VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus

Started by john29516, May 11, 2019, 07:08:03 PM


john29516

VirusTotal reports that "exiftool-11.41" has the ad spyware called "HW32.Packed".

"HW32.Packed.86D1 modifies system files, adds new folders, creates Windows tasks and shows advertisements on your computer and browser."

Please clarify if it has this.

Thank you for your help.

Phil Harvey

I got a clean result.

BTW, the VirusTotal web site runs ExifTool to extract metadata from the files it analyzes. ;)


StarGeek

The difference is between uploading the file and passing the url of the zip file.  The uploaded zip file appears to run different set of tests.

That said, one checker out of 65 flags it, 1.5% of the total number of checkers.  I would consider that a false positive.

* Did you read FAQ #3 and use the command listed there?
* Please use the Code button for exiftool code/output.
* Please include your OS, Exiftool version, and type of file you're processing (MP4, JPG, etc).

Phil Harvey

We have definitely seen false positives before.  Virus checkers don't tend to like exiftool.exe because it unpacks an executable into a temporary directory and runs from there.

- Phil

john29516

Phil - Thank you for the clarification.

Perhaps, on the ExifTool FAQ, you might want to mention that you have no ad code like OpenCandy, "HW32.Packed", or any other nasty "got you". I am amazed how often nowadays legitimate developers add such stuff to their code so I usually ask them when VirusTotal flags something.

Thank you for developing this useful tool.