Latest Picard version malicious?

#1

Hello.

I usually just quickly run executables through a virustotal scan, but this time I also gave hybrid-analysis a go, and it turns out that the latest download version, the 2.1.3 for Windows, comes up as malicious.

Are all these false positives?

https://www.hybrid-analysis.com/sample/31ae62b6adbdc9e1278c12f12b5f37367693f4a59861a8244d722ab732fb4755

Thanks.

0 Likes

#2

Which of these functions seem to be malicious to you?

Virustotal.com has only 2 of 63 scanners which complain. At least 26 people call it OK.

I would say: False positive :wink:

3 Likes

#3

Yes, that’s a false positive. For the installer we use a software called NSIS, which is widely used. And looking at that strange report most of this seems to be based on what the installer does.

We have changed a few things in the installer, maybe this just raised the threshold since more of the heuristics now find something. E.g. we fixed detection of a running Picard instance (might trigger “Application Window discovery”), enabled uninstall of older versions (might trigger things like “Query Registry”, “File deletion” and “File and Directory Discovery”) and checking if the install folder is “Program Files (x86)” (again “File and Directory Discovery”).

IMHO marking this as malware based on the reported characteristics is mostly nonsense, because if an installer needs to do its job it needs to do all these things. I just wonder how they get the idea of “Email Collection”?

5 Likes

#4

Probably because previous versions did not trigger anything, so that’s why I became a bit cautious.

Thank you very much for your help!

0 Likes

#5

You can click on the 3 coloured indicator buttons or the blue “View all details” button
(on the original site of course, not in this picture :wink:)

Then you get this:

[screenshot not included]

and

[screenshot: PicardScan #3]

I have no idea why the pattern match “1@eon1.j” should be a potential E-Mail address and why this should be suspicious.

The only not that obvious “finding” is this

[screenshot: PicardScan #5]

Again: I have no idea why this string should be an indicator for VNC and if or how this is used in Picard.

3 Likes
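To show why a pattern match like “1@eon1.j” ends up reported as a potential e-mail address, here is an added example (not from this thread or the Picard project): it pulls printable runs out of a constructed byte blob the way a sandbox string scanner does, flags anything matching a loose e-mail regex, and then re-checks each hit against a stricter pattern that requires a plausible top-level domain. The sample blob, both regexes and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample of bytes as they might sit inside a packed installer:
# mostly non-printable data with a few short printable runs (not from Picard).
SAMPLE_BLOB = (
    b"\x00\x13\x8a\xff" + b"1@eon1.j" + b"\x02\x9c"
    + b"support@example.org" + b"\x00\x00\x7f" + b"NSIS" + b"\xee"
)

MIN_RUN = 4  # minimum printable run length, same default as the `strings` tool


def extract_strings(blob, min_run=MIN_RUN):
    """Return printable ASCII runs of at least min_run characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_run
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Loose pattern of the kind a string-scanning heuristic may use: any '@'
# followed by something containing a dot counts as an e-mail address.
LOOSE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z0-9]+")

# Stricter check: sane domain labels and a TLD of at least two letters.
STRICT_EMAIL = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$"
)


def find_email_like(blob):
    """Split string hits into heuristic-only matches and plausible addresses."""
    out = {"loose": [], "strict": []}
    for s in extract_strings(blob):
        for hit in LOOSE_EMAIL.findall(s):
            if STRICT_EMAIL.match(hit):
                out["strict"].append(hit)
            else:
                out["loose"].append(hit)  # e.g. "1@eon1.j": noise from binary data
    return out


if __name__ == "__main__":
    hits = find_email_like(SAMPLE_BLOB)
    print("printable runs:", extract_strings(SAMPLE_BLOB))
    print("heuristic-only hits (likely noise):", hits["loose"])
    print("plausible addresses:", hits["strict"])
```

The loose pattern is what produces the “Email Collection” style finding; the strict re-check is the kind of triage step that separates that noise from an address worth looking at.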