yaronelh / False-Positive-Center

Repository to help security vendors deal with false positives


"Google" scanner?

chrfranke opened this issue · comments

First of all: Thanks for maintaining this list!

In the smartmontools.org project, we have long-term trouble with occasional false positive reports for our CI and release builds for Windows. All are done reproducibly under Linux with MinGW-w64 + NSIS cross-toolchains in a docker container (see https://builds.smartmontools.org/).

Recently some "Google" scanner appeared in the list of FPs at VirusTotal. Does anybody know where FPs could be reported for this scanner?

What exactly is the name of the security application in VirusTotal?

It is actually named "Google" and the reported malware is named "Detected".

See the results of our most recent CI builds:
https://www.virustotal.com/gui/file/ffd07532d1c7af7da0cf7633856a3ff60f54a6ebc995dbfc079d55e3e3b81e77
https://www.virustotal.com/gui/file/1a1b6894442930d68b1e489c0392c9a1d9b2398b93f9b7dc8061900a40cf5385
(BTW: The difference of 11 vs 6 detections does not make any sense, as only static string data in the drivedb.h file has been changed.)

Even if there is nothing wrong with the package, the mere fact that it's unsigned will generate false positives each time you submit the file to be analyzed, and that will happen with each change (even minor) you make.

So take into consideration that it will take you weeks, even months, removing all of these, and in the next release you'll need to do that all over again.

Regarding Google, you can ask the VirusTotal team; I don't know exactly what they mean there.

Yes, I know. Even changing EXE-header timestamps by re-running strip may change the result in both directions. Another experience is that FPs spread faster to other scanners than they are removed after complaints.

OK, I will ask VT and report any results here.

I would suggest to keep this issue open until then. Perhaps someone else could provide useful info.
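The point above about strip rewriting the EXE-header timestamp and thereby changing the hash VirusTotal sees can be checked mechanically. The following is an added example, not code from the smartmontools project or from this repository: it parses the PE/COFF TimeDateStamp and compares two builds with that field zeroed, so you can tell a timestamp-only rebuild apart from a real content change before you submit or re-submit a file. The images it builds are constructed stand-ins, not real installers.

```python
import hashlib
import struct

PE_SIG = b"PE\x00\x00"


def build_fake_pe(timestamp: int, payload: bytes) -> bytes:
    """Constructed minimal PE-like image for the demo (not a real build):
    64-byte DOS header whose e_lfanew (offset 0x3c) points at the PE
    signature, then a 20-byte COFF header, then arbitrary 'section' bytes."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + PE_SIG + coff + payload


def _timestamp_offset(data: bytes) -> int:
    """Return the file offset of the COFF TimeDateStamp, validating the headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 4  # skip signature, Machine and NumberOfSections


def coff_timestamp(data: bytes) -> int:
    """The TimeDateStamp that strip/link rewrite on every rebuild."""
    return struct.unpack_from("<I", data, _timestamp_offset(data))[0]


def timestamp_neutral_sha256(data: bytes) -> str:
    """SHA-256 of the image with the COFF TimeDateStamp zeroed out."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, _timestamp_offset(data), 0)
    return hashlib.sha256(buf).hexdigest()


def compare_builds(a: bytes, b: bytes) -> str:
    """'identical', 'timestamp-only' (only the COFF stamp differs) or 'content-differs'."""
    if a == b:
        return "identical"
    if timestamp_neutral_sha256(a) == timestamp_neutral_sha256(b):
        return "timestamp-only"
    return "content-differs"
```

A "timestamp-only" result means the new VirusTotal hash is just a re-stamped copy of a file already scanned, which is the case where re-submitting only risks fresh detections. Real installers carry an NSIS payload after the PE image; the comparison still works because everything except the stamp is hashed.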

Another thing that may reduce the amount of false positives you encounter is packaging in 64-bit instead of 32-bit.
As for somebody else coming along, I wouldn't wait for it, but if you do find out what "Google" is in VirusTotal, do let me know so I can add it to the list.

Makes sense. FPs seem to be more likely from 32-bit programs in general. The current installer is itself 32-bit but contains executables for both. Unfortunately 64-bit support for the NSIS installer is still not part of the official downloads, but interestingly available in the Debian package.

I sent a request about the "Google" scanner via https://www.virustotal.com/gui/contact-us two days ago. No reply so far.

That's what I'm saying, it could literally take months.

Closing due to inactivity

Correct - no reply from VirusTotal since August 2.