
Comments (42)

GavinFarrington avatar GavinFarrington commented on June 6, 2024 4

Windows Defender (Win 11) just flagged bt-3.5.2 as "threats found" for me.

Detected: Program:Win32/Wacapew.C!ml

from bt.

aloneguid avatar aloneguid commented on June 6, 2024 3

10 today.


aloneguid avatar aloneguid commented on June 6, 2024 2

Analysis on above is still pending but some detections have already cleared out.


eiqnepm avatar eiqnepm commented on June 6, 2024 2

It seems Microsoft doesn't like the latest version as it has been automatically removed from my PC by Windows Defender.


aloneguid avatar aloneguid commented on June 6, 2024 2

Yeah, but it would be also super slow and at least x100 bigger in size of downloads and ram.


aloneguid avatar aloneguid commented on June 6, 2024 1

It's about $1.5k for 3 years. Could be less if you shop around. But that won't solve false AV issues, you can still be banned and certificate revoked for no reason. I think realistically one needs a legal team to deal with AV false claims which I apparently don't have. I'd recommend having a read:

And by the way, the last BT version (3.5.0) has only a single AV's claim out of 90, unlike 29 out of 90 for version 3.4.0, so it's totally random trash. I've myself become very pessimistic about the usefulness of AV software in general after dealing with this.


jnv avatar jnv commented on June 6, 2024 1

Same thing here, BT 3.5.2 was flagged by Microsoft Defender as PUA. It's possible to send files to Microsoft for further analysis: https://www.microsoft.com/en-us/wdsi/filesubmission/ – I urge you to do it if you are affected.


aloneguid avatar aloneguid commented on June 6, 2024 1

> Same thing here, BT 3.5.2 was flagged by Microsoft Defender as PUA. It's possible to send files to Microsoft for further analysis: https://www.microsoft.com/en-us/wdsi/filesubmission/ – I urge you to do it if you are affected.

I have used this before, and just submitting for latest version as "incorrectly identified as malware". Will let you know on progress:

aloneguid avatar aloneguid commented on June 6, 2024 1

@neoOpus thanks. Update checks are already fixed and will be out in v3.6. Defender does not block it anymore.


jnv avatar jnv commented on June 6, 2024 1

By the way, I reported the false positive to Avast (which also includes AVG), so VT now reports only 11 false positives.

According to their reply, they reclassified BT from malware to PUA, since apparently it doesn't match their "clean software policy" (which, surprisingly, claims signing is preferred but not required):

> Thank you for contacting Avast and reporting a false positive detection. We're happy to help.
>
> Along with the Avast virus specialist, we've checked the reported file and changed the threat detection to PUP (potentially unwanted program). The PUP detection is due to lack of compliance with Avast's clean software policy.
>
> For more information, refer to this article: Avast Threat Labs - Clean guidelines
>
> If you are the owner of the reported file and want to change the detection to clean, feel free to contact us again for a new analysis as soon as the file matches the Avast guidelines.


aloneguid avatar aloneguid commented on June 6, 2024 1

@jnv I raised the Avast issue separately yesterday, and the classification is cleared completely.


aloneguid avatar aloneguid commented on June 6, 2024 1

Also submitted a dispute to McAfee now.


aloneguid avatar aloneguid commented on June 6, 2024 1

And just for fun to Malwarebytes.


aloneguid avatar aloneguid commented on June 6, 2024 1


aloneguid avatar aloneguid commented on June 6, 2024 1

AVG and Avast were a great help in whitelisting 3.6.2, we are -2 now.


aloneguid avatar aloneguid commented on June 6, 2024 1

14/61 today!


neoOpus avatar neoOpus commented on June 6, 2024

I am unable to download it unless, of course, I disable MS Defender.


aloneguid avatar aloneguid commented on June 6, 2024

I can't afford a signing certificate so it's not going to happen. You are free to validate it's not dangerous as source code and build pipelines are completely open and transparent.


corvus2606 avatar corvus2606 commented on June 6, 2024

> I can't afford a signing certificate so it's not going to happen. You are free to validate it's not dangerous as source code and build pipelines are completely open and transparent.

What is the cost of a signing certificate?


paz avatar paz commented on June 6, 2024

Kaspersky and Sophos both left BT undetected for me, seems it might be a Microsoft specific issue.


aloneguid avatar aloneguid commented on June 6, 2024

it's totally random and changes daily ;)


neoOpus avatar neoOpus commented on June 6, 2024

It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.


CityguyUSA avatar CityguyUSA commented on June 6, 2024

There are 2 different .zip files. A pdb version which downloads fine and non-pdb version that doesn't. What's the difference between the 2?


aloneguid avatar aloneguid commented on June 6, 2024

> There are 2 different .zip files. A pdb version which downloads fine and non-pdb version that doesn't. What's the difference between the 2?

.pdb version is debug symbols to investigate crashes, you don't need that.


aloneguid avatar aloneguid commented on June 6, 2024

> It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.

You can permanently allow the "threat" until MS investigates. There are instructions available here.


aloneguid avatar aloneguid commented on June 6, 2024

Windows Defender should now be fine, just got analysis results from Microsoft:


aloneguid avatar aloneguid commented on June 6, 2024

Also VirusTotal before and after (Microsoft AV is OK now). Hopefully others will follow suit.


neoOpus avatar neoOpus commented on June 6, 2024

> It keeps getting deleted even when excluded from scans... I have to reinstall it every few days.
>
> You can permanently allow the "threat" until MS investigates. There are instructions available here.

I have been doing that since the start, but it doesn't stick. That's why I notified you that currently it is allowed and working properly, but it crashes when trying to find updates... I am simply informing you of this, but it is alright if you are unable to resolve these.


aloneguid avatar aloneguid commented on June 6, 2024

@jnv thanks for that, I also raised a request with ESET, which has reclassified it as clean.


neoOpus avatar neoOpus commented on June 6, 2024

So far, it worked and I didn't have any issue :)


jnv avatar jnv commented on June 6, 2024

Unfortunately we're back to 24 false positives for the v3.6.2 installer. Today even Microsoft Defender took down my locally compiled version.


cheTesta avatar cheTesta commented on June 6, 2024

Unfortunately we're back to 18/64


cheTesta avatar cheTesta commented on June 6, 2024

18 on the .zip version


aloneguid avatar aloneguid commented on June 6, 2024

Down to 11 today:


aloneguid avatar aloneguid commented on June 6, 2024

> 18 on the .zip version

Down to 15 today. ZIP is catching up, as I'm submitting false positives for MSI only, which contains the same binary as zip.


Ultrafeel avatar Ultrafeel commented on June 6, 2024

https://www.virustotal.com/gui/file/9a6a86a90c1c68423465a4b800f4f2941a92e1f82ed9ea0f4dfb58a641932cef/details


aloneguid avatar aloneguid commented on June 6, 2024

Same here, looks like Microsoft needs a ticket for every new version to allowlist it again.


aloneguid avatar aloneguid commented on June 6, 2024

Also this is odd, because VirusTotal only reports 4 hits from "bad" AVs


Ultrafeel avatar Ultrafeel commented on June 6, 2024

I think if it was in Dotnet or other IL language it wouldn't have so many troubles. Because it is much easier to analyze than pure x86 instruction set.


mahoromax avatar mahoromax commented on June 6, 2024

> It seems Microsoft doesn't like the latest version as it has been automatically removed from my PC by Windows Defender.

Not only the latest, also 1 or 2 previous - it broke, I installed newer one (deactivated the antivir) but at some point it reactivated... It actually breaks opening links if BT is set as default handle for hyperlinks. Typical Microsoft -.-

Can we whitelist it manually? Or do we need to do that for every version as well?

Edit: Going into the defender history and reverting + adding a manual entry for C:\Program Files\Browser Tamer\bt.exe seems to work - for now. No resetting of default browser or anything needed.

from bt.
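The manual allow step described in the comment above, as an added PowerShell example that is not part of the thread or the project's own tooling: it lists what Defender detected on the path, checks the file against a known hash, and only then excludes that single file. The path is the one quoted in the comment; `$ExpectedSha256` is a placeholder and assumes you have a hash from a source you trust (for example, a build you produced yourself).

```powershell
# Added example. Assumptions: $Path is the location quoted in the comment above;
# $ExpectedSha256 is a placeholder, replace it with a hash you trust.
$Path           = 'C:\Program Files\Browser Tamer\bt.exe'
$ExpectedSha256 = '<SHA-256 of the build you trust>'

# 1. Show what Defender detected on this path (run in an elevated PowerShell).
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like "*$Path*" } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threat.ThreatName
            Resources  = $_.Resources -join '; '
        }
    } | Format-List

# 2. Refuse to exclude a file that is missing (still quarantined)
#    or that is not the build you expect.
if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not present at $Path; restore it from Protection history first."
}
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {
    throw "Hash mismatch: got $actual. Not adding an exclusion."
}

# 3. Exclude only this one file, not the folder, then confirm the setting.
#    A path exclusion is not tied to the file's contents: whatever later sits
#    at this path is skipped too, so re-check the hash after each update.
if ((Get-MpPreference).ExclusionPath -notcontains $Path) {
    Add-MpPreference -ExclusionPath $Path
}
(Get-MpPreference).ExclusionPath
```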

Ultrafeel avatar Ultrafeel commented on June 6, 2024

> Yeah, but it would be also super slow and at least x100 bigger in size of downloads and ram.

Is https://github.com/mortenn/BrowserPicker , for example, slow and bloated for you?


Ultrafeel avatar Ultrafeel commented on June 6, 2024

From what I understand from this talk about Windows (BlueHat IL 2023 - David Weston - Default Security, https://www.youtube.com/watch?v=8T6ClX-y2AE), maybe turning it into UWP and converting MSI to MSIX can help against AV 🤓. One of the issues mentioned was "over privileged apps".

