VirusTotal agrees!

[Steve]

Gang...

Release #64:

VirusTotal

VirusTotal

www.virustotal.com

Release #60:

VirusTotal

VirusTotal

www.virustotal.com

Something I've recently changed has really set off the major A/V scanners. I don't have the interim releases (61 62 63). But if anyone has been retaining others, I'd love to know that the A/V scanners at VirusTotal think about those.

 

[PHolder]

I would say your energies are better spent on making quality software. You know you're not making malware... let the crappy malware detectors waste their time and money figuring it out... you're never going to be able to build useful software that they won't initially complain about.

The only suggestion I would have would be to submit your next release to VirusTotal first before releasing it publicly... so you can at the same time post those results and give the detectors the best chance to get a clue as early as possible.

 

[Steve]

The only suggestion I would have would be to submit your next release to VirusTotal first before releasing it publicly... so you can at the same time post those results and give the detectors the best chance to get a clue as early as possible.

Yes! I had once told myself to always do that... but I had forgotten that.

 

[Paul F]

Something I've recently changed has really set off the major A/V scanners. I don't have the interim releases (61 62 63). But if anyone has been retaining others, I'd love to know that the A/V scanners at VirusTotal think about those.

Rel 62: 0/63
Rel 63: 0/70

 

[Steve]

Ah... Paul... thanks! It occurs to me that I DID just get a reissued Authenticode Signing Cert from DigiCert! I'll bet that these A/V's are upset because this is the FIRST TIME that new certificate is being used!

I also just purchased and received a HARDWARE signing encryption dongle from DigiCert which will allow me to obtain EV signing of this code. I'm excited to see whether that makes Windows Defender and others happier.

Thanks!

 

[Steve]

Now Virus Total detects the SAME Release #64 file as only 4/73, down from 6/73. Interesting.

I will be bringing the DigiCert hardware online and we'll see how it fares...

​

 

[Steve]

I have just re-signed Release 64 using the hardware token.
Now ONLY 1/69... "Cylance" has it marked "Unsafe" but without any followup rationale.

 

[PHolder]

I have just re-signed Release 64 using the hardware token.
Now ONLY 1/69... "Cylance" has it marked "Unsafe" but without any followup rationale.

This may just be a consequence of the passage of time... the numbers were already declining anyway. It will be interesting to see what happens with the next build/release (if/where the code itself changes again.)

 

[Steve]

Yes.

And something else, Paul...

Virus Total "knew" that SQRL was issuing a DNS query to a bizarre looking domain "sqrl.{nonce}.ver.grc" and that it was resolving to 239.0.0.64. This means that it or something it actually RUNNING the executable in some sort of sandbox to see what it will do.

At the moment I'm preforming a PRE installation version check to detect that the user has an older release than what COULD be freshly downloaded. THAT behavior appears to be factoring into the decision to be skeptical about an unknown program with zero reputation.

Since that preemptive check wasn't ever really necessary, I'm considering NOT checking in with GRC until after the app is initially installed. That ought to shut it up and not cause the A/V checkers to worry as much.

 

[Steve]

Also... VT is still showing the older non-EV-signed executable as detected by four A/V's...

https://www.virustotal.com/#/file/b...3931727508416c4f3fdb0527699f7a60f65/detection

 

[Hooblagoobla]

For SQRL v0.0.7063.69, VT is showing 1/73
VBA32 SScope.Trojan.Zbot.gen

VirusTotal

VirusTotal

www.virustotal.com

I presume this fits with the trend above.