Geminaut, anyone else have Antivirus rejecting the executable?

Pete D. <peteyboy (a) sdf.org>

I've tried to download and expand the exe for GemiNaut a couple times, 
and my antivirus (Vipre) pulls out the executable every time saying it's 
"Virus.Generic" or something. Anyone else seeing this?

This is Geminaut 0.8.7 package from: 
https://www.marmaladefoo.com/pages/geminaut

Jake <jake (a) rmgr.dev>

This reminds me, I did have Malwarebytes freak out over the marmaladefoo 
domain but didn't care about Geminaut itself

-------- Original Message --------
On 30 Aug. 2020, 4:51 pm, Pete D. wrote:

> I've tried to download and expand the exe for GemiNaut a couple times,
> and my antivirus (Vipre) pulls out the executable every time saying it's
> "Virus.Generic" or something. Anyone else seeing this?
>
> This is Geminaut 0.8.7 package from:
> https://www.marmaladefoo.com/pages/geminaut

Luke Emmet <luke (a) marmaladefoo.com>

Hi Jake and Pete

Pete: It's likely to be a false positive, but if you can send me any 
further context privately I'll see if there is anything I can do. 
GemiNaut is compiled from source; you can do so yourself:

https://github.com/LukeEmmet/GemiNaut

Also Jake, if there is any further context you can provide about the 
domain I'll take a look. But there is nothing strange going on as far as 
I am aware.

Mutter mutter, antivirus, mutter...

Best wishes

  - Luke

On 30-Aug-2020 09:51, Jake wrote:
> This reminds me, I did have Malwarebytes freak out over the 
> marmaladefoo domain but didn't care about Geminaut itself
>
> -------- Original Message --------
> On 30 Aug. 2020, 4:51 pm, Pete D. < peteyboy at sdf.org> wrote:
>
>
>     I've tried to download and expand the exe for GemiNaut a couple times,
>     and my antivirus (Vipre) pulls out the executable every time
>     saying it's
>     "Virus.Generic" or something. Anyone else seeing this?
>
>     This is Geminaut 0.8.7 package from:
>     https://www.marmaladefoo.com/pages/geminaut
>

colecmac@protonmail.com <colecmac (a) protonmail.com>

Here are the results for the v0.8.7 GemiNaut ZIP[1] on VirusTotal:

https://www.virustotal.com/gui/file/304c7c7895843699c3c35fae961aaece2be46d6790eda9adb9c848cbecc0e8e6/detection

15 anti-virus engines detected the file as something malicious,
mostly declaring it a Trojan or "Gen:Variant.Ursu.931094".

This is likely because the ZIP contains an EXE and some DLLs, which
triggers[2] many anti-viruses.

Here are the results for just the GemiNaut.exe file in the ZIP:

https://www.virustotal.com/gui/file/df4039fa3f7804c0035636ce0e2304a027652c050ecf9348f2974ef93d05538d/detection

10 engines detected it this time, almost all labelling it again as
"Gen:Variant.Ursu.931094".


Hope this is useful,
makeworld


1: https://www.marmaladefoo.com/vanilla/marmaladefoo/uploads/geminaut/GemiNaut_v0_8_7.zip
2: https://github.com/Fody/Costura/issues/294

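The practical check that follows from makeworld's message is to confirm that the bytes you downloaded are the same bytes the VirusTotal report describes, and to do so without extracting the EXE onto a disk where a real-time scanner will quarantine it first. The script below is an added example, not code from this thread or from the GemiNaut project: it hashes a release ZIP and every member inside it in memory, compares the digests with the two SHA-256 values quoted in the thread's VirusTotal links, and builds the hash-lookup URL so a report can be consulted without uploading anything. The archive it builds for itself is a constructed stand-in, so its hashes will (correctly) report as mismatches against the published ones; point `compare_with_published` at a real downloaded ZIP to get a meaningful answer.

```python
import hashlib
import io
import zipfile

# Published SHA-256 values: the two taken from the VirusTotal links in
# makeworld's message above, keyed by the file's base name.
THREAD_HASHES = {
    "GemiNaut_v0_8_7.zip": "304c7c7895843699c3c35fae961aaece2be46d6790eda9adb9c848cbecc0e8e6",
    "GemiNaut.exe": "df4039fa3f7804c0035636ce0e2304a027652c050ecf9348f2974ef93d05538d",
}

# VirusTotal's per-file report URL, in the same form the thread's links use.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{}/detection"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def hash_zip_members(zip_bytes: bytes) -> dict:
    """Hash every file inside a ZIP without extracting it to disk.

    Reading members in memory avoids dropping an EXE/DLL onto the
    filesystem, where a real-time scanner would quarantine it before
    you can compare it with anything. Directory entries are skipped.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                digests[info.filename] = sha256_hex(member.read())
    return digests


def compare_with_published(zip_name: str, zip_bytes: bytes, published: dict) -> dict:
    """Compare the archive and each member against published hashes.

    Returns {name: "match" | "MISMATCH" | "no published hash"}. A MISMATCH
    means the bytes you hold are not the bytes the published VirusTotal
    report describes, so that report says nothing about your copy.
    """
    local = {zip_name: sha256_hex(zip_bytes)}
    local.update(hash_zip_members(zip_bytes))
    report = {}
    for name, digest in local.items():
        base = name.rsplit("/", 1)[-1]  # member paths may carry a directory prefix
        expected = published.get(base)
        if expected is None:
            report[name] = "no published hash"
        elif expected.lower() == digest:
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def vt_report_url(digest: str) -> str:
    """Build the VirusTotal report URL for a hash (lookup only, no upload)."""
    return VT_FILE_URL.format(digest.lower())


def build_sample_zip() -> bytes:
    """Constructed sample archive standing in for a downloaded release ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GemiNaut/GemiNaut.exe", b"MZ-constructed-sample-not-a-real-binary")
        zf.writestr("GemiNaut/README.txt", b"constructed sample readme\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    # Replace `sample` with open("GemiNaut_v0_8_7.zip", "rb").read() for a real download.
    for name, status in compare_with_published("GemiNaut_v0_8_7.zip", sample, THREAD_HASHES).items():
        print(f"{status:18} {name}")
    for name, digest in hash_zip_members(sample).items():
        print(name, vt_report_url(digest))
```

A "match" on both the ZIP and the EXE tells you the engines' verdicts in the linked reports apply to your copy, and the detection names there ("Gen:Variant.Ursu.931094", i.e. a generic heuristic family rather than a named sample) can be weighed accordingly; a mismatch means you should look up your own hashes before drawing any conclusion from the thread's reports.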
Luke Emmet <luke (a) marmaladefoo.com>

Thanks makeworld, that's really helpful.

It at least explains some of it. I guess I should crack on and build a 
proper installer, rather than simply circulate a zip. I've been meaning to.

Also the scanners can probably detect that GemiNaut will make calls to 
other applications (like gemget). Of course all of that is legitimate, 
but perhaps that in itself also looks suspicious.

sigh

  - Luke

On 30-Aug-2020 17:21, colecmac at protonmail.com wrote:
> Here are the results for the v0.8.7 GemiNaut ZIP[1] on VirusTotal:
>
> https://www.virustotal.com/gui/file/304c7c7895843699c3c35fae961aaece2be46d6790eda9adb9c848cbecc0e8e6/detection
>
> 15 anti-virus engines detected the file as something malicious,
> mostly declaring it a Trojan or "Gen:Variant.Ursu.931094".
>
> This is likely because the ZIP contains an EXE and some DLLs, which
> triggers[2] many anti-viruses.
>
> Here are the results for just the GemiNaut.exe file in the ZIP:
>
> https://www.virustotal.com/gui/file/df4039fa3f7804c0035636ce0e2304a027652c050ecf9348f2974ef93d05538d/detection
>
> 10 engines detected it this time, almost all labelling it again as
> "Gen:Variant.Ursu.931094".
>
>
> Hope this is useful,
> makeworld
>
>
> 1: https://www.marmaladefoo.com/vanilla/marmaladefoo/uploads/geminaut/GemiNaut_v0_8_7.zip
> 2: https://github.com/Fody/Costura/issues/294
>
