
Chrome falsely identifies XOWA as malicious software

gnosygnu
2014-11-27
2015-06-25
  • gnosygnu

    gnosygnu - 2014-11-27

    As originally reported here: https://sourceforge.net/p/xowa/discussion/general/thread/d3a872e1/

    Chrome is blocking the download of XOWA Windows 32-bit and 64-bit zip files. It is displaying the following message: "xowa_app_wind...zip is malicious, and Chrome has blocked it."

    I don't know what triggered this warning. I believe this is due to a recent change in google or sourceforge policy. Ironically, XOWA itself has seen the fewest number of changes over the last few weeks (I've been busy with other matters).

    I've opened up a ticket with sourceforge here: https://sourceforge.net/p/forge/site-support/9036/ . I will also post updates here. In the meantime, please use a different browser to download XOWA. I'd recommend Firefox, but any other browser should do.

    Thanks.

     
  • Anselm D

    Anselm D - 2014-12-01

    I did some tests with online virus scanner and xowa:

    Virus Total:
    For xowa.exe (32 bit);
    "Byte hero" has a false positive (heuristic):
    (maybe because of JSmooth; Java exe wrapper?)
    ByteHero Virus.Win32.Heur.c 20141201

    https://www.virustotal.com/en/file/58c287110f6ff7b22ff952d971937f9e857087d09b12a9ebed53c57822ffac50/analysis/1417465515/

    http://www.virscan.org/
    Clamav says it is a PUA packer (who cares?)
    http://r.virscan.org/report/8c831857b411767bfbfddbdc121101f1
    http://r.virscan.org/report/efe0bd2ffd015c1b30f5122dde9f6426

    Jotti:
    ClamAV also finds a PUA Packer

    xowa.exe - Jotti's malware scanner
    http://virusscan.jotti.org/de/scanresult/6098fe4eca1ef64e13e7e940c74b25e37a77d5e3

    xowa_64.exe - Jotti's malware scanner
    http://virusscan.jotti.org/de/scanresult/33cec1393a53a855685388220c41415354cfd1d1

    ClamAV for VirusTotal does not mention a PUA Packer (maybe they use the default flag for PUA:
    --detect-pua[=yes/no(*)]

    Virus Total:

    FAQ - VirusTotal
    https://www.virustotal.com/en/faq/

    "...

    VirusTotal is detecting a legitimate software I have developed, please remove the detections

    VirusTotal acts simply as an information aggregator, presenting antivirus results, file characterization tool outputs, URL scanning engine results, etc. VirusTotal is not responsible for false positives generated by any of the resources it uses, false positive issues should be addressed directly with the company or individual behind the product under consideration.

    We can, however, help you in combatting false positives. VirusTotal has built an early warning system regarding false positives whereby developers can upload their software to a private store, such software gets scanned on a daily basis with the latest antivirus signatures. Whenever there is a change in the detections of any of your files, you are immediately notified in order to mitigate the false positive as soon as possible.
    ..."

    ClamAV and PUA Packer:

    Documentation
    http://www.clamav.net/doc/pua.html

    "...
    Potentially Unwanted Applications (PUA)

    ClamAV supports the detection of so called PUAs. At the moment the following categories are available:
    Packed

    This is a detection for files that use some kind of runtime packer. A runtime packer can be used to reduce the size of executable files without the need for an external unpacker. While this can't be considered malicious in general, runtime packers are widely used with malicious files since they can prevent an already known malware from detection by an Antivirus product.
    ..."

    Documentation
    http://www.clamav.net/doc/misc-faq.html

    "...
    What is PUA? I get a lot of false positives named PUA.

    With the release of ClamAV 0.91.2 we introduce the option to scan for Potentially Unwanted Applications.

    The PUA database contains detection for applications that are not malicious by itself but can be used in a malicious or unwanted context. As an example: A tool to retrieve passwords from a system can be useful as long as the person who uses it, is authorized to do so. However, the same tool can be used to steal passwords from a system. To make use of the PUA database you can use the –detect-pua switch for clamscan or enable it in the config file for clamd (add: DetectPUA yes).

    At this point we DO NOT recommend using it in production environments, because the detection may be too aggressive and lead to false positives. In one of the next releases we will provide additional features for fine-tuning allowing better adjustments to different setups. NOTE: A detection as PUA does NOT tell if an application is good or bad. All it says is, that a file MAYBE unwanted or MAYBE could compromise your system security and it MAYBE a good idea to check it twice.
    ..."

     

    Last edit: Anselm D 2014-12-01
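The scan reports above show the pattern that usually marks a false positive: one or two engines fire with a heuristic or PUA name (ByteHero's Virus.Win32.Heur.c, ClamAV's PUA packer category) while everything else is clean, whereas a specific family name from any engine deserves a closer look. The script below is an added example, not code from XOWA or from any of the scanners; it hashes an artifact so the result can be compared with the SHA-256 in a report URL, and triages a set of per-engine verdicts using that rule. The engine list, the signature strings, and the 10% detection-ratio threshold are constructed sample data and assumptions, not any vendor's policy.

```python
"""Triage multi-engine antivirus verdicts for a release artifact.

Added example (not XOWA project code). Engine names and verdict strings
below are constructed sample data modeled on the scan reports linked in
this thread; the regex and the ratio threshold are assumptions.
"""
import hashlib
import re

# Signature-name fragments that indicate a heuristic or "potentially
# unwanted" classification rather than a match on a known malware family.
GENERIC_PATTERNS = re.compile(
    r"(^|[./:\-])(heur|generic|pua|packed|packer|suspicious)($|[./:\-\[])",
    re.IGNORECASE,
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the artifact bytes, for comparison with the hash in a
    scanner report URL or the hash the developer publishes."""
    return hashlib.sha256(data).hexdigest()


def is_generic(signature: str) -> bool:
    """True when the signature name is heuristic/PUA-style."""
    return bool(GENERIC_PATTERNS.search(signature))


def triage(verdicts: dict, max_ratio: float = 0.1) -> dict:
    """verdicts maps engine name -> signature string, or None if clean.

    Rule (assumption, not a vendor policy): when at most max_ratio of the
    engines fire and every hit is heuristic/PUA, the file is a likely
    false positive to report to those vendors; a specific family name
    from even one engine is escalated to manual review.
    """
    engines = len(verdicts)
    hits = {e: s for e, s in verdicts.items() if s}
    generic = {e: s for e, s in hits.items() if is_generic(s)}
    specific = {e: s for e, s in hits.items() if not is_generic(s)}
    ratio = len(hits) / engines if engines else 0.0
    if not hits:
        verdict = "clean"
    elif specific:
        verdict = "review"
    elif ratio <= max_ratio:
        verdict = "likely-false-positive"
    else:
        verdict = "review"
    return {
        "engines": engines,
        "detections": len(hits),
        "ratio": round(ratio, 3),
        "generic": generic,
        "specific": specific,
        "verdict": verdict,
    }


# Constructed sample data: 18 engines that reported nothing, plus the
# hits seen in the thread. The ClamAV signature name is invented.
CLEAN_ENGINES = ["AVG", "Avast", "Avira", "BitDefender", "DrWeb", "ESET-NOD32",
                 "F-Secure", "Kaspersky", "McAfee", "Microsoft", "Panda",
                 "Sophos", "Symantec", "TrendMicro", "VIPRE", "ViRobot",
                 "nProtect", "Zoner"]

SAMPLE_XOWA32 = {e: None for e in CLEAN_ENGINES}
SAMPLE_XOWA32.update({"ByteHero": "Virus.Win32.Heur.c",
                      "ClamAV": "PUA.Packed.Generic"})

SAMPLE_XOWA64 = {e: None for e in CLEAN_ENGINES}
SAMPLE_XOWA64.update({"ByteHero": None,
                      "ClamAV": "PUA.Packed.Generic",
                      "Antiy-AVL": "Trojan/Win32.Zbot[SPY]"})

if __name__ == "__main__":
    for name, sample in (("xowa.exe", SAMPLE_XOWA32), ("xowa_64.exe", SAMPLE_XOWA64)):
        r = triage(sample)
        print(f"{name}: {r['detections']}/{r['engines']} engines -> {r['verdict']}")
        for eng, sig in {**r["generic"], **r["specific"]}.items():
            print(f"  {eng}: {sig} ({'generic' if eng in r['generic'] else 'specific'})")
```

With this rule the 32-bit sample comes out as a likely false positive (two heuristic/PUA hits out of twenty), while the 64-bit sample lands in "review" because Antiy names a specific family; that is a deliberately conservative choice, since a family-name hit is also what a real trojanized launcher would look like, and the only way to settle it is to compare the artifact hash with the one the developer published and to submit the file to the vendor.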
  • Anselm D

    Anselm D - 2014-12-02

    XOWA.exe (32 bit)
    File scan results from Metascan Online | Free virus scanning tool
    https://www.metascan-online.com/en/scanresult/file/76571c5ef313478fa3e85e8a467a68e7

    ByteHero 4352 ms Dec 02 2014 Virus.Win32.Heur.c Infected

    What To Do With a False Positive Detection | OPSWAT Blog
    https://www.opswat.com/blog/what-do-i-do-if-engine-detects-my-safe-file-threat

    "...
    Metascan Online automatically shares potential false positives with the anti-malware engine vendor when the detection ratio is lower than a specified threshold (unless you are using the private API or host Metascan yourself). However, if you believe any of the engines falsely detected your file as a threat, you can help the vendor improve their detection rates by submitting your file to the vendor manually using the links below:
    ...
    ByteHero - Submit false positive to support@bytehero.com.
    ..."

    xowa.exe (64 bit)
    File scan results from Metascan Online | Free virus scanning tool
    https://www.metascan-online.com/en/scanresult/file/ea2bc99aa1ca46008195fbb84a0d15fa

    Antiy 8018 ms Dec 01 2014 (1 day ago) Trojan/Win32.Zbot[SPY] Infected

    Antiy - Submit false positive to submit@antiy.com.

     

    Last edit: Anselm D 2014-12-02
  • gnosygnu

    gnosygnu - 2014-12-04

    Sorry for the late reply.

    Thanks for the links! It looks like xowa.exe and xowa_64.exe are being flagged by 1 of the anti-virus scanners. That is odd since xowa.exe is generated by jsmooth and xowa_64.exe is generated by launch-4j. Neither wrapper does anything more than wrap the jar and the icon (i.e.: there is no other logic / resource embedding)

    Sourceforge sent me a basic trouble-shooting email yesterday. Hopefully it will yield more info. I'll post more if they find anything.

     
  • Anselm D

    Anselm D - 2015-06-23

    Sometime in the future you could try whether it is better to put version/meta information into the exe file.

    Launch4j - Cross-platform Java executable wrapper
    http://launch4j.sourceforge.net/docs.html#Configuration_file

     
  • gnosygnu

    gnosygnu - 2015-06-23

    Thanks. I'll keep that in mind. However, keep in mind that the zip is being flagged, not the exe. Also, I think that Chrome is flagging XOWA because of Sourceforge. I don't get the same warning when I download the github release: https://github.com/gnosygnu/xowa/releases/download/v2.6.4.1/xowa_app_windows_64_v2.6.4.1.zip

     
  • Anselm D

    Anselm D - 2015-06-23

    That's fine, but the virus scanner flags the exe file.

    File scan results from Metascan Online | Free virus scanning tool
    https://www.metascan-online.com/en/scanresult/file/ea2bc99aa1ca46008195fbb84a0d15fa

     
  • Anselm D

    Anselm D - 2015-06-24

    Launch4j - Cross-platform Java executable wrapper
    http://launch4j.sourceforge.net/changelog.html

    Changes in version 3.7 (01-03-2015)

    Fixed false positive virus warnings that appeared in version 3.6.
    
     
  • gnosygnu

    gnosygnu - 2015-06-25

    Cool. Thanks for the link.

    I updated my launch4j now and built a new exe. This will be part of the next release.

    I've uploaded the file below. I've also run it against metascan-online and received no virus warnings: https://www.metascan-online.com/en/scanresult/file/2f9a288091e040c4a6e041f80e59eac6

    Let me know if there's anything else. Thanks again for the help!

     
