2.0.112 installer contains WisdomEyes trojan (false positive Baidu?)

Baidu is reporting that the installer contains the “Win32.Trojan.WisdomEyes.16070401.950” malware and I hadn’t seen it mentioned here yet:

https://www.virustotal.com/#/file/ba9f98d20de6b94a9e6db7ab4548bf780d42e28e52192114db1bf840ef2bc035/detection

I’m evaluating similar software products and this is the first that I’ve run into one of them having a suspect installer. A cursory search of the forums here shows that this has happened surprisingly often with GlassWire.

Assuming these are all indeed false positives, can someone with the company please clarify why GlassWire is seemingly so prone to being flagged as malware?

@thane

In the previous companies I worked for it was always part of our QA process to check our installer/software with VirusTotal, and we’d almost always have at least one or two flags. I’d then contact the companies who flagged us and let them know about the false positives. I don’t think GlassWire is more prone to get flagged than anyone else.

GlassWire actually has VirusTotal built into it in its settings and I have noticed lately that some new engines they have added seem to flag things more often. I haven’t done any scientific testing of this so I could be wrong, but it just feels that way.

If you’re asking why Symantec or other billion dollar antivirus companies get flagged less than us, then it’s probably because they have relationships with the other antivirus companies, or the other companies choose not to flag them because of who they are, maybe? Just guessing.

We will work harder to get on more white lists, thanks for your feedback.

Thanks for the quick reply. I did not realize that VirusTotal was integrated into GlassWire.

In any case, I’m testing on new, isolated environments. A scan performed on the files installed unfortunately yielded some additional flags (specifically the additional flag of TScope.Malware-Cryptor.SB in the GWUnlock.exe and/or GlassWire.exe executables).

https://www.virustotal.com/#/file/c49e1d71ff94132b86f4d216abb14efc940b70ce3eb078d2a0ce0e9bf4e1da66/detection

For now, I am manually confirming that the systems don’t contain these malware as best I can and based on the info I can find about all the known variants. I’d be lying though if I said that this didn’t make me suspect and hesitant – disappointing considering how well done and awesome Glasswire otherwise appears to be.

@thane

Why is the file you submitted to VirusTotal a .zip file? We don’t offer GlassWire in a .zip format…

I’d love to submit our files to Baidu to get the false positive fixed but their submission system will not accept our installer because it’s too large.

http://antivirus.baidu.com/en/submit-file.php

For the VBA32 report, I could not recreate this with our installer and I could find no way to submit a false positive to them. Then when I went to their website I found it had not been updated since 2012…

It was not a scan of the installer. I mentioned above that I performed “a scan of the files installed.” Specifically, I zipped up the GlassWire folder after install and scanned that.

I realize that the topic of this thread is related to the installer, so I probably should have posted that elsewhere. Apologies.

Also, I went to the VBA32 site and the News hasn’t been updated since then. But if you look at their downloads and FTP site, they have updates as new as February 7th, 2018 with Windows 10 mentioned (not that VirusTotal is using those, but worth mentioning that it has been updated since 2012).

As an aside, I did not add the “(false positive Baidu)” to the subject line on this thread.

So far I have not found any indication that it does contain it, but in my opinion it is still to be determined whether it does or not.

There have been far too many malware distributions via software installers in the last few years (mostly accidental due to server compromise) to assume any download is safe just because someone says it is. Everyone should investigate themselves and always assume NOT safe.

Edit: I added a question-mark to the title

@thane

Please give us details of the viruses GlassWire supposedly has and submit them to our Bug Bounty program. https://hackerone.com/glasswire

We’ll then gladly pay you $10,000 as a minimum if it’s true and GlassWire contains the “WisdomEyes” trojan, or any other trojan or malware.

Apologies for not being clear enough – I was not implying that the software has malware purposefully embedded in it. I was merely referring to the truth that there have been “Supply Chain Attacks” for software applications in the past.

If you had asked any of these organizations about their software at the time, they too would have equally and truthfully stated (as you have) that their applications did not contain malware. That doesn’t preclude the fact that they actually were compromised after published on the servers used to distribute the software.

I merely posted as a courtesy to let you guys know about the potential false positive(s) of both the installer and application post-install, and asked for clarification as to why it might be happening.

If I do find anything while evaluating the software, I’ll definitely pass the word – no payment necessary. Thanks for your time.

Edit: My original subject was worded a little too accusatory and didn’t match the content of my post, but I didn’t intend it to be. Hopefully the thread clarifies.

Our bug bounty does not care if a Trojan or malware is in our software on purpose or accidentally. We pay out either way.

If you’re talking about the CCleaner attack, details can be found here https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/. We are not related to CCleaner in any way at all, and their software has never been included with ours.

We agree that type of attack is scary and most companies now take extra precautions to avoid it. Of course nothing is perfect so that’s why we offer a bug bounty program so people can catch things we miss.

However, in your case we are sure it’s a false positive with VirusTotal.

Also, if you search for Baidu and WisdomEyes online you’ll find a lot of different false positives, for example this link https://www.bleepingcomputer.com/forums/t/671702/win32trojanwisdomeyes/ where the Windows audiosrv.dll file is also seen as WisdomEyes. In fact, you can probably scan that Windows file on your own PC and you’ll find the same.

Here is a link that explains how VirusTotal expects their service to be used https://support.virustotal.com/hc/en-us/articles/115002094589-Why-do-not-you-include-statistics-comparing-antivirus-performance-

You can download HashTab here: http://implbits.com/products/hashtab/
Install it (it is free of viruses :) ). Right-click the GlassWire exe, choose Properties, and you will find a tab called HashTab in the window that opens.

Post the hash of the file so we can see if you have the same exe as me.

If a virus changed the exe of a piece of software, it would have a different hash.

@Duque

Checking hashes is now built into PowerShell also.

Click “Start” in Windows and search for the “PowerShell” and launch it.

Get-FileHash -Path c:\downloads\something.exe -Algorithm SHA512 | fl

*Replace the path with your actual file location on your OS. *Replace “SHA512” with SHA1, SHA384, SHA512, MD5 or RIPEMD160 if you want a different algorithm.

Details are available from Microsoft here https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Utility/Get-FileHash?view=powershell-5.1.
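As an added example (not code from the thread, from GlassWire, or from either poster), here is the hash check above carried one step further: it compares the installer’s SHA256 against a vendor-published value, hashes every executable in the installed folder individually instead of zipping the whole folder (a zip archive has its own hash, which is why a scan of the zip earlier in the thread could not be compared with the installer report), and builds the VirusTotal per-file URL in the same form used in this thread. It also goes slightly beyond the thread by checking the Authenticode signature with Get-AuthenticodeSignature, since a matching hash only proves the file is the one you compared it against. The paths and the expected hash are placeholders you must replace.

```powershell
# Added example, not from the thread or from GlassWire.
# Assumed placeholders: adjust the three values below for your own download.
$Installer      = "C:\Downloads\GlassWireSetup.exe"        # assumed path
$ExpectedSha256 = "<sha256 published by the vendor>"       # placeholder, replace
$InstallDir     = "C:\Program Files (x86)\GlassWire"       # assumed install folder

function Get-Sha256Hex {
    param([Parameter(Mandatory)][string]$Path)
    # Lower-case so the value can be pasted straight into a URL
    (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
}

function Get-VirusTotalUrl {
    param([Parameter(Mandatory)][string]$Sha256)
    # Same per-file URL form that the VirusTotal links in this thread use
    "https://www.virustotal.com/#/file/$Sha256/detection"
}

function Test-InstallerHash {
    param([string]$Path, [string]$Expected)
    $actual = Get-Sha256Hex -Path $Path
    # -eq is case-insensitive for strings in PowerShell
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = $Path
        Sha256     = $actual
        Matches    = ($actual -eq $Expected)
        Signature  = $sig.Status            # Valid / NotSigned / HashMismatch / ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        VirusTotal = Get-VirusTotalUrl -Sha256 $actual
    }
}

function Get-InstalledFileHashes {
    param([string]$Dir)
    # Hash each binary on its own. Zipping the folder and scanning the archive
    # gives you the archive's hash, which matches nothing published for the files.
    Get-ChildItem -Path $Dir -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            $h = Get-Sha256Hex -Path $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Sha256     = $h
                Signature  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                VirusTotal = Get-VirusTotalUrl -Sha256 $h
            }
        }
}

$result = Test-InstallerHash -Path $Installer -Expected $ExpectedSha256
$result | Format-List
if (-not $result.Matches) {
    Write-Warning "Installer SHA256 does not match the published value; do not run it."
}
if ($result.Signature -ne 'Valid') {
    Write-Warning "Installer Authenticode signature status is '$($result.Signature)'."
}

Get-InstalledFileHashes -Dir $InstallDir | Format-Table -AutoSize
```

Run it as a .ps1 after replacing the placeholders. A hash that does not match the vendor’s published value, or a signature status other than Valid, is the point at which to stop and ask the vendor, regardless of what any single antivirus engine reports.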