09-29-2018 01:09 AM
Detection result on virustotal.com below:
Puppet3G.exe
Palo Alto Networks (Known Signatures) generic.ml 20180929
https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip
Puppet3G.exe is detected, but Puppet3R.exe is not detected.
source
https://github.com/leo-typeb/Puppet3
distributed installer
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3G.zip
https://github.com/leo-typeb/Puppet3/releases/download/v3.1.3/Puppet3.1.3R.zip
I developed it.
Puppet3 is distributed in 2 versions, Puppet3G and Puppet3R.
The difference between the 2 versions:
- GUID of .exe
- Picture in the Resource
- Name: Puppet3G.exe Puppet3R.exe
Puppet3 is hobby software. It moves eyes and mouth with Microphone sound or Application sound.
The reason why 2 versions are distributed is that there are users on YouTube who wish to display their two puppets in live streams or movies.
10-01-2018 03:54 PM
Hello Leo-typeb,
In your bundle https://s3-ap-northeast-1.amazonaws.com/puppet.dev/falsepositive/Puppet3G_Puppet3R.zip, you have two files -
1. Puppet3G.exe sha256: fd65e473242b97f5ea01393158550d30f5779c3706e29e3367e0c440260d520e
VT Detection Ratio: 10 / 68
Since 10 other vendors think that it could be malicious, we need to check and will update soon.
2. Puppet3R.exea . 9a82cb19692af4c3178e5354bcb71d4950a0d9068890a6b8a02df7dbccbc62e
VT Detection Ratio: 7 / 68
Palo Alto Networks' verdict is already benign.
Thanks
Himani
10-02-2018 11:29 AM
Hi
Our malware team took another look at the sample, file and SHA256 hash. Our team is keeping the verdict as malware for generic hits for malware.
Thanks
Himani
10-03-2018 05:07 AM
Hi Himani,
Thank you for your reply.
About 20 vendors detected it on virustotal.com, so I am sending reports to them.
Some vendors (Microsoft, Symantec, F-Secure, etc.) have updated their products already, but some other vendors have not replied yet.
Can I re-report to you after I get these vendors' replies?
Best Regards,
Leo-typeb
10-03-2018 06:03 AM
We do not rely on other vendors for our verdicts. Our own internal engineers and tools have deemed this file to perform possibly malicious activities, earning it a malicious verdict. If the file is changed at a later date and no longer performs these possibly malicious actions, we can take a look then, but at that point it will have a different hash.
10-03-2018 08:52 AM
Hi dparris,
Thank you for your support.
I understand.
I am publishing the source code and only one of the two executable files built from the same code is marked as malware.
I will notify users of this version that I can not support false positives from your products.
Best Regards,
Leo-typeb
10-03-2018 09:35 AM
Hi Leo-typeb,
No problem. Like I said, as far as our engineers and tools show us, and it seems many others of the top AV and malware protection providers, this is a true positive. We cannot change that.
Have a wonderful day, I hope you get this straightened out.
Don