False Positive on VirusTotal

Reply
Highlighted
L1 Bithead

False Positive on VirusTotal

Detection result on virustotal.com below:

 

Puppet3G.exe

    Palo Alto Networks (Known Signatures) generic.ml 20180929

 

https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip

Puppet3G.exe is detected, but Puppet3R.exe is not detected.

 

source
https://github.com/leo-typeb/Puppet3
distributed installer
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3G.zip
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3R.zip
I developed it.
Puppet3 is distributed 2 versions Puppet3G and Puppet3R.
The difference between the 2 versions:
- GUID of .exe
- Picture in the Resource
- Name: Puppet3G.exe Puppet3R.exe
Puppet3 is hobby software. It moves eyes and mouth with Microphone sound or Application sound.
The reason why 2 versions are distributed is that there are users on YouTube wish to display their two puppets on the live streaming or movies.


Accepted Solutions
Highlighted
L5 Sessionator

We do not rely on other vendors for our verdicts. Our own internal engineers and tools have deemed this file to perform possibly malicious activities erning it a malicious verdict. If the file is changed at a later date and no longer performes these possably malicious actions, we can take a look then, but at that point it will have a different hash. 

View solution in original post


All Replies
Highlighted
L4 Transporter

Hello Leo-typeb,

 

In your bundle https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip, you have two files -

1. Puppet3G.exe  sha256: fd65e473242b97f5ea01393158550d30f5779c3706e29e3367e0c440260d520e

VT Detection Ratio: 10 / 68

https://www.virustotal.com/file/fd65e473242b97f5ea01393158550d30f5779c3706e29e3367e0c440260d520e/ana...

 

Since 10 other vendors think that it could be malicious, we need to check and will update soon.

 

2. Puppet3R.exea . 9a82cb19692af4c3178e5354bcb71d4950a0d9068890a6b8a02df7dbccbc62e

VT Detection Ratio: 7 / 68

https://www.virustotal.com/file/a9a82cb19692af4c3178e5354bcb71d4950a0d9068890a6b8a02df7dbccbc62e/ana...

 

Paloalto networks verdict is already benign. 

 

Thanks

Himani

Himani Singh
Highlighted
L4 Transporter

Hi

 

Our malware team took another look at the sample, file and Sha256 hash. our team is keeping the verdict as malware for generic hits for malware.

 

Thanks

Himani

Himani Singh
Highlighted
L1 Bithead

Hi Himani,

 

Thank you for your reply.

 

About 20 of vendors detected on virustotal.com. So I am sending reports to them.

Some vendors (Microsoft, Symantec, F-Secure, etc.) have update their product already, but some other vendors have not reply yet.

 

Can I re-report to you after I get these vendors reply?

 

Best Regards,

Leo-typeb

 

Highlighted
L5 Sessionator

We do not rely on other vendors for our verdicts. Our own internal engineers and tools have deemed this file to perform possibly malicious activities erning it a malicious verdict. If the file is changed at a later date and no longer performes these possably malicious actions, we can take a look then, but at that point it will have a different hash. 

View solution in original post

Highlighted
L1 Bithead

Hi dparris,

 

Thank you for your support.

 

I understand.

I am publishing the source code and only one of the two executable files built from the same code is marked as malware.

I will notify users of this version that I can not support false positives from your products.

 

Best Regards,

Leo-typeb

Highlighted
L5 Sessionator

Hi Leo-typeb,

 

No problem, like I said as far as our engineers and tools show us, and it seems many other of the top AV and Malware protection providers this is a true positive. We can not change that. 

 

Have a wonderful day, I hope you get this strieghtened out.

Don

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!