Activitywatch: Submit false positives to antivirus vendors

Created on 21 Mar 2018  路  11Comments  路  Source: ActivityWatch/activitywatch

I saw in past issues (e.g., #140 ) that people reported that the software is flagged by antivirus software, and that this is reasonable estimate based on the heuristic of a keylogger.

The latest Windows zip is flagged by 9 scanners.

Would you please consider contacting the vendors to whitelist it? There is a contact list on techsupportalert and another list is available if you email VirusTotal.

help wanted security

Most helpful comment

Suspicious indeed.

All 11 comments

I don't think this needs to be done by the maintainers ourselves, so please feel free to do so on your own! :slightly_smiling_face:

Well this is annoying :-) - it's happening on the 0.8.3 version, and so can't install the latest version of AW at work...

image

image

@pcuci Please submit a false positive to Microsoft about that, we can't do anything else about it than that as Windows doesn't provide any safe APIs for us to use.

For what it's worth, the admin team at work managed to add an exception, then asked me to execute the following steps to clear the antivirus cache and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to
    C:\Program Files\Windows Defender
  2. Run MpCmdRun.exe -removedefinitions -dynamicsignatures
  3. Run MpCmdRun.exe -SignatureUpdate

It appears that IT help-desks inside organizations have the ability to include antivirus exceptions. I don't know if these new malware definitions later go upstream to Microsoft, it may very well be the case, or not.

Hope this encourages others to negotiate with their IT/network/security teams :-)

It appears that IT help-desks inside organizations have the ability to include antivirus exceptions.

The only annoying thing is that if you ever update ActivityWatch you will likely have to go through the same procedure again.

A more long-term solution might be to code-sign the releases, or simply put it up on the Windows store.

I am not able to run release 0.8.4 on my office pc
McAffee Endpoint Security is declaring ActivityWatch as Ransomware and blocking processes and partially deleting files (aw-watcher-afk.exe)

Found several entries in eventlog from McAffee, including details, what he thinks is evil, but as the log are in german, I dont know if posting them here makes sense.

Apparently AlternativeTo now shows a malware warning for ActivityWatch (reported in #493). Not sure what we can do about that.

However, someone dropped this link on the AlternativeTo page which gives a lot of nice details about why it's considered suspicious: https://www.hybrid-analysis.com/sample/beb047cb7583df66301493c613afe0d7bf6c62b5445eb38797b6fcf38d239afe/5e7cd780c49eaf4be46cde62

But alas, it only confirms what we already knew: it's all guesswork.

Edit: I've submitted the false positives to AVG and AegisLab (as per this VirusTotal report). We'll see if that does anything.

Edit 2: According to that hybrid-analysis report, apparently the presence of @julian's email is considered suspicious, lol.

Edit 3: I emailed AlternativeTo, we'll see what they reply.

Suspicious indeed.

AlternativeTo replied to my email and have removed the warning. Thanks @timharek for reporting!

Was this page helpful?
0 / 5 - 0 ratings