topic Re: False Positive on VirusTotal in VirusTotal

False Positive on VirusTotal

leo-typeb — Sat, 29 Sep 2018 08:09:37 GMT

Detection result on virustotal.com below:

Puppet3G.exe

Palo Alto Networks (Known Signatures) generic.ml 20180929

https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip

Puppet3G.exe is detected, but Puppet3R.exe is not detected.

source
https://github.com/leo-typeb/Puppet3
distributed installer
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3G.zip
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3R.zip
I developed it.
Puppet3 is distributed 2 versions Puppet3G and Puppet3R.
The difference between the 2 versions:
- GUID of .exe
- Picture in the Resource
- Name: Puppet3G.exe Puppet3R.exe
Puppet3 is hobby software. It moves eyes and mouth with Microphone sound or Application sound.
The reason why 2 versions are distributed is that there are users on YouTube wish to display their two puppets on the live streaming or movies.

Re: False Positive on VirusTotal

hisingh — Mon, 01 Oct 2018 22:54:57 GMT

Hello Leo-typeb,

In your bundle https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip, you have two files -

1. Puppet3G.exe sha256: fd65e473242b97f5ea01393158550d30f5779c3706e29e3367e0c440260d520e

VT Detection Ratio: 10 / 68

https://www.virustotal.com/file/fd65e473242b97f5ea01393158550d30f5779c3706e29e3367e0c440260d520e/analysis/1538401934/

Since 10 other vendors think that it could be malicious, we need to check and will update soon.

2. Puppet3R.exea . 9a82cb19692af4c3178e5354bcb71d4950a0d9068890a6b8a02df7dbccbc62e

VT Detection Ratio: 7 / 68

https://www.virustotal.com/file/a9a82cb19692af4c3178e5354bcb71d4950a0d9068890a6b8a02df7dbccbc62e/analysis/1538402069/

Paloalto networks verdict is already benign.

Thanks

Himani

Re: False Positive on VirusTotal

hisingh — Tue, 02 Oct 2018 18:29:54 GMT

Our malware team took another look at the sample, file and Sha256 hash. our team is keeping the verdict as malware for generic hits for malware.

Thanks

Himani

Re: False Positive on VirusTotal

leo-typeb — Wed, 03 Oct 2018 12:07:48 GMT

Hi Himani,

Thank you for your reply.

About 20 of vendors detected on virustotal.com. So I am sending reports to them.

Some vendors (Microsoft, Symantec, F-Secure, etc.) have update their product already, but some other vendors have not reply yet.

Can I re-report to you after I get these vendors reply?

Best Regards,

Leo-typeb

Re: False Positive on VirusTotal

dparris — Wed, 03 Oct 2018 13:03:47 GMT

We do not rely on other vendors for our verdicts. Our own internal engineers and tools have deemed this file to perform possibly malicious activities erning it a malicious verdict. If the file is changed at a later date and no longer performes these possably malicious actions, we can take a look then, but at that point it will have a different hash.

Re: False Positive on VirusTotal

leo-typeb — Wed, 03 Oct 2018 15:52:45 GMT

Hi dparris,

Thank you for your support.

I understand.

I am publishing the source code and only one of the two executable files built from the same code is marked as malware.

I will notify users of this version that I can not support false positives from your products.

Best Regards,

Leo-typeb

Re: False Positive on VirusTotal

dparris — Wed, 03 Oct 2018 16:35:34 GMT

Hi Leo-typeb,

No problem, like I said as far as our engineers and tools show us, and it seems many other of the top AV and Malware protection providers this is a true positive. We can not change that.

Have a wonderful day, I hope you get this strieghtened out.

Don