It's bizarre that meldc.exe and meld.exe should get different results. They're nearly identical content-wise (literally a few characters different) -- lending even more credence to the idea that this is a false positive (in case you weren't already convinced :) ). As for why UPX/MPRESS, I did it because it's what Ahk2Exe does by default when compiling scripts to exes. Ahk2Exe comes with an option to disable MPRESS, but it didn't seem to make much of a difference (I got the same hash on VirusTotal either way and almost the same detection rate -- only 1 fewer with it off). But because it didn't make a difference with file size, I'll just leave it off. Since this did seem to help some with the false positives, I've gone ahead and released a new version. That's about as much as I can do for now without re-writing the executable wrappers in another language (which I might do at some point).
-Keegan

On Mon, Feb 3, 2014 at 7:41 PM, Matias N. Goldberg <[email protected]> wrote:

> Hi! Thanks for the quick version.
> The new version is no longer detected by my ClamAV as a virus.
>
> What's very strange is that I re-ran the test in virustotal for meld.exe.
> Same hash, same filename, but now with a 6/51 detection rate:
>
> https://www.virustotal.com/en/file/eb273111729694a5c98e5b0e133f73ff2405a6004187fba2b6637abf304538e6/analysis/1391472821/
>
> meldc.exe <https://www.virustotal.com/en/file/eb273111729694a5c98e5b0e133f73ff2405a6004187fba2b6637abf304538e6/analysis/1391472821/>, however,
> has a much lower detection ratio (3/50).
>
> It may be worth noticing that none of the antiviruses agree on the type of
> virus being detected, meaning there's a high chance of it being a false positive
> (one of the initial fears is that the uploader/packager's PC is infected).
> Compressed files are always hard to detect by antiviruses. Is the
> compression ratio really that high to justify UPX/MPRESS?
>
> Cheers
> Matías
>
> IMPORTANT:
> The information contained in this email may be commercially sensitive
> and/or legally privileged.
> It is intended solely for the person(s) to whom it is addressed. If the
> reader of this message is not the intended recipient, you are on notice of
> its status and hereby notified that your access is unauthorized, and any
> review, dissemination, distribution, disclosure or copying of this message,
> including any attachments, is strictly prohibited.
> Please notify the sender immediately by reply e-mail and then delete this
> message from your system.
>
> ------------------------------
> *From:* Keegan Witt <[email protected]>
> *To:* Meld List <[email protected]>
> *Sent:* Sunday, 2 February 2014 23:46
> *Subject:* Re: [Windows] ClamAV detects Meld as a Trojan.
>
> Thank you for pointing this out. For what it's worth, I assure you it's
> clean :) I did some Googling; it seems antivirus programs have been
> flagging executables compressed with UPX <http://upx.sourceforge.net/> as
> being trojans. I updated the AutoHotkey I've been using to compile meld.exe
> and meldc.exe; the new version now uses MPRESS for compression instead of
> UPX. When I re-ran the scan with the recompiled versions, it looked
> cleaner, but there were engines that kept timing out
> <https://www.virustotal.com/en/file/2a5caa98fd1bffdfb7bb19c470e03b4b651139c11b25154dfee0352ef30c8146/analysis/1391393491/>.
> But when I ran the scan on just meld.exe, only Rising and VBA32
> complained <https://www.virustotal.com/en/file/c190ff3c13cbde4df3d58f0fa26db97e909e1160ad55dff3cb7ace113500c4d5/analysis/1391394532/>,
> so I think I'm on to something here. Could you see if you are able to get a
> complete result with the test versions I've uploaded here:
> https://sourceforge.net/projects/meld-installer/files/Testing/? If it
> looks like this improves the false positives (which, given what I saw with
> the meld.exe results, it should) I'll go ahead and move these out of testing as
> an official release.
>
> -Keegan
>
> On Sun, Feb 2, 2014 at 5:19 PM, Michael Mientus <[email protected]> wrote:
>
> I have not had a problem with the Windows installer from SourceForge.
>
> http://sourceforge.net/projects/meld-installer/
>
> You might open a ticket with your vendor to have them take a look at it.
> And make an exception in your antivirus software as a workaround.
>
> Mike
>
> *From:* meld-list [mailto:[email protected]] *On Behalf Of* Matias N. Goldberg
> *Sent:* Sunday, February 02, 2014 1:45 PM
> *To:* [email protected]
> *Subject:* [Windows] ClamAV detects Meld as a Trojan.
>
> Hi everyone!
>
> I'm new to this newslist. Please excuse me if I'm in the wrong place.
>
> I've subscribed just to report that ClamAV detects "meld-1.8.4.0.exe" as
> a Trojan:
>
> D:\Downloads\meld-1.8.4.0.exe: Win.Trojan.Autoit-734 FOUND
>
> I downloaded the Zip version and the problem persisted:
> D:\Downloads\meld-1.8.4.0\meld\meld.exe: Win.Trojan.Autoit-734 FOUND
> D:\Downloads\meld-1.8.4.0\meld\meldc.exe: Win.Trojan.Autoit-734 FOUND
> ----------- SCAN SUMMARY -----------
> Known viruses: 3099685
> Engine version: 0.98
> Scanned directories: 771
> Scanned files: 12171
> Infected files: 2
>
> I uploaded the file meld.exe to virustotal.com; 5/49 reported it as a Trojan:
>
> Antivirus               Result                                        Update
> Kingsoft                Win32.Troj.IAgent.wt.(kcloud)                 20130829
> McAfee-GW-Edition       Heuristic.BehavesLike.Win32.ModifiedUPX.C     20140202
> Rising                  PE:Spyware.KeyLogger!1.9F7B                   20140202
> TheHacker               Trojan/AutoHK.ed                              20140202
> TrendMicro-HouseCall    TROJ_GEN.F47V1205                             20140202
>
> Interestingly, their ClamAV didn't detect it (my definitions are up to
> date).
>
> I did not research whether this is a false positive or actually
> infected files.
> Looks like I will have to try compiling from source, which doesn't look
> straightforward.
>
> Cheers
> Matias
> _______________________________________________
> meld-list mailing list
> [email protected]
> https://mail.gnome.org/mailman/listinfo/meld-list
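The thread turns on two defender-side checks: whether a binary carries a UPX/MPRESS packer layout (what McAfee's "ModifiedUPX" heuristic reacts to) and whether the local file's hash matches the VirusTotal report. The script below is an added example, not code from the Meld installer project or the list; it assumes the packers' well-known default section names, and build_stub() is a constructed PE header for offline testing, not a real program.

```python
import hashlib
import struct

# Assumption: default section names the two packers write. Either packer can be
# told to use other names, so an absent match does not prove a file is unpacked.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
}


def section_names(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    n_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size                         # first 40-byte section header
    names = []
    for i in range(n_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]     # Name field, NUL-padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hint(pe: bytes):
    """Return 'UPX', 'MPRESS' or None based on the section names present."""
    for name in section_names(pe):
        if name in PACKER_SECTIONS:
            return PACKER_SECTIONS[name]
    return None


def sha256_hex(data: bytes) -> str:
    """SHA-256 to compare against the hash in a VirusTotal report URL."""
    return hashlib.sha256(data).hexdigest()


def build_stub(sections) -> bytes:
    """Constructed minimal PE header (headers only, no code) for testing."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)                # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    hdr += b"PE\0\0" + coff                              # SizeOfOptionalHeader = 0
    for name in sections:
        hdr += name.encode().ljust(8, b"\0") + b"\0" * 32
    return bytes(hdr)
```

Run packer_hint() on the downloaded meld.exe and compare sha256_hex() of the same bytes with the hash in the VirusTotal link to confirm the report describes the file on disk.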
