v6.5.1 is viewed as malware, while 6.5.0 wasn't #335
Comments
Virustotal claims it's clean:
Norton is unusually bad as an AV as well 🙃. AV has a tendency to mark reverse engineering tooling as malicious. You can add dnSpy as an exclusion as described here or follow this guide to solve all your Norton-related problems. There is no malware in dnSpy added in between the versions 6.5.0 and 6.5.1.
Norton is one of the worst, along with AVAST (which btw injects into processes and causes all sorts of other random problems/crashes). I had a trickle of false positive reports for my own app, even though it was digitally signed, until I was able to switch to Azure Trusted Signing (formerly Azure Code Signing). Even Defender would flag each new update for a few days, for some people. It was never a specific virus, just heuristics based on "omg it's a self extracting EXE requiring admin privilege" (yes it's an installer, duh?) or other ML nonsense. Our conclusion/opinion is that all AV other than Defender is complete garbage or legitimate scareware, and should just be uninstalled. If they're flagging random not-unsafe stuff as a virus then they're just trying to look "busy", and you can't trust that they're being serious about their job.
Thanks for the quick reactions. I believe it is safe and I know Norton can overreact.
From my experience many .NET detection rules fail to take the whole picture into account. Simple byte patterns like a few NEG NOT instructions after each other will result in a bunch of flags as crypter or loader malware. There is a high likelihood of a coincidental match.
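The coincidental-match problem raised in the comment above, shown as an added example (not code from this thread, from dnSpy, or from any AV vendor): a hypothetical raw-byte rule that flags four or more consecutive `neg`/`not` opcode bytes is compared with the same rule applied after decoding the IL stream. The opcode values 0x65 and 0x66 come from ECMA-335; the rule, the opcode subset and all sample bytes are constructed for illustration.

```python
import re

# CIL opcodes per ECMA-335: neg = 0x65, not = 0x66 (the same bytes as ASCII 'e' and 'f').
NEG, NOT = 0x65, 0x66
# Hypothetical raw-byte rule (an assumption, not a real vendor signature):
# four or more NEG/NOT bytes in a row anywhere in the file.
NAIVE_RULE = re.compile(rb"[\x65\x66]{4,}")

# Operand sizes for the small opcode subset used by the constructed samples.
OPERAND_SIZE = {0x00: 0,  # nop
                0x02: 0,  # ldarg.0
                0x20: 4,  # ldc.i4 <int32>
                0x2A: 0,  # ret
                0x61: 0,  # xor
                NEG: 0, NOT: 0}

# Constructed samples.
METADATA_NAME = b"MakeCoffee\x00"                       # a UTF-8 name in the #Strings heap
BENIGN_IL = bytes([0x02, 0x20, 0x66, 0x65, 0x65, 0x66,  # ldarg.0; ldc.i4 0x66656566
                   0x61, 0x2A])                         # xor; ret
JUNK_ARITH_IL = bytes([0x02, 0x65, 0x66, 0x65, 0x66, 0x2A])  # ldarg.0; neg; not; neg; not; ret

def naive_match(blob: bytes) -> bool:
    """Raw-byte rule: fires on any run of four or more 0x65/0x66 bytes."""
    return NAIVE_RULE.search(blob) is not None

def longest_neg_not_run(il: bytes) -> int:
    """Decode the IL stream and return the longest run of real neg/not opcodes."""
    pos = run = best = 0
    while pos < len(il):
        op = il[pos]
        if op not in OPERAND_SIZE:
            raise ValueError(f"opcode 0x{op:02x} is outside the demo subset")
        run = run + 1 if op in (NEG, NOT) else 0
        best = max(best, run)
        pos += 1 + OPERAND_SIZE[op]  # operand bytes are data, so skip them
    return best

def context_match(il: bytes, threshold: int = 4) -> bool:
    """Same threshold as the raw rule, but counted on decoded instructions only."""
    return longest_neg_not_run(il) >= threshold

if __name__ == "__main__":
    for name, blob in [("metadata name", METADATA_NAME), ("benign IL", BENIGN_IL),
                       ("junk arithmetic IL", JUNK_ARITH_IL)]:
        print(f"{name}: raw rule -> {naive_match(blob)}")
    print("decoded rule on benign IL ->", context_match(BENIGN_IL))
    print("decoded rule on junk arithmetic IL ->", context_match(JUNK_ARITH_IL))
```

The raw rule fires on all three samples, while the decoded rule fires only on the last one, because operand bytes and metadata names are never interpreted as opcodes.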
SONAR is based on heuristics and makes assumptions, you can obviously view all the dnspy code to see what it does to see if there is malware (Obviously not).
The reason for things like SONAR is because most antivirus is based on signature which can be worked around and obviously for 0day they won't be detected, so things like SONAR try to detect potentially harmful. If you have access to the source code of something you are using and can compile it yourself it is highly unlikely there will be malware because it could be obvious to anyone that sees the code
…On Thu, Jun 27, 2024, 2:26 PM Jonathan Peters ***@***.***> wrote:
From my experience many .NET detection rules fail to take the whole
picture into account. Simple byte patterns like a few NEG NOT instructions
after each other will result in a bunch of flags as crypter or loader
malware. There is a high likelihood of a coincidental match.
Closing as out of scope for dnSpy. There is nothing I can do about false positive detection by AV software. dnSpy is not malware and you can verify it by looking at the source code and if necessary manually compiling from source.
dnSpyEx version
6.5.1
Describe the Bug
I downloaded v6.5.1 but my antivirus (Norton) went berserk and claims the .dll's and .exe's are viruses.
The dnspy.exe is classified as a SONAR.Dropper. This is highly unusual and bad.
The other files are classified as WS.Reputation.1, this isn't so bad. It just means the file is recent and has few users.
I had no issues with dnspy 6.5.0.
I went through the pushes between 6.5.0 & 6.5.1 but couldn't find any obvious malware.
How To Reproduce
Expected Behavior
I expect Norton (and other antivirus programs) to be cool with dnspy or at least as cool as v6.5.0.
Actual Behavior
The dnspy.exe is classified as a SONAR.Dropper. The other files are classified as WS.Reputation.1. Everything is removed.
Additional Context
Note I downloaded v6.5.1 from https://github.com/dnSpyEx/dnSpy/releases/tag/v6.5.1 and not some shady fake site.
I used the dnSpy-net-win64.zip version for both versions. I verified v6.5.0 does not trigger antivirus.