Today I got the problem of anti-virus. Some of my cameyo apps are infected.
The anti-virus shows that my apps are infected. Then I uploaded them to metascan and VirusTotal, and the result is that the files are detected by so many engines (~14 engines), such as Kaspersky and F-secure, that they are infected. So it should not be only a false alarm.
So I then found the problem: the main executable: Cameyo 2.0.829 is infected. I don't know if others are getting this problem, and so I post here to see if everyone is having the problem.
Now I want to package the application in the Online Package page, but it seems not working well today. I will figure it out tomorrow.
I send my application installers to metascan and they are all clean.
Did you download Cameyo-2.0.829 from the official site? I uploaded build 829 to VirusTotal and it received a score of 1/45, which is indicative of a false positive. Results here.
Yes, recently antivirus started reporting Cameyo and Cameyo-built apps as infected, for some reason. We've already contacted Symantec and reported the false alarm, which they accepted and fixed.
We're calling for Cameyo users to please report the false alarm to their anti virus companies (and don't worry, their experts do all the work to check that this is NOT a virus but a false alarm). This is where we need you guys' help...
It seems that the problem only exists in Cameyo 2.0.829. For example, extension changer: https://www.virustotal.com/en/file/d333d779c551c11178e04eb05ea99c0fb8d67bb194bd5a9db1219fa58e58783d/analysis/1365187119/ but the installer is not having any problem: https://www.virustotal.com/en/file/0c3ed2171a70394a186fc2a18be050d9caecbbd38b514a9a2bd0d45b55a3b33d/analysis/1365768784/ I will package it again to see if there will be a problem. But there are no problems in other packages.
By the way, the online package seems not to be working. After the packaging succeeds and I click the download link, it links to a blank page and no file can be downloaded. Is there some problem? link here: http://online.cameyo.com/submitted.aspx?reqId=635013652372778349
the blank site: http://online.cameyo.com/packager.aspx?op=Retrieve&pkgId=635013653448448110
Here are virustotal results for Extension Changer installer. At 1/46, we can assume it's a false positive. I built with Cameyo-2.0.832 like yours; it can be downloaded here, and these are virustotal results. At 1/46, again I think we can assume it's a false positive.
Here are virustotal results for RobotProg installer. At 4/47, I would like to give the benefit of the doubt and think that the four flags are overzealous. I built with Cameyo-2.0.829 like yours; it can be downloaded here and these are virustotal results. At 2/46, I think it is probably okay.
Downloads of your packages of Extension Changer and RobotProg gave different virustotal results (20/46 for Extension Changer and 8/46 for RobotProg), which makes me think the machine in which the packages were built was possibly already infected.
Sorry, but here is still a problem: these are my packages that have been made recently. Today my AVG anti-virus told me to remove all the applications. But after I uploaded them to VirusTotal, the result is that only AVG said that the packages are infected. Example here:
1. Greenshot 1.1.1.2550RC1: https://www.virustotal.com/en/file/a49209e4427aeb0d8cd73d8e2eb9c6b0cf295eaf165150a8961faf568349e984/analysis/1366629793/
2. A Note: https://www.virustotal.com/en/file/84bf231ed7b6d1315f57b9670143f45374aa920d5673f292abe570e0cb8db617/analysis/1366630070/
3. I even uploaded my Cameyo 2.0.873: https://www.virustotal.com/en/file/e7db62003dc3276904abfd066d2886656f6ab3a755f5864367c580ad2d668991/analysis/1366630236/ Do I get the right one? I remember that I downloaded the package at the official site. Is its SHA256 code e7db62003dc3276904abfd066d2886656f6ab3a755f5864367c580ad2d668991?
4. Even VirusTotal uploader https://www.virustotal.com/en/file/76e7f41c5248d2bd87dbc1961e2bc7dbd12a7cab3628d4c97e99e257e038667b/analysis/1366630463/
Does anyone have a package that AVG will treat it as virus? Please post the result here. Thanks.
Yes, the SHA256 for your Cameyo-2.0.873 matches the official build. This is an example of a false positive that Cameyoco mentioned in the third post and asked for users' help in reporting these to the anti-virus companies that label Cameyo and Cameyo packages as infected. As he said, the anti-virus companies will do a thorough check, so you don't have to worry that a report will allow a truly infected file to be marked clean, nor do you have to worry that the anti-virus companies will make you do a lot of work for reporting false positives.
The issue came up on a computer running Avast Free Antivirus. I contacted their technical support people and here's what they had to say about it:
Hello,
Thank you for contacting AVAST Software company with your concerns.
Files are encrypted and unfortunately they use similar code as other viral samples. Best recommended is put those in exclusions.
Miroslav Jenšík AVAST Software a.s.
And here's my reply:
Hi,
I'd like to once again draw your attention to the fact that I have no administrator privileges on my PC. Therefore, adding the file to the exclusion list is not an option since my AV settings are password-protected. You had the chance to see that the file isn't infected with any malware and poses no danger whatsoever. The reason why Avast identifies it as a threat is because it fails to scan the encrypted sections of the code, not because the code resembles malware. Here, take a look at what other major AV brands, such as Kaspersky, McAfee, NOD, and DrWeb, had to say about this:
Don't be too frustrated... Last time I reported the issue to AVG. I am using AVG Anti-Virus Free 2013 and I am sick of the issue. It is very annoying. Worse still, nobody replies to me. Even Avast! is better. But I still don't know if it is the problem of Ghost Capture (or the traditional mode). I found it very stable if I package my application by Online Packager. You may try it, but don't be too confident in that. I think it is time for the Cameyo manufacturer to contact the anti-virus company...
I packaged Torch, deleted the Installer and Profile directories so that it would be small enough to fit within virustotal's size limit, and received these results. My package can be downloaded here.
Hmm... Interesting... I don't even know what to say... I re-submitted the file but virustotal came up with the same results:
perhaps your package captured activity that resulted in encrypted files being contained therein
No chance. I captured both snapshots on a pristine clean copy of w7 installed within Virtualbox. So no encrypted files could have ended up inside the packaged app. My guess is, there are no 'encrypted files' but for the ones inside the Avast people's heads. They can't be bothered 'cause it'll take messing around with the virus definitions, which none of them wants.
Maybe my virustotal results differ from yours because the antivirus updates may have been slightly later.
That's a possibility.
-- Edited by chupacabras on Wednesday 15th of May 2013 02:01:48 PM
Chupacabras, thank you for taking the time to report to Avast. And for responding when Avast replied. And for trying to educate Avast.
I'm curious about the encryption that Avast mentioned because Cameyo does not encrypt files. Would you do me a favor and have virustotal scan your package again?
I packaged Torch, deleted the Installer and Profile directories so that it would be small enough to fit within virustotal's size limit, and received these results. My package can be downloaded here.
Maybe my virustotal results differ from yours because the antivirus updates may have been slightly later. If you have virustotal scan your package again and receive similar results to what you did the first time, perhaps your package captured activity that resulted in encrypted files being contained therein. If that's the case, I would be interested in seeing your package to see what files your package has that mine does not have.
My loader's SHA1 code is 21d435110b43be297c96e5e3b266a12fd1d89ef4. I changed the loader of some of my applications. I chose ScreenSharp as an example. Before changing, the result is here (20)
https://www.virustotal.com/en/file/230c754f3dc382cabbd85389333d23fc46c3095268e933254df30c9305a7eb0d/analysis/1368703324/, which is considered a false alarm, although I am using AVG now...
However, the package cannot be started after I change the loader.
Here is my package:
http://www.mediafire.com/?vf4r5iiacvkzzfl
And it will really be a disaster if I have to change the loader of all of my applications. I will figure it out later...
-- Edited by tony200910041 on Thursday 16th of May 2013 04:36:15 AM
Chupacabras, thank you for uploading your package. I checked it out and your Cameyo Loader.exe is different from mine. Changing the Loader of your package to the Loader of my Cameyo, I received different results from virustotal.
Would you mind uploading your Loader.exe? The default location is %AppData%\VOS\Cameyo\%Program Files%\Cameyo\.
Trying to download your package resulted in the download session being aborted for security reasons ))) I got a red-hot pop-up alert from Avast notifying me that the file is infected with a trojan. So, I don't think changing a loader would make much of a difference in my case....
I think it's the compression algorithm used by Cameyo that causes all output packages to be falsely identified as malware.
-- Edited by chupacabras on Friday 17th of May 2013 03:42:58 AM
Tony200910041, the SHA1 of your loader matches mine. Would you please upload these two things?
1. The original Loader.exe with which ScreenSharp was built, i.e. the one that caused the virustotal result of 20
2. The original ScreenSharp package so that I can try to see why changing the Loader resulted in a package that won't launch
Oh no. Today I am experiencing another issue. Cameyo crashed when starting up. My computer seems to be having some problems. My .NET Framework update failed, and I have tried to download the installer again. And the .NET Framework 4.0 installer cannot start on my computer. I don't know why. Maybe I will figure it out later. The process stopped automatically about 2 seconds after I double-clicked the installer. At first I thought it was only a problem with the .NET Framework 4.0 installer. Somehow I didn't notice that the problem exists in other programs. About 15 minutes ago I started Cameyo to work on the portable applications. Then the startup of Cameyo failed, just like the .NET Framework installer. Probably it is because of the problem with .NET Framework. I will reinstall all the versions now...
Tony200910041, the Loader.exe you uploaded is from the current build of Cameyo (2.0.882). The one I was seeking was the one that was used to build ScreenSharp originally, which appears to have come from Cameyo-2.0.873. If it's easier to upload your Cameyo-2.0.873 instead of Loader.exe from Cameyo-2.0.873, that will work for me.
Also, how did you change the Loader to get the package that wouldn't launch? When I apply -ChangeLoader to your original package, it still launches, and yes, the virustotal results reduce substantially.
I change the loader by command line. I just create a shortcut and change the target, adding the parameter -ChangeLoader %AppData%\...\Loader.exe. I copied the local address so it won't be wrong. Here is my Cameyo 2.0.873. It was downloaded at cameyo.com. http://www.mediafire.com/?32wddbs8jq7n6ep SHA1: b6b96b21ebfb88f26ff966d7ec8c1115a8babec0
Tony, We'll still need to look at your Loader.exe, not just the Cameyo-2.0.873.exe (the Loader.exe could have been replaced / infected, for example). Any chance?
Most likely not. After I used the 2.0.882 version, the folder %APPDATA%\VOS\Cameyo has been covered. Let me use Glary Undelete to scan my C drive, but it will hardly succeed. The only thing is to wait for scanning.
Probably I made ScreenSharp by the 2.0.873 version, with the link in the earlier post.
In fact I introduced Cameyo in my blog and so I keep the last versions.
Here is the link, but I am not sure if I downloaded them in cameyo.com. Only the 2.0.882 and 2.0.873 builds are downloaded from cameyo.com.
That's all. It is better to deal with them in a virtual machine...
I am now using PortableApps.com launcher to replace Cameyo, so that I can still use my portable applications. However, Cameyo provides better virtualization and is also easier to use. Please cope with the issue. Especially as I am using AVG and I set a folder as a virus exception. The infected notice is really annoying. If more than 10 engines in VirusTotal, especially AntiVir, Kaspersky, F-Secure and McAfee, say the package is infected, I will delete it. It is only a temporary workaround.
(edited) Oh no. The Loader.exe cannot be found by either Glary Undelete or Wise Data Recovery. Sorry.
-- Edited by tony200910041 on Monday 20th of May 2013 03:22:33 AM
So, what about my case? Have you tried installing Avast on Virtualbox or VMware Workstation and running apps packaged with Cameyo? I suggest you do because that way you'll see that playing around with loaders is no solution at all. I couldn't even save the ostensibly 'clean' Torch browser made by mule due to the virus alert brought up by Avast.
Update: Hmm... I tried downloading mule's package again and it all went off without a hitch this time. But mine is still detected as a threat ((( Avast seems to be blowing cold and hot on this one...
-- Edited by chupacabras on Monday 20th of May 2013 04:03:21 AM
I am going to erupt... This video is recorded by oCam which shows my situation. After I opened Cameyo, it crashes. http://www.mediafire.com/?1q8a321l6mn9vyv At t=10s of the video, Cameyo started and then crashed. Only the welcome screen appeared for a second. Please help.
-- Edited by tony200910041 on Tuesday 21st of May 2013 06:33:40 AM
Sorry, but today the situation is deteriorating. After a Windows update of .NET Framework 1.0, Cameyo failed to start. The welcome screen appears for about 1 second, and then it crashes. Now I think it is time for me to stop working on portable applications and fix my computer, at least turn off the Windows update.
By the way, the Loader.exe cannot be found. Better to extract it from those Cameyo packages.
(update) And I also finished fixing the issue. I uninstalled all .NET Framework versions and then installed them again. Cameyo starts now.
However, I really think that it is better to package an application by Online Packager. It is more stable and the result is better -- the package won't be treated as infected. Let's try it.
-- Edited by tony200910041 on Tuesday 21st of May 2013 08:38:43 PM
Cameyoco is still very interested to see your Loader.exe that was used to build Torch. Your package had a section in it that was completely different from the way Cameyo packages apps.
This is unrelated to Avast's occasional false positives. When I uploaded my package of Torch, Avast okayed it. The next day Avast marked it as infected. I reported it to Avast, and the next day, Avast okayed it again. That explains why when you tried to download it the first time, Avast didn't permit it; however, when you tried again, Avast allowed it.
Please upload your Loader.exe for cameyoco to examine.
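The hash comparisons made in this thread (a SHA256 for the Cameyo download, a SHA1 for Loader.exe) can be scripted so that several loader copies are checked against one known-good digest. This is an added example, not code from Cameyo or from any poster; the function names and the sample files are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm, covering the two kinds quoted in the thread.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_reference(reference):
    """Clean up a pasted digest and infer its algorithm from its length."""
    ref = "".join(reference.split()).lower()
    if len(ref) not in ALGO_BY_HEX_LEN or any(c not in "0123456789abcdef" for c in ref):
        raise ValueError("not a SHA-1 or SHA-256 hex digest")
    return ALGO_BY_HEX_LEN[len(ref)], ref


def digest_file(path, algo):
    """Hash a file in 1 MiB chunks so large packages are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_against_reference(paths, reference):
    """Return {path: (matches, actual_digest)} for each candidate file."""
    algo, ref = normalize_reference(reference)
    digests = {path: digest_file(path, algo) for path in paths}
    return {p: (hmac.compare_digest(d, ref), d) for p, d in digests.items()}


def demo():
    """Constructed sample: two stand-in 'loader' files, one altered by a single byte."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "Loader_reference.exe")
        other = os.path.join(tmp, "Loader_from_package.exe")
        payload = b"MZ" + b"constructed sample bytes, not a real loader" * 64
        for path, data in ((good, payload), (other, payload + b"\x00")):
            with open(path, "wb") as fh:
                fh.write(data)
        # Reference pasted in upper case with stray spaces, as often happens.
        reference = "  " + hashlib.sha1(payload).hexdigest().upper() + " "
        report = check_against_reference([good, other], reference)
        return report[good][0], report[other][0]


if __name__ == "__main__":
    print(demo())
```

A matching digest only shows the file is byte-identical to the reference copy; the reference itself has to come from a source you trust.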