Octave 7.1.0 w64 - virustotal results

As mentioned at the last dev mtg, we added ‘windows viruscan via virustotal’ to the release process to try to avoid surprises. However, simply uploading the full zip/installation file is problematic, as most scanners time out on something that large. So that didn’t get done before the 7.1.0 release.

Figuring they were the most likely to be mistaken by scanners, I pulled out all DLLs and EXEs from the octave-7.1.0-w64.zip package, split them into manageable-sized groups (~30MB), and individually uploaded those to VirusTotal. All DLLs passed, but a bunch of EXEs were flagged. VirusTotal links below.

Selecting ‘relations’ on any of those gives a list of individual files in the zips and links to individual file reports (links included with filenames below). I went through these and submitted false positive/whitelist requests where I could. McAfee flagged two, Cylance flagged two, and a couple of other small ones flagged a couple, and after the requests they are already showing up as clear. A few others (SecureAge, Cynet) I got better contact pages/emails for and they responded immediately, but results are still pending. Of the remaining ones, AhnLab has never provided a useful response to their submittal address, and MaxSecure is, well, known to be problematic. They only have a form to give them a verbal description of the problem and a link to the software; internet forum anecdotes seem to indicate they rarely reply, and reported false positives can sit for years. I have provided details, however. appears to have responded and whitelisted everything they were flagging.

At least the major vendors are coming up clear.

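The split-and-upload step described above (pull the .exe/.dll members out of the release zip, pack them into ~30MB groups, submit each group separately) as an added example; this is not Octave’s release tooling, and the sample zip it builds is constructed stand-in data, not the real package. It also records each file’s SHA-256 so a file that was already scanned can be looked up on VirusTotal by hash instead of being uploaded again.

```python
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path

MAX_GROUP_BYTES = 30 * 1024 * 1024  # ~30 MB per upload, the size the post found workable

def collect_binaries(release_zip):
    """Return [(member name, bytes)] for every .exe/.dll in a release zip (path or file object)."""
    with zipfile.ZipFile(release_zip) as zf:
        return [(i.filename, zf.read(i)) for i in zf.infolist()
                if not i.is_dir() and Path(i.filename).suffix.lower() in (".exe", ".dll")]

def group_by_size(files, limit=MAX_GROUP_BYTES):
    """Next-fit-decreasing packing; a file larger than the limit gets a group of its own."""
    groups, current, size = [], [], 0
    for name, data in sorted(files, key=lambda f: len(f[1]), reverse=True):
        if current and size + len(data) > limit:  # next file would overflow: close this group
            groups.append(current)
            current, size = [], 0
        current.append((name, data))
        size += len(data)
    return groups + [current] if current else groups

def write_groups(groups, out_dir, prefix="octave-bins"):
    """Write one zip per group; return {zip path: {file name: sha256}} for by-hash lookups."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    manifest = {}
    for n, group in enumerate(groups, 1):
        path = Path(out_dir) / f"{prefix}-{n:02d}.zip"
        with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in group:
                zf.writestr(Path(name).name, data)  # flatten paths: keep only the file name
        manifest[str(path)] = {Path(m).name: hashlib.sha256(d).hexdigest() for m, d in group}
    return manifest

def make_sample_zip():
    """Constructed stand-in for octave-7.1.0-w64.zip: tiny fake members, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in [("bin/gnuplot_qt.exe", b"M" * 20), ("bin/fake.dll", b"D" * 15),
                           ("bin/ar.exe", b"A" * 10), ("share/README.txt", b"not a binary")]:
            zf.writestr(name, data)
    return buf

def demo(limit=30, out_dir=None):  # a 30-byte limit stands in for the real 30 MB one
    groups = group_by_size(collect_binaries(make_sample_zip()), limit)
    return write_groups(groups, out_dir or tempfile.mkdtemp())
```

Point `collect_binaries` at the real octave-7.1.0-w64.zip and drop the `limit` override to get upload-ready groups of roughly the size used in the post.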

I decided to go run some of these files at hybrid-analysis.com, which should provide more insight into why they’re deemed ‘suspicious’. Here are some ‘suspicious indicators’ that might be triggering some scanners (report links embedded):

gspawn-win64-helper.exe: Suspicious Indicators (hybrid-analysis report)
gnuplot_qt.exe: Suspicious Indicators (hybrid-analysis report)
ar.exe: Suspicious Indicators (hybrid-analysis report)

Looking at some before/after comparisons, here are some side-by-sides of files that were flagged vs. the 6.4.0 versions, which have always come up clean:

dbus-run-session.exe, Octave 7.0.90, flagged as malicious
dbus-run-session.exe, Octave 6.4.0, scans clean

ar.exe, 7.1.0, initially flagged by MaxSecure
ar.exe, 6.4.0, scans clean

gnuplot_qt.exe 7.1.0, flagged by SecureAge
gnuplot_qt.exe 6.4.0, scans clean

cmake.exe, 7.1.0, initially flagged by McAfee
cmake.exe, 6.4.0, scans clean

I don’t know if there’s anything in any of those reports that would tell us what changed that became concerning to malware scanners.