VirusTotal and Windows Defender report Trojan:Win32/CoinMiner.N!cl for Stella-6.7.1-windows.zip and Stella-6.7.1-win32.exe (stella issue, closed, 33 comments)

mrcodechef commented on June 12, 2024

VirusTotal and Windows Defender report Trojan:Win32/CoinMiner.N!cl for Stella-6.7.1-windows.zip and Stella-6.7.1-win32.exe

from stella.

Comments (33)

sa666666 commented on June 12, 2024

Thanks, I will pull the release immediately and do new builds.

sa666666 commented on June 12, 2024

Seems to be only present in the Win32 (32-bit) builds, not the x64 (64-bit) ones. Gives me a hint at least where to look next.

elisimpson commented on June 12, 2024

Wow how did this happen??

sa666666 commented on June 12, 2024

I may have had a slightly compromised build system. That being said, I think they are all false positives. I will release updated builds tomorrow, which still have 1 or 2 false positives, but pass every virus test I have performed.

mrcodechef commented on June 12, 2024

The 32 bit stella.exe is showing about 18/68 on VirusTotal including both Microsoft and McAfee. That seems pretty high for a false positive. I believe this is substantially higher than when I first submitted, so it could be this is something new and the other engines are still catching up.

https://www.virustotal.com/gui/file/fefa7b69b79394c75de749944b1dd91d23fd4504415a177230479fd2dddf3d20

thrust26 commented on June 12, 2024

@sa666666 Can we close this one?

mrcodechef commented on June 12, 2024

Has it been confirmed this is a false positive? A check of the binary diff between the 6.7.0 and 6.7.1 32 bit stella.exe files by someone who understands the codebase and can confirm it contains only the expected changes should probably be done?

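A first cut at the binary comparison suggested above, as an added example that is not code from the Stella project: it parses the PE section table of two builds using only the standard library and reports, per section, whether the raw bytes are identical, changed, added or removed, so a reviewer knows where to focus a closer diff. `build_fake_pe` only constructs PE-shaped test blobs for the demonstration; the real inputs would be the two stella.exe files read from disk.

```python
import hashlib
import struct

def pe_sections(data: bytes) -> dict:
    """Map section name -> (SizeOfRawData, sha256 of raw bytes) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first section header
    out = {}
    for i in range(n_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        raw = data[raw_ptr:raw_ptr + raw_size]
        out[name] = (raw_size, hashlib.sha256(raw).hexdigest())
    return out

def diff_sections(old: bytes, new: bytes) -> dict:
    """Classify every section of two builds as same / changed / added / removed."""
    a, b = pe_sections(old), pe_sections(new)
    verdict = {}
    for name in sorted(set(a) | set(b)):
        if name not in a:
            verdict[name] = "added"
        elif name not in b:
            verdict[name] = "removed"
        else:
            verdict[name] = "same" if a[name] == b[name] else "changed"
    return verdict

def build_fake_pe(sections: dict) -> bytes:
    """Constructed test input: a PE-shaped blob with a real section table (not loadable)."""
    pe_off = 0x40
    head = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", head, 0x3C, pe_off)
    # COFF header: Machine=i386, NumberOfSections, three zero dwords, no optional header
    head += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_off = len(head) + 40 * len(sections)
    table, body = b"", b""
    for name, content in sections.items():
        table += name.ljust(8, "\0").encode() + struct.pack(
            "<IIII", len(content), 0, len(content), data_off + len(body)) + b"\0" * 16
        body += content
    return bytes(head) + table + body
```

A changed `.text` is expected after a year of development; the value of the check is that an unexplained new section, or a changed `.rsrc`/`.rdata` with no matching source change, is exactly what a reviewer would then inspect by hand.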

sa666666 commented on June 12, 2024

No, it hasn't been confirmed. But the fact that we both are getting the same issue on two completely different systems is suspicious. It probably means that neither of our computers has a virus, but it's something that VS is adding that is being mis-detected. Again, that isn't a proof either way, but it is compelling.

sa666666 commented on June 12, 2024

I also find it very strange that when I install some of these anti-virus programs locally, they don't detect any issues. Only when they are run on virustotal.com do they complain. Something is going on here, but it's very unclear to me what it is.

mrcodechef commented on June 12, 2024

The Windows 11 Defender detects the 32 bit stella.exe (or rather the downloads containing it). That's how I was first alerted to the issue. Extracting the zip in a Linux box and then accessing it is how I determined it was specifically stella.exe. VirusTotal was just so that I had a shareable confirmation of the issue.

sa666666 commented on June 12, 2024

My Windows 11 Defender didn't detect it. I will experiment again to see if I can replicate.

sa666666 commented on June 12, 2024

Oh, and when I said 'we' above, I meant that myself and another developer of Stella have completely different systems, and I doubt we have exactly the same virus installed on our systems. Yet we both get the same issue. So it seems to be related to how the code is built from Visual Studio. I will try to build in Windows using MinGW, and see if it gives similar results.

mrcodechef commented on June 12, 2024

It's certainly not trending in the right direction. It looks like VirusTotal is up to 23/70 now after a forced refresh just now (was 21 when it was last scanned a couple days ago) https://www.virustotal.com/gui/file/fefa7b69b79394c75de749944b1dd91d23fd4504415a177230479fd2dddf3d20 . It was 18/68 a few days ago: #1008 (comment) . I should have noted the original amount but I want to think it was somewhere around 4-6 originally (but my memory is fuzzy on that and could be totally wrong, also that was for the zip file which not all of the AVs check inside).

If you are checking from an infected machine, it's possible you have something that is being stealthy and hiding from the AV? Maybe spin up a Windows cloud instance and make sure Defender is up to date and then try to install it?

sa666666 commented on June 12, 2024

I have access to a W11 install that has never had any other software on it. I will try that one when I get a chance. Installing in VirtualBox was going to be my next suggestion, but it's quite a bit more involved.

mrcodechef commented on June 12, 2024

I didn't notice anything too suspicious in the VirusTotal behaviour analysis of stella.exe with a zip bundle I created for just the 32 bit [1], so I think there is a fair chance this is just a false positive and the VirusTotal increase is due to some new trojan that 6.71 has unfortunate similarities to in the places AV looks. That could explain why the numbers are going up. As new vendors add detection, it increases.

Also, I'm on Windows 11 release preview 10.0.22631.3007 ni_release. That might explain why you're not seeing it. If it's a false positive but they give different virus definition updates to standard and release preview...?

I would suggest submitting it to Microsoft's malware analysis portal where I believe you can get it resolved (at least for Defender) if it's a false positive. https://www.microsoft.com/en-us/wdsi/filesubmission/

[1] https://www.virustotal.com/gui/file/975649d25325cd33f776737fed4e38920a0415a5db284cbac13bbc97cb02a91d

thrust26 commented on June 12, 2024

I just hope this doesn't happen again with the next release.

BTW: Is there a possibility that something has crept into our code base?

sa666666 commented on June 12, 2024

Now that I'm aware of it, I will do checks before releasing. I doubt it's from any code that we've added, but I suppose I can't say for sure.

thrust26 commented on June 12, 2024

It could be in pulled code or in an updated library.

sa666666 commented on June 12, 2024

I've now tested on a W11 install that I almost never use, so practically no chance of having a virus. Essentially it's a clean install with just Visual Studio 2022 and all updates installed. Still gives 1 report on x64, and 6 on x32. And they are different again from the ones reported here, and from my main Windows build system. So now I'm really wondering if these are valid at all.

The last thing I will attempt (when I get time) is to install a completely fresh copy of W11 in VirtualBox, install all updates, and then install only Visual Studio. I will then use this image to create all future Stella release builds. But if it reports a virus from that one too, I will be completely lost.

thrust26 commented on June 12, 2024

You could try to bisect.

sa666666 commented on June 12, 2024

I'm actually testing against the latest code. So since it's already there in 6.7.1, we would have to go backwards. I guess I should try downloading older releases and testing them at virustotal. Perhaps it will narrow down which release it started at.

mrcodechef commented on June 12, 2024

When I first encountered this, I just backed out to 6.7.0 and it didn't cause any issues, so it appears to be something that changed between 6.7.0 and 6.7.1.

sa666666 commented on June 12, 2024

The problem is that the 6.7.1 release is over a year after the 6.7.0 one, so anything could have happened. I've upgraded Visual Studio several times since then, installed new software, etc. So it could be anything.

I have access to a MinisForum PC with Windows 11 Pro. I am wiping it and installing a fresh copy of Windows, all updates and then the latest Visual Studio. All of this has been done separately from my main Windows system, to eliminate any chance of a virus jumping from one system to another. This will be my last step. If it still doesn't fix it, then I pretty much know for sure it's a false positive.

thrust26 commented on June 12, 2024

I meant, IF it is in our codebase, bisecting would show the responsible commit.

sa666666 commented on June 12, 2024

First I want to confirm that it's a completely clean OS install. Then I will move on to the codebase itself. Besides, I may turn this new MiniPC into the build machine for Windows releases, and never install anything else on it. So we can hopefully solve this problem and not have it happen again.

thrust26 commented on June 12, 2024

Since I got the same results at virustotal.com, I strongly doubt that it is in your system.

DirtyHairy commented on June 12, 2024

Honestly, I think this is a fluke.

thrust26 commented on June 12, 2024

Same here. But I think @sa666666 wants to be 100% sure.

thrust26 commented on June 12, 2024

@sa666666 Can we close this one?

Maybe we should provide help per OS how to circumvent these false alerts. I suppose we will see more and more of these in the future.

sa666666 commented on June 12, 2024

I have done everything I can, including using a completely new install of Windows 11 on a new system. So this indeed looks to be a false positive. And it only happens in the 32-bit version, which is one of the reasons why I'm strongly leaning to removing 32-bit Windows builds for a future release.

elisimpson commented on June 12, 2024

> I have done everything I can, including using a completely new install of Windows 11 on a new system. So this indeed looks to be a false positive. And it only happens in the 32-bit version, which is one of the reasons why I'm strongly leaning to removing 32-bit Windows builds for a future release.

32-bit Windows is pretty much dead. ARM is the secondary target these days.

You might consider just having separate distributions for each arch, so the 64-bit version doesn't get flagged if the 32-bit does

thrust26 commented on June 12, 2024

32-bit will only be supported as long as Win 10 is supported by M$. So the end is coming. 😄

I am not sure if splitting the distributions will help that much. Next time 64-bit might be false flagged.

sa666666 commented on June 12, 2024

It's not just this issue. I want to discontinue 32-bit anyway. I've already done it for Linux, and Apple has done it for Mac.
