rejetto forum

Software => HFS ~ HTTP File Server => Topic started by: celsup85 on August 28, 2015, 02:06:38 AM

Title: Chrome/Windows Defender Detecting Virus
Post by: celsup85 on August 28, 2015, 02:06:38 AM
Hey guys. When I try to download HFS from the main page I get a virus detected error from Chrome and Windows Defender on Windows 10, but when I go to the forum and download a beta version it works fine and I am able to run it. Was the server hacked or something or is Windows nuts?

(http://i.imgur.com/s4VZ2X0.png)
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: LeoNeeson on August 28, 2015, 05:02:25 AM
Hi, and welcome to the forum! :)

The file checksum of HFS v2.3f Build #294 [July 30, 2015] must be:

Filename: HFS.exe
  CRC-32: C75AA32F
     MD4: D859736BE1EC373B8ABB2F97CB8425D9
     MD5: 7312403D4D5767EE6BB72DE7B0A07AF2
   SHA-1: 0201A9B06AF1B7B15BF00420CE439A98609C82FE

You can use HashCheck Shell Extension (http://code.kliu.org/hashcheck/) to check if your file is the correct one.

It's common for many antivirus programs to flag HFS as "suspicious (https://www.virustotal.com/en/file/5807ee2c3340e642b9cd3c4e0050f1f3c8bdaafaf15453b9dfdca2e7d70fc472/analysis/1440737012/)", since HFS is a file server. But if your HFS executable matches the above checksum, you can be sure it's only a "false (http://www.howtogeek.com/180162/how-to-tell-if-a-virus-is-actually-a-false-positive/) positive (http://www.pcworld.com/article/2883692/virustotal-tackles-false-positive-malware-detections-plaguing-antivirus-and-software-vendors.html)" (safe to run).

Download it again, and if Windows Defender continues detecting a virus, check the option "Allowed items", but do NOT run it yet. Check if your downloaded file matches the above checksum. IF IT DOESN'T MATCH, DO NOT RUN IT! Report back when you have done that, or if it's solved. :)
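
The checksum comparison described in the post above, as an added example that is not part of the original thread or of HFS: it parses the posted listing, hashes a local file in one streaming pass and reports each algorithm. The function names are made up for this example, and MD4 is left unchecked because hashlib does not provide it on every build.

```python
import hashlib
import re
import sys
import zlib

# Checksum listing as posted above for HFS v2.3f Build #294.
POSTED = """\
Filename: HFS.exe
  CRC-32: C75AA32F
     MD4: D859736BE1EC373B8ABB2F97CB8425D9
     MD5: 7312403D4D5767EE6BB72DE7B0A07AF2
   SHA-1: 0201A9B06AF1B7B15BF00420CE439A98609C82FE
"""

def parse_listing(text):
    """Return {algorithm: HEX} for every 'NAME: HEX' line; other lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9-]+):\s*([0-9A-Fa-f]+)\s*$", line)
        if m:
            found[m.group(1).upper()] = m.group(2).upper()
    return found

def file_digests(path, chunk=1 << 20):
    """Hash the file once, feeding every algorithm from the same read loop."""
    md5, sha1, crc = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha1.update(block)
            crc = zlib.crc32(block, crc)
    return {"CRC-32": f"{crc:08X}", "MD5": md5.hexdigest().upper(),
            "SHA-1": sha1.hexdigest().upper()}

def verify(path, listing=POSTED):
    """Return (per-algorithm results, overall verdict). None means 'not computed here'."""
    expected, actual = parse_listing(listing), file_digests(path)
    results = {name: (actual[name] == want if name in actual else None)
               for name, want in expected.items()}
    checked = [r for r in results.values() if r is not None]
    # CRC-32 only catches accidental corruption, so SHA-1 must be listed and match.
    return results, results.get("SHA-1") is True and all(checked)

if __name__ == "__main__":
    results, ok = verify(sys.argv[1])
    for name, outcome in results.items():
        print(f"{name:>7}: {'not checked' if outcome is None else 'match' if outcome else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it with the path of the downloaded file as the only argument; a non-zero exit status means the file does not match the listing.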
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: rejetto on August 28, 2015, 11:09:45 AM
even windows defender? this is new to me. And sad -.-
i'm submitting a request to Microsoft right now.
I just hope this won't happen at every new release.
Thanks for reporting.
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: bmartino1 on August 28, 2015, 03:36:25 PM
in windows 10, i can personally say that HFS and Chrome are not viruses, i have not had windows defender come up and say x and x is infected, i would assume an extension in chrome would be the cause, and i would have you double check your system, as windows defender picks up a registry issue as the virus.. (as seen via the picture in your post)

Windows Defender has never "tagged" HFS as a problem, and i've made sure HFS (talking with Microsoft and with reports) wouldn't be flagged as long as "if" it didn't violate x and x rules...(this was done for windows 7 and 8, windows 10 is still new...) there are other posts where HFS was being considered a virus....(false positive)

If you can confirm that it is a false positive, then post the result to Microsoft (only if you double check it and confirm that it is a false positive): report it to Microsoft:
https://www.microsoft.com/security/portal/mmpc/developer/resources.aspx

further look into what is being detected, also via your picture:
http://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/Skeeyah.C!plock
definition of why it flagged that file (which is a setting as it is located in the "Program data folder"....) meaning that if it was HFS, then it would show your HFS path...

Trojan:Win32/Skeeyah.C!plock
"Trojans are a type of malware that try to look innocent to convince you to install them on your PC.
They can steal your personal information, download more malware, or give a malicious hacker access to your PC."

since it "stops" with a working new fresh download, there is probably something wrong with your HFS executable, therefore a trojan or virus that "hijacks HFS" (executables specifically), could be at fault here....

http://www.rarst.net/software/image-file-execution-options/
which leads me to believe that your machine may still have that virus...
windows defender doesn't protect you from everything...

i would recommend you download and install malwarebytes and run a scan on the items and a full system scan...
https://www.malwarebytes.org/downloads/

and also scan your hfs executable by testing it here, there are 2-3 that warn as hfs (as false positive)
https://www.virustotal.com/

you can even use this site to scan the download links to HFS....

so yeah, good luck :)
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: celsup85 on August 29, 2015, 01:18:58 AM
LeoNeeson-

I couldn't do a checksum because it wouldn't even let me finish downloading the file. The beta build is working fine for me though so I am just gonna stick with it. Thanks for the tip though.

> even windows defender? this is new to me. And sad -.-
> i'm submitting a request to Microsoft right now.
> I just hope this won't happen at every new release.
> Thanks for reporting.

Right on. Thanks rejetto. This program is incredibly useful especially while I was testing early versions of a website.

> which leads me to believe that your machine may still have that virus...
> windows defender doesn't protect you from everything...

I doubt that. This is a fresh install of 10 with next to nothing on it yet. I was more intrigued by why I did not raise any flags downloading and using the beta build but I encountered the problem with the release version.
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: rejetto on August 30, 2015, 05:35:59 PM
i forgot to say that I experienced the same problem reported by celsup85, and it happened when downloading the exe from the official website. Doesn't happen if you download it from sourceforge (where it is zipped).
The reported exe is safe anyway, i compared it with the one downloaded from SF, and they are the same file.
This should answer some questions.
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: LeoNeeson on August 31, 2015, 06:28:05 AM
@rejetto:

> i forgot to say that I experienced the same problem reported by celsup85, and it happened when downloading the exe from the official website. Doesn't happen if you download it from sourceforge (where it is zipped).

:o That sounds weird. As a suggestion, maybe you should start posting SHA1/MD5 information along with every release (like other developers do) to make sure everyone gets the correct file. I did a test, downloading the EXE file from every known (http://www.rejetto.com/forum/hfs-~-http-file-server/new-version-2-3f/msg1060530/#msg1060530) mirror (outside SF), and all the mirrors are OK (all have the SHA1 = 0201A9B06AF1B7B15BF00420CE439A98609C82FE).

All this leads me to this crazy idea: what if your ISP is caching the file, and serving an infected file? I think this can be solved by setting up a "no-cache" configuration in your server. I don't know exactly how that can be done, but I did some Google searches, here (http://is.gd/yN7Zj4), here (http://is.gd/Y1fzqj), and here (http://is.gd/CjQoNm) (which can be of help). And maybe adding something like this (in the 'rejetto.com/hfs/download' script), prevents the ISP caching system:

<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="expires" content="0">

There is an open source (https://github.com/mnot/redbot) project/service, called REDbot, which helps (https://zoompf.com/blog/2011/12/redbot-awesome-http-testing) you to make HTTP tests: https://redbot.org/

I'm running out of ideas...
I hope it helps you someway.
Good luck... ;)
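
An added example, not part of the original thread or of the rejetto.com site: an intermediary cache decides what to do from the HTTP response headers of the download, so this sketch classifies how a shared (proxy or ISP) cache is allowed to treat a response, following the standard Cache-Control and Expires rules. The function names, result labels and sample responses are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"') or None
    return directives

def shared_cache_policy(headers):
    """Return 'no-store', 'revalidate', 'stale', 'fresh:<secs>' or 'heuristic'."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return "no-store"        # a shared cache must not keep a copy
    if "no-cache" in cc:
        return "revalidate"      # may keep a copy, must check with the origin first
    for name in ("s-maxage", "max-age"):   # s-maxage wins for shared caches
        if (cc.get(name) or "").isdigit():
            secs = int(cc[name])
            return f"fresh:{secs}" if secs else "stale"
    if "expires" in h:
        try:
            delta = parsedate_to_datetime(h["expires"]) - parsedate_to_datetime(h["date"])
            secs = int(delta.total_seconds())
        except (KeyError, TypeError, ValueError):
            secs = 0             # invalid dates such as "0" count as already expired
        return f"fresh:{secs}" if secs > 0 else "stale"
    return "heuristic"           # no explicit lifetime: the cache may pick its own

# Constructed sample responses for an .exe download (not captured from any server).
DATE = "Mon, 31 Aug 2015 06:00:00 GMT"
SAMPLES = {
    "no caching headers": {"Date": DATE, "Last-Modified": "Thu, 30 Jul 2015 12:00:00 GMT"},
    "Expires: 0": {"Date": DATE, "Expires": "0"},
    "no-cache": {"Date": DATE, "Cache-Control": "no-cache"},
    "no-store": {"Date": DATE, "Cache-Control": "no-store"},
    "long s-maxage": {"Date": DATE, "Cache-Control": "public, max-age=60, s-maxage=86400"},
}

def classify_samples():
    return {label: shared_cache_policy(hdrs) for label, hdrs in SAMPLES.items()}

if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print(f"{label:20} {verdict}")
```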
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: rejetto on August 31, 2015, 03:48:47 PM
i don't know of ISPs caching files without asking you to configure a proxy in your browser.
Anyway, i don't see how this case could be related to the problem, as i compared the 2 files and there was no difference.
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: bmartino1 on August 31, 2015, 04:10:50 PM
still don't have an issue, i agree with LeoNeeson on this, i can confirm that neither chrome nor windows 10 claims a fresh download from the official site causes an issue...

so i'll reattach the same file i downloaded from the same source....
https://drive.google.com/file/d/0B9u5dgydfOEuQnoydFFvV3djSW8/view?usp=sharing
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: LeoNeeson on September 01, 2015, 07:34:09 AM
> i don't know of ISPs caching files without asking you to configure a proxy in your browser.

This has nothing to do with a proxy or a setting in your browser. Sadly, many ISPs do this automatically and without asking for permission (and without user intervention), to reduce bandwidth (and you don't even notice when they do it).

One link I've posted above (http://is.gd/yN7Zj4), explains it better: "It is a common practice of ISP's to cache any possible file from downloading it again. As an overall result this will save ISP's lots of bandwidth although you paid for your internet download not for ISP to client download".



For example:

> Some Tiscali user asks for the file http://example.com/program.exe. If the ISP (Tiscali) has the file cached, they deliver his cached version (and not the file stored in the example.com server). This way, the ISP saves bandwidth (they do this mostly with data stored in another country, generally to save on international bandwidth traffic).

> Another example, some Wind user, asks for the same file, but his ISP is good and doesn't cache any file, so, the user is actually downloading the file directly from the example.com server (and not from the ISP cache).

(Both examples are fictional. I have mentioned ISPs from Italy, but it can be any ISP worldwide. I don't know exactly if those two ISPs are actually caching files)



And here is another article, explaining the difference: "What is browser caching and ISP caching?": https://geekhost.ca/supp/knowledgebase.php?action=displayarticle&id=90

> Anyway, i don't see how this case could be related to the problem, as i compared the 2 files and there was no difference.

It may be related (or not), but you can't be 100% sure the ISP cache always delivers a clean file, or know if the end-user is actually downloading the file from your server or the ISP cache. That's why MD5/SHA1 checksums are important, and mostly important to prevent any ISP from caching the file (using the no-cache setting), IMHO. ;)

> so i'll reattach the same file i downloaded from the same source....
> https://drive.google.com/file/d/0B9u5dgydfOEuQnoydFFvV3djSW8/view?usp=sharing

That's good, since HTTPS hosted files generally do not get cached by any ISPs. :)
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: Dave987 on October 27, 2015, 02:02:34 PM
When I loaded 2.3f, Avast and Avira both gave me grief.  When I switched to 2.3g, it did not get flagged, but perhaps the exceptions I added for 2.3f carried over, since it ended up having the same name.  Hard to say unless I experiment.
Title: Re: Chrome/Windows Defender Detecting Virus
Post by: Mars on October 27, 2015, 05:18:18 PM
virus alerts about hfs come from the fact that it acts as a web server, and also because sometimes rejetto compresses it with upx executable software to take up less space; downloaded from the official site of rejetto, hfs poses no major risk of viral infection