ExifTool Forum

ExifTool => Newbies => Topic started by: john29516 on May 11, 2019, 07:08:03 PM

Title: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: john29516 on May 11, 2019, 07:08:03 PM
VirusTotal reports that "exiftool-11.41" has the ad spyware called "HW32.Packed".

"HW32.Packed.86D1 modifies system files, add’s new folders, creates Windows tasks and shows advertisements on your computer and browser."

Please clarify if it has this.

Thank you for your help.
Title: Re: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: Phil Harvey on May 11, 2019, 10:38:57 PM
I got a clean result. (https://www.virustotal.com/gui/url/cec60fa7f0d837e13829adefaad4949f6214afa3cfd14e5959333a812c4cb59d/detection)

BTW, The VIrusTotal web site runs ExifTool to extract metadata from the files it analyzes. ;)
Title: Re: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: john29516 on May 12, 2019, 12:06:21 AM
Apparently, we have different results.

This is the VirusTotal report I received
https://www.virustotal.com/#/file/24eb2ece32535759959cc1b9ac452f89a49e9e28355b8d9a5f875ac6de903213/detection (https://www.virustotal.com/#/file/24eb2ece32535759959cc1b9ac452f89a49e9e28355b8d9a5f875ac6de903213/detection)

I downloaded "exiftool-11.41.zip" from
https://exiftool.org/ (https://exiftool.org/)
https://exiftool.org/exiftool-11.41.zip (https://exiftool.org/exiftool-11.41.zip)

Unclear why we differ.
Title: Re: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: StarGeek on May 12, 2019, 01:45:08 PM
The difference is between uploading the file and passing the url of the zip file.  The uploaded zip file appears to run different set of tests.

That said, one checker out of 65 flags it, 1.5% of the total number checkers.  I would consider that a false positive. 
Title: Re: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: Phil Harvey on May 12, 2019, 09:33:33 PM
We have definitely seen false positives before.  Virus checkers don't tend to like exiftool.exe because it unpacks an executable into a temporary directory and runs from there.

- Phil
Title: Re: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus
Post by: john29516 on May 13, 2019, 12:36:56 AM
Phil - Thank you for the clarification.

Perhaps, on the ExifTool FAQ, you might want to mention that you have no ad code like OpenCandy, "HW32.Packed", or any other nasty "got you". I am amazed how often nowadays legitimate developers add such stuff to their code so I usually ask them when VirusTotal flags something.

Thank you for developing this useful tool.