Meshcentral: Windows agent (background only) detected as Trojan

Created on 7 Jun 2019 · 9 Comments · Source: Ylianst/MeshCentral

The F-Secure scanner detects the Windows background-only agent as a Trojan. With the interactive or background/interactive agent version, it is just fine.

help wanted

All 9 comments

Yes, if you upload the agent executable to VirusTotal, you will see the exact state. The 64bit version of the agent seems to do a lot better than the 32bit version. Bryan could look into this, but not before we release our new agent with lots of fixes. I recently got my certificate revoked because of this, not sure there is much we can do about it.

Mesh agent isn't a trojan. Anyone experiencing this should report this false positive at https://www.f-secure.com/v-descs/false_positive.shtml

I think it is better to wait for the new agent release and then check again. If a false positive detection still occurs, then we can report this to F-Secure. But we need to test with all major scanners and report them. The problem is, I do not always know which scanner the remote system is using. For the users it must be as simple as possible and not alarm about any potential trojans.

Thanks for the link. I will certainly be doing this and reporting false positives. If other such links exist, I invite anyone to please post them. I do want to note that the full agent source code is present here: https://github.com/Ylianst/MeshAgent and so can independently be audited and compiled.

By the way, if there is any suggestion on whether I should self-sign the MeshAgent vs. not signing it at all, commentary on this would be appreciated.

For OSX 10.15 (released in September) a signing (notarizing) process must be followed. This requirement will be enforced for the new version 10.15.
It can already be done for the current OSX version.
See details: https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution

FYI. Just published MeshCentral v0.3.6-m with a new 32bit MeshAgent that passes all virustotal.com tests. So now, both 32bit and 64bit MeshCentral agents should not have a problem anymore.

I am going to close this issue since the latest Windows MeshAgent for 32bit and 64bit both pass the anti-malware test. The MacOS notarizing is a different issue, trying to figure out how it's going to apply to open source software.
