Antivirus false alarm of oxend.exe and oxen-wallet-rpc.exe from multiple vendors #1650
Comments
|
Update: Today someone in the Session community complains about anti-virus software reports Oxen as virus. |
|
Which AV program was reporting and on which Oxen version? |
If you follow the link in the 2nd comment (https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b), you can see the Oxen version "oxen-electron-wallet-1.8.1-win.exe" The screenshot also states which AV vendor labels Oxen as a virus, let me know if you need more specific information, I don't have first hand information either, it was reported by someone in the Session community without specific AV program name, I tagged @KeeJef in the community but you might missed that. |
|
Because so many virus scanners are scanning as a false flag this one is going to be hard to resolve, ill try reaching out to some of those providers |
Thank you very much. If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach. I understand the team is busy and has its priorities. If the team's knowledge can be shared with the community, the community can apply the same knowledge and contribute more when the team is unable to free themselves from multiple tasks. |
I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well. |
Understand, thanks for sharing! I'll wait for a week and follow up next Thursday. |
|
Avast and AVG still report Oxen as a virus: Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef |
|
I'm yet to receive a reply from Avast unfortunately |
Thank you very much. Would you mind sharing a bit more knowledge? The last time you contacted Avast about the false alarm for Android sessions, how long did it take to receive a reply, and how long did it take to resolve the false alarm? |
|
I also sent a false positive report to AVG, and I received an email from support@help.avg.com a few days later. I'll |
Still haven't received anything back from them, last time i got a response within a week |
|
I received an update from Avast:
I recheck https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1 and I found both AVG and Avast updates the status to PUP (potentially unwanted program) |
|
Update: both Avast and AVG has responded again and mark the Oxen wallet as valid: AVAST
Avg
|
|
I'll contact the rest of false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors |
|
Ok great!
|
|
For the record, AVG recommends that we follow their guidelines: Cryptomining Behavior GuidelinesMobile Application Clean GuidelinesPC Application Clean Guidelineshttps://support.avast.com/en-us/article/threat-lab-clean-guideline/#pc Perhaps some of these guidelines could also be useful for Session/Lokinet as well. |
venezuela01
changed the title
from
|
|
Update: I have contacted about 20 different vendors. Previously, there were about 23 vendors marking the Oxen installer as not clean; now, there are only 8. This number goes a bit up and down as sometimes anti virus vendors change their database back and forth. 
For the remaining 10 vendors marking Oxen as not clean:
For the child files like oxen.exe and oxen-wallet-rpc.exe, there is still more work to do to convince some vendors to update their database. The last good news is that I have learned some useful experience in communicating with anti-virus vendors. Hopefully, we won't need that skill in the future, but it would be beneficial if we follow those guidelines in the future for Session releases and Lokinet releases, even if we are going to abandon Oxen. In case there is any unfortunate future false alarm for Session/Lokinet, feel free to subscribe me to a GitHub issue, and I'll be glad to volunteer to contact anti-virus vendors. |
|
Thanks for your work on this @venezuela01 🙏 |
|
Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again for once the next maintenance release is out. |
Yes, i believe we tried to remove some of this code from the wallets in a previous release? I think its worth you have a look into @venezuela01 |
I took a quick look at the code and can confirm that the RandomX code is still present in the current Oxen-core codebase. I believe this is necessary for the testnet/devnet when developers occasionally need to bootstrap the network from scratch again. (That's why I was considering disable them only for release build but keep them for debug build.) I tried a quick hack to completely remove the RandomX library dependency from Oxen-core. However, several antivirus engines from https://www.virustotal.com/ still report flags such as Conclusion: I no longer believe there is an easy way to automatically convince antivirus systems to remove the (However, the clean guidelines for the installers suggested by antivirus vendors are still valid, which is a separate topic.) |
|
Hmmmm okay, thanks for the info, fortunately this should be less of a pressing concern in the future as the Session token migration occurs |
There are Windows users reporting that their antivirus software mislabels multiple version of oxend.exe as Trojan/CoinMiner.dr
Antivirus software homepage: https://www.huorong.cn/
I guess oxen-core shares some code with Monero, and Monero was common used for coin miner viruses, as a result, Antivirus software detects similar code fingerprints from oxend.exe and misclassifies it as a coin miner virus.
I'm asking the user to upload oxend.exe to https://www.virustotal.com/gui/home/upload, will update this ticket later.
See also: oxen-io/session-android#1268
The text was updated successfully, but these errors were encountered: