Cool VL Viewer forum

Microsoft Security Essentials deleting CoolVlViewer 

Joined: 2021-10-06 18:03:51
Posts: 17
The latest Windows installer (1-30.2.15) is being deleted by Windows MSE as soon as it is downloaded, or copied across from a Linux PC. The flagged item is "Trojan:Script/Watac/B!ml".

Before I unlock it from Quarantine, have you any thoughts? This is the first time I've ever had this occur.

ETA: I'm not using Chrome, by the way; this action is occurring in Firefox as soon as the download completes and an attempt is made to access the file.


2023-06-04 20:27:03

Joined: 2009-03-17 18:42:51
Posts: 5523
Well, first check that the installer you downloaded did not get infected by a virus on your own machine: verify the sha1sum for CoolVLViewer-1.30.2.15-Windows-x86_64-Setup.zip with the one I give on the download page, then check the sha1sum for the unzipped installer, CoolVLViewer-1.30.2.15-Windows-x86_64-Setup.exe, which is 3ee4aa8375db696d75fb4fc4d2e3b4e1dd7c3ff5.

Then, to reassure yourself, upload the latter installer to VirusTotal, and you will see the resulting analysis by 68 antivirus suites and 3 different sandboxes (including MSE). As you can see, the Cool VL Viewer is totally void of any menace (amusingly, MSE reports network communications by the installer, while it never accesses any network resources, but if you look at the reported IPs, they are those of Windoze and Micro$oft, that is, the IPs used by MSE itself :roll:).

Antiviruses sometimes spew false positives, however it is pretty much impossible that the published viewer binaries get infected at my level: I am using a dedicated VirtualBox VM (with most Windoze services shut down to minimize the attack surface) to compile them, and that VM runs under Linux, on a machine connected via Ethernet wires (no WiFi in my home!) to my local network, itself protected by a Linux firewall (*) between my ISP's Internet box (which I don't trust in the least) and my network... I also always check my compiled binaries with ClamAV before packaging them, and I also often check the installer on VirusTotal as well... Of course, an infection on the host provider, while unlikely, is still possible, and should you have a virus on your own PC, it might infect the downloaded installer; this is why I provide the sha1sums...

I have been publishing hundreds (yep!) of viewer releases for over 15 years, and never has a single one conveyed a virus/trojan/malware/whatever...


(*) And I have been a UNIX/Linux admin for the past 34 years, so I do know how to protect a Linux computer from any threat.


2023-06-04 22:25:31

Joined: 2021-10-06 18:03:51
Posts: 17
Henri, thanks for the advice. I had already downloaded the Linux and Windows versions to my Linux box as well. I ran the sha1sum commands against them and got the results you posted on the download page, so there is no infection on either my Windows 7 or Linux machine.

I unzipped the Windows exe on the Linux machine and checked the sha against what you posted above, and it is correct, thanks for posting that additional shasum.

Since I have never seen this on any previous releases I can only assume that a recent signatures update to Microsoft Security Essentials has added a signature, or something in the current release is giving a false positive.


2023-06-05 14:08:40
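The two-step check discussed in this thread (digest of the downloaded zip, then digest of the installer inside it), as an added example that is not part of the original posts or of the Cool VL Viewer project. The installer name and its SHA-1 are the ones quoted above; the archive's SHA-1 is not quoted in the thread and must be taken from the download page. The function names and the in-memory sample archive are this example's own.

```python
import hashlib
import io
import sys
import zipfile
import zlib

# Installer name and SHA-1 as quoted in the thread; the archive's SHA-1 is
# not quoted there, so it has to be passed in from the download page.
INSTALLER = "CoolVLViewer-1.30.2.15-Windows-x86_64-Setup.exe"
INSTALLER_SHA1 = "3ee4aa8375db696d75fb4fc4d2e3b4e1dd7c3ff5"

def sha1_of_stream(stream, chunk=1 << 20):
    """Hex SHA-1 of a binary stream, read in chunks to bound memory use."""
    digest = hashlib.sha1()
    for block in iter(lambda: stream.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest()

def verify_release(zip_file, zip_sha1, member=INSTALLER, member_sha1=INSTALLER_SHA1):
    """Check a seekable archive, then one member hashed straight from it."""
    result = {"zip_ok": False, "member_ok": False}
    zip_file.seek(0)
    result["zip_ok"] = sha1_of_stream(zip_file) == zip_sha1.strip().lower()
    zip_file.seek(0)
    try:
        with zipfile.ZipFile(zip_file) as archive:
            with archive.open(member) as payload:  # KeyError if absent
                actual = sha1_of_stream(payload)
                result["member_ok"] = actual == member_sha1.strip().lower()
    except (KeyError, zipfile.BadZipFile, zlib.error):
        pass  # missing member or damaged archive: member_ok stays False
    return result

def build_sample_zip(member, data):
    """Constructed test archive (not a real release), built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(member, data)
    return buf

if __name__ == "__main__":
    # Usage: verify.py <path-to-Setup.zip> <zip-sha1-from-download-page>
    with open(sys.argv[1], "rb") as fh:
        outcome = verify_release(fh, sys.argv[2])
    print(outcome)
    sys.exit(0 if all(outcome.values()) else 1)
```

The installer is hashed as it is read out of the archive, so nothing is extracted to disk during the check.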