Zeronet: VirusTotal flags the Windows bundle on three different scanners.

Created on 11 Apr 2017 · 17 Comments · Source: HelloZeroNet/ZeroNet

All 17 comments

Ran it against another scanner and confirmed flagged:
https://virusscan.jotti.org/en-US/filescanjob/qlyr19lb53

I'm sure it's a false alarm. What can we do against it?

I submitted a false positive report to ClamAV.

So ClamAV accepts any report without confirming?

They do have an investigation process.

But they still think that it's a virus?

I haven't had any reply from ClamAV. Perhaps someone / Tamas should contact ClamAV via their mailing list https://www.clamav.net/contact#ml to get a formal reply.

Another reason to convert @HelloZeroNet into an organization. Then register as a developer on Microsoft Store (and Apple Developer and Google Play, etc.). Then work to get ZeroNet entered into the Microsoft Store (will need signing, etc., but Windows/ClamAV will presume it's been blessed).

Just to follow up on this, I submitted the Mac version and it is getting flagged heuristically by one scanner:
https://www.virustotal.com/en/file/beac83a1299415a90d58b680c0f466337d527337d9214b96e188fcc8ce733d8f/analysis/1492558599/

Meanwhile the number of scanners flagging on the Windows version only seems to be increasing:
https://www.virustotal.com/en/file/67cae9f608d5e912b9b7e23c457c136f1aeaf989f124241e54b3a5dc2c74f4e0/analysis/1492558790/

This might be a decent resource for attempting to report potential false positives:
https://www.techsupportalert.com/content/how-report-malware-or-false-positives-multiple-antivirus-vendors.htm

These are all very minor/unknown anti-virus engines and they all report something different, so it's definitely a false positive, which can't really be fixed on ZeroNet's side.

Also, note that ClamAV, while a commendable initiative, has one of the worst detection rates out there, so I wouldn't trust it much.

@HelloZeroNet Can this be closed?

You're right. We should freeze this until the py3 bundle goes live and check whether it's still a problem.

This is what PUA.DownloadAdmin could mean (source):

PUA.DownloadAdmin is a potentially unwanted application that may download additional software onto the computer.

The program is a software installation manager that must be manually downloaded and installed on the computer.
When the program is executed, it displays an End User License Agreement (EULA). If the user accepts the EULA, the program may then offer to install additional potentially unwanted applications.
The EULA also contains details saying that it displays ads at the discretion of the software.

Maybe they don't like that ZeroNet automatically downloads visited zites (potentially unwanted applications)? If this is true, the only thing to fix this is to submit a false positive report to the antivirus.

I think that's not the reason. The real reason is that ZeroBundle doesn't actually include ZeroNet; it downloads ZeroNet code on startup.

The submitted file was ZeroNet-win-dist.zip, which includes all the necessary files and does not depend on GitHub.
I just submitted the py3 version and it does not trigger any scanner yet: https://www.virustotal.com/gui/file/3621349b45ad40a020710607c78e03294b783272240af12a084669478c6a16c6/detection

@HelloZeroNet Can this be closed? There are only 2 detections from some unknown engines.
