't see the point to be worried for just 2 or 3 false positives.
-
do you mean they flag every bloody server out there?
i don't think so.
the false positives worry me when it's a very common antivirus doing it.
-
They mainly automate their antivirus engines, so, IMHO if you digitally sign your .exe, they can easily add a permanent exception for your program (since they will check your signature in future versions, and if it matches yours, they can be sure it's safe). If they find an 'unsigned' exe, they can safely mark it as 'variant'. It has logic, since it adds trust (https://en.wikipedia.org/wiki/Code_signing). I think the signature is important for them (especially on open source apps). Ask them if signing the program will change things or not.
More info on how to digitally sign executables, here (http://windowsitpro.com/security/q-whats-easiest-way-digitally-sign-internally-developed-applications-executable), here (http://stackoverflow.com/questions/3128205/how-can-i-digitally-sign-an-executable), here (http://stackoverflow.com/questions/252226/signing-a-windows-exe-file) & here (http://www.excelsiorjet.com/kb/34/howto-digitally-sign-executables-and-installers-produced-by-excelsior-jet). The hard part is to find a free certificate authority (CA) that issues code signing certificates (most of them are only for SSL/TLS server authentication). Certum.eu (https://www.certum.eu/certum/cert,offer_en_open_source_cs.xml) has Open Source Code Signing for €14. I really don't know if it's worth all the trouble of digitally signing the program, but the decision is yours. ;)
-
It is unlikely that adding a security certificate will make the antivirus any milder, since open source software is subject to changes with bad intentions; the viral suspicion on hfs.exe is perhaps due to a signature corresponding to code from a library used to run the program, so that no information on the detection method will be clarified, there will always be alerts from antivirus
-
Well, it was just an idea. If digitally signing doesn't change things, then, I think there is nothing that can be done to change this situation. :-\ My suggestion is don't start 'playing their game' (about 'fear'). If they want to say HFS is a virus, then it's a virus for them. For the users, having access to the source code and disabling or adding an exception is enough (at least for me).
There is even a movie about this... ;D
(http://i.imgur.com/mOL4Hnht.jpg) (http://i.imgur.com/mOL4Hnh.jpg)
Talking seriously, this should not happen, but it's their fault. On old versions, you were using UPX to compress the file, and then you stopped using it because the antivirus were giving false positives on its use. Then antivirus were happy for a while. And now some antivirus are unhappy again. Who can understand them?...
WARNING: All the text written here is a parody of life. Any similarity with reality is purely coincidental. "I've lost my trust in antivirus a long time ago. And I'm 100% sure if HFS had a good backdoor from 'you know who', then it would be clean for every antivirus out there. Look at Win10, it's a spyware in all of its glory, and you will not find a single antivirus saying "your system is infected", right after being installed. Antivirus are out there for profit, and not always to protect your computer. It pisses me off, all this situation. There are three kinds of things I hate in the computer industry: hackers, antivirus, and virus makers (life would be a dream without all of them). If you start playing the game with any of them, you'll lose for sure. I'm glad ReactOS is coming for saving us all (at least they are trying). And if ReactOS fails, then it's Linux."
-
probably because uncompressed, the size of the executable is four times larger
it gives them more work, suddenly they are not happy
they must necessarily take revenge in one way or another ;D ;D
-
> I guess antivirus companies are not very friendly with open source programs. And they see every server as a potential risk, and even more if it's open source, since anyone can build your own copy. If you can sign your .exe easily, go ahead, since you will gain the trust from Antivirus companies, and they can't come with that 'variant' excuse anymore. But like I've said, I don't see the point to be worried for just 2 or 3 false positives.
i recommend digital signing, but that won't stop AV from detecting it as a "virus / risk ware" ... i know many sites and bad programs that are digitally signed, but they are still bad programs and scammers... digital signing just means you took the time to give the program your "contact" information...
in the long run it's not necessary....
-
> probably because uncompressed, the size of the executable is four times larger
> it gives them more work, suddenly they are not happy
> they must necessarily take revenge in one way or another ;D ;D
LOL, that surely was the problem! ;D
> i recommend digital signing, but that won't stop AV from detecting it as a "virus / risk ware" ... i know many sites and bad programs that are digitally signed, but they are still bad programs and scammers... digital signing just means you took the time to give the program your "contact" information...
> in the long run it's not necessary....
Thanks for the info, so Digital Signing is useless for this problem.
I've found two articles explaining this 'old' big problem with antivirus:
- Antivirus companies cause a big headache to small developers. (http://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/)
- An open letter for Antiviral software companies. (http://autohotkey.com/board/topic/29203-an-open-letter-for-antiviral-software-companies/)
-
14€ (+tax) /year would be ok, but it takes time.
i will consider it when i have some time.
thanks ;)
-
I am seeing this also with Windows 10 defender and Malwarebytes.
Trojan:Win32/Spallowz.A!cl
Alert level: Severe
-
> I am seeing this also with Windows 10 defender and Malwarebytes.
> Trojan:Win32/Spallowz.A!cl
> Alert level: Severe
i have seen that one too, what i have found is that the hfs file downloaded was from an "ISP cache" site that had a bad version and was corrupted...
(i have worked with Microsoft "live / defense (defender) / security essential / ms anti spyware") - the up to date official download doesn't get claimed as a "Trojan / virus / risk-ware / etc."....
lorgarth, i would recommend you to try to re-download, if have to, will place a google download link like before (https) can't be sync-seeded via the ssl certs renewal process, so it's harder for an ISP to "cache" the site.....
the problem / why this topic was started was that AV programs are giving a false positive...
I can 100% be sure that there is not a problem with the latest build...
-
bmartino1, i noticed that you are making lots of typos lately. A martini spilled on your keyboard?
-
:) :P ...
yeah yeah... most of my time on the forum is late at night, i'm a bad typist.. on top of tired and dyslexic... i will try to fix what i can...
-
> bmartino1, i noticed that you are making lots of typos lately. A martini spilled on your keyboard?
You nailed it right on the spot!... ;D
> yeah yeah... most of my time on the forum is late at night, i'm a bad typist.. on top of tired and dyslexic... i will try to fix what i can...
Don't worry, I personally understand what you write. But this is a problem for those who need to use Google Translator (I'm not referring to Rejetto since he knows English), but there are Russians, Germans and Chinese in this forum who need to use a translator, and they can't get the translation done properly. Maybe you should use some extension for your browser that lets you automatically correct any typos fast and easy. ;)
Look here: LanguageTool (https://github.com/languagetool-org/languagetool) (for Firefox) (https://addons.mozilla.org/en-US/firefox/addon/languagetoolfx/) & (for Chrome) (https://chrome.google.com/webstore/detail/languagetool/oldceeleldhonbafppcapldpdifcinji)
Like you say: "I'm only trying to help, I mean, no offense." :P
-
> i have seen that one too, what i have found is that the hfs file downloaded was from an "ISP cache" site that had a bad version and was corrupted...
> (i have worked with Microsoft "live / defense (defender) / security essential / ms anti spyware") - the up to date official download doesn't get claimed as a "Trojan / virus / risk-ware / etc."....
> lorgarth, i would recommend you to try to re-download, if have to, will place a google download link like before (https) can't be sync-seeded via the ssl certs renewal process, so it's harder for an ISP to "cache" the site.....
> the problem / why this topic was started was that AV programs are giving a false positive...
> I can 100% be sure that there is not a problem with the latest build...
The download I pulled was from here, or I thought it was. I will try again and see what I get.
From the link on http://www.rejetto.com/hfs/?f=dl I get the save from http:rejetto.webfactional.com. I also got a download link from a .cz page. Both pages flagged the download as Win32.Spallowz.A!cl infected.
Tried a third time from http://www.melauto.it same thing flagged. :(
-
https://drive.google.com/open?id=0B9u5dgydfOEueENzajBhY3F5SG8
hfs 2.3 i ...
exe...
try this...
strangeness even the download (as i also tested it...) from a clean hfs off the https of my google drive is causing this...
although, i believe it to be something in Chrome, try using Firefox (Firefox worked properly on the https link and the official rejetto download link)...
all clear via scan for the link.... (definitely google browser....)
https://www.virustotal.com/en/url/f4cc586f9017dfce3f23e1349357212660c5ae687942ca803599208431ee201c/analysis/1467737565/
-
> https://drive.google.com/open?id=0B9u5dgydfOEueENzajBhY3F5SG8
> hfs 2.3 i ...
> exe...
> try this...
> strangeness even the download (as i also tested it...) from a clean hfs off the https of my google drive is causing this...
> although, i believe it to be something in Chrome, try using Firefox (Firefox worked properly on the https link and the official rejetto download link)...
> all clear via scan for the link.... (definitely google browser....)
> https://www.virustotal.com/en/url/f4cc586f9017dfce3f23e1349357212660c5ae687942ca803599208431ee201c/analysis/1467737565/
The file you linked came up clean, both with Malwarebytes and Windows Defender.
thanks
-
lorgarth: Just out of curiosity, what's your ISP? (Internet Service Provider). Because what happened to you, it's your ISP's fault. Well, I'm glad you solved it.
-
> lorgarth: Just out of curiosity, what's your ISP? (Internet Service Provider). Because what happened to you, it's your ISP's fault. Well, I'm glad you solved it.
I have TDS telecom
-
> I have TDS telecom
Thank you. This happened to some other user in the past, as you can read here (http://www.rejetto.com/forum/hfs-~-http-file-server/chromewindows-defender-detecting-virus/). Usually ISPs cache files from HTTP (https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol) links, but not from HTTPS (https://en.wikipedia.org/wiki/HTTPS) (SSL). This explains why a file hosted on Google Drive (hosted on HTTPS) gets downloaded "cleanly" on your side. You can read an explanation of how ISPs cache files here (http://www.rejetto.com/forum/hfs-~-http-file-server/chromewindows-defender-detecting-virus/msg1060583/#msg1060583).
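-
Added example, not part of the forum thread: one way to check whether copies of the same release fetched over different channels (plain-HTTP mirrors versus an HTTPS download) are really byte-identical before blaming the antivirus or the ISP. The source labels and sample bytes are constructed, and treating the HTTPS copy as the reference is an assumption.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the copies are identical."""
    for offset, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return offset
    # Shared prefix: identical, or one copy is a truncation of the other.
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_downloads(copies: dict, trusted: str) -> dict:
    """Report every copy whose SHA-256 differs from the trusted copy.

    copies  -- maps a source label to the bytes downloaded from it
    trusted -- label of the reference copy (assumed here: fetched over HTTPS)
    """
    reference = copies[trusted]
    ref_digest = sha256_hex(reference)
    report = {}
    for source, data in copies.items():
        digest = sha256_hex(data)
        if digest == ref_digest:
            continue  # byte-identical to the reference
        report[source] = {
            "sha256": digest,
            # 0 means same length but changed bytes; negative means truncated
            "size_delta": len(data) - len(reference),
            "first_diff": first_difference(reference, data),
        }
    return report

# Constructed stand-ins for downloaded files (not real HFS binaries).
CLEAN = b"MZ" + bytes(range(256)) * 4
SAMPLES = {
    "https-origin": CLEAN,
    "http-mirror-ok": CLEAN,
    "http-cached": CLEAN[:300] + b"\x00" * 16 + CLEAN[316:],  # altered in place
    "http-truncated": CLEAN[:512],                            # cut short
}

if __name__ == "__main__":
    for source, info in compare_downloads(SAMPLES, "https-origin").items():
        print(source, info)
```

A copy that matches the reference digest and is still flagged points at the scanner's signature; a copy that differs points at the download path.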