Trojan Virus? [false positive]

[aviator1213 4]

Windows Defender detected "Trojan:Win32/Azden.A!cl" in "rxpGNS-530-XPL.exe" and quarantined it, saying it is dangerous and executes commands from an attacker.  Defender recommends removal.

Is there a problem with it, or is this a false alarm?

[RXP 2,327]

Hi, our files may produce false positives.

Unless our files have got contaminated on your drive by an existing/hidden virus, they are safe otherwise.

[Alvega 1,086]

I also get the same warning with the "rxpGTN-750-XPL.exe.

Sent the file to Virus Total, looks like it's clean.

 

[RXP 2,327]

Hi, 

You can never be sure it wouldn't be contaminated on your drive, neither would we.

However, our development systems are kept separate from our business systems, and only connect to the internet to limited number of websites, and the only software installed and running is development related from known vendors only.

This is a false positive only because our files are protected/encrypted and this gets flag as 'virus'. Please note our files are being internally tagged with a unique id (this is unrelated to code signing, it is designed for anti-virus software to acknowledge the file source), but some antivirus software just don't bother agreeing to the technologies put in place by antivirus vendors to avoid these false positives.

[cstater 2]

On 10/24/2017 at 8:08 PM, RXP said:

Hi, 

You can never be sure it wouldn't be contaminated on your drive, neither would we.

However, our development systems are kept separate from our business systems, and only connect to the internet to limited number of websites, and the only software installed and running is development related from known vendors only.

This is a false positive only because our files are protected/encrypted and this gets flag as 'virus'. Please note our files are being internally tagged with a unique id (this is unrelated to code signing, it is designed for anti-virus software to acknowledge the file source), but some antivirus software just don't bother agreeing to the technologies put in place by antivirus vendors to avoid these false positives.

Sorry to open this back up...

This is a still a real problem.  Windows flags the installation file as dangerous from the start.  After fighting Windows to actually allow me to install the program BitDefender returns:

The file C:\Program Files (x86)\Reality XP\GNS Simulation\X-Plane\bin\rxpGnsSim32.dll is infected with Trojan.GenericKD.44052360 and was moved to quarantine. It is recommended that you run a System Scan to make sure your system is clean.

System scan returns clean....

How can you be so sure that this is a false positive?  You don't code sign your executables which goes along way to proving that your files are from a legitimate source (I don't doubt that you are legitimate, but operating systems and anti-virus don't know you...).  My experience is that if more than one person has a problem with code I have developed (yes, I am a software developer) then I have to put aside my pride and assume it is my problem until I can prove otherwise.  I don't point fingers back to the user and work to prove to myself through evidence it is user error or a third parties issue.  I find that it is usually something I did, though on occasion will find it to be user error or a third parties problem - and then I solve the problem with them and not leave my customers to languish - otherwise, I won't have many customers...

I don't follow your statement that 'some antivirus software just don't bother agreeing to the technologies put in place by antivirus vendors to avoid these false positives' - Is there a standard defined somewhere that Microsoft and BitDefender are ignoring?  Please point this standard out to us as I am curious how this works.

In this day and age where being online is dangerous (why else would you separate your development system from your business system?) it is to your advantage to distribute software that doesn't have installation problems even if false positives.  I cannot continue to use your software (even though it is of great use to me) for fear that my passwords and sensitive personal information are at risk.

If you need more details and specifics, please feel free to ask.

[fppilot 4,077]

16 minutes ago, cstater said:

If you need more details and specifics, please feel free to ask.

As a long time member here and a long time user of RXP products I believe you are quite overreacting here.  False positives are common in today's world as AV screening has justifiably intensified.  You have hundreds, if not thousands who have arrived at this particular false positive before you.  None that this site is aware of have experienced any issue by allowing AV to grant passage.  I might also add that since 2015 I ceased using 3rd party AV other than Malware bytes in tandem with Windows Defender.  Life has been easier and perfectly protected.

Relax.  Install and enjoy the product.  It is well worth it.  Especially if you do not fret.

[RXP 2,327]

You're raising valid points and I thank you for this. 

You can read about some of the technologies I'm referring to, which our products are using, and which are meant to safe-guard users and developers, here for example: https://standards.ieee.org/industry-connections/icsg/index.html

As for code signing, we're not using any yet for mixed reasons I can't detail but part of the reason is also because we are supporting a wide range of operating systems (GNS V2 is compatible with WinXP). Besides, if you try to download and install the FS2020 SDK you'd be surprised about Microsoft choice of code signing and how Win10 anti-virus is treating their own files.

Having said this if you're not confortable with our files I can't say much more than not using our products at this stage and monitor from time to time our forums for news. It is unfortunate but I can't offer much alternative options for now.

[RXP 2,327]

Here is the procedure for Windows Defender

There is no way to get wrong with the Microsoft document, it is really 1,2,3,4,5:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus#exclusions

See the example below with GNS V2 (rxpGnsSim##.dll) and GTN (rxpGtnSim##.dll) excluded files, and RealityXP excluded folder:

[Palo 0]

I am trying to download the ecommerce page and I too am getting the "Trojan 32" virus notification. My computer will not allow me to download/open the exe file.

Its getting a little frustrating. 

Is there a final work through on this one?

[RXP 2,327]

@Palo Hi, the only solution is to tell your anti-virus program to let it pass through. However, are you sure it isn't your web browser which is just warning you, and not the anti-virus?

In which case:
https://www.tenforums.com/browsers-email/180184-cannot-download-files-flagged-insecure-edge-post2233437.html#post2233437

 

Edited May 12, 2022 by RXP