- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
Report False Positive
- LIVEcommunity
- Collaboration
- Discussions
- VirusTotal
- Report False Positive
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Report False Positive
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-06-2021 05:32 AM
Hi team,
I am Cristian, the founder of HydraProxy.com and creator of HydraHeaders, a browser profile management app for Windows.
We launched the HydraHeaders app on the 23rd of December 2020 and as of January 5th 2020, a couple of users signaled that your scan shows our app's executable file (the exe used for running the app, not the installer) as malicious.
VirusTotal scan of installer exe: https://www.virustotal.com/gui/file/08ae48bc9de44bb4720f94e007dadf54a5195a77fd9839eb4d808d40513a1862...
(False Positive) VirusTotal scan of exe file: https://www.virustotal.com/gui/file/0fbd26fbb6eff68a08748fdd95473e6e9880ee168f5b326a99bc1ef038a02419...
Here’s the G Drive link of the installer: https://drive.google.com/file/d/1lWoK9JcR5S-jslO0D_kbofn0ABx7iILI/view?usp=sharing
Here are some technical details of our app:
- Development language: Python 3.6
- Exe package builder: pyinstaller
- Code signing certificate from Comodo
- External files used: chromedriver and sqlite
- Administrator install required: optional (users can install it only for their Windows user, there is no need for install for all Windows users)
And here are some useful links:
- Our website and HydraHeaders presentation page: https://hydraproxy.com/hydraheaders/
- Download link for our users (we host it on box.com): https://app.box.com/s/fcpkecprhbm87e6ouib5k2fgvu5huj0f
- Softpedia listing page: https://www.softpedia.com/get/Internet/Other-Internet-Related/HydraHeaders.shtml
- AlternativeTo listing page: https://alternativeto.net/software/hydraheaders/
We would greatly appreciate it if you can consider solving this false positive.
Please let me know if you need further information from our end.
Best regards,
Cristian Timofte
HydraProxy
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-06-2021 05:42 AM
Under review
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-06-2021 07:59 AM
Sample is no longer malicious
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-28-2021 01:06 AM
Hi @tsullivan7
Thank you for your help.
Please note that our update (v 1.1) has been flagged as well.
Here are some useful links:
VirusTotal page:
App landing page:
https://hydraproxy.com/hydraheaders/
Version 1.1 update download link:
https://app.box.com/s/oj2hrtm2fygotzd0ffvpidsz0r7q92od
Could you please consider this for removing the false-positive?
Thank you!
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-28-2021 06:32 AM
If your software continues getting flagged by Wildfire as malicious, it would be advisable to consider what's in the code. Is the code digitally signed? If not you may want to consider this to limit the false positives. One thing Wildfire detected is the sample contacting an IP address info service via HTTP.
This is often used by malware to tailor a message or note to the compromised system in a user's language by geographic IP location. This behavior is also used often used by malware to identify sandboxes to prevent executing in a lab environment.
I've submitted it for a verdict change evaluation.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-28-2021 06:38 AM
Hi,
Thank you for the quick reply.
Regarding the contacting IP, indeed, the app makes a request at every launch to our server to check for updates. The page it contacts is a simple HTML file with the latest version and the app simply reads the last version number posted on the page and if different from the current version of the app, it informs the user and asks him if he wants to update or not.
Regarding the code signing, even from the first version, we sign the code. We never ship it unsigned.
- False Positive (Generic.ml) ? - INOGENI_Control_App_V2_87_setup.exe in VirusTotal
- False Positive: Palo Alto Networks generic.ml in VirusTotal
- ansible module panos_ha support NGFW-VM series on AWS in Automation/API Discussions
- False Positive (Generic.ml) in VirusTotal
- GP connection Error in GlobalProtect Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
