Author Topic: VirusTotal Reports "exiftool-11.41" Has "HW32.Packed" Virus  (Read 998 times)

john29516

VirusTotal reports that "exiftool-11.41" has the ad spyware called "HW32.Packed".

"HW32.Packed.86D1 modifies system files, adds new folders, creates Windows tasks and shows advertisements on your computer and browser."

Please clarify if it has this.

Thank you for your help.

Phil Harvey

« Reply #1 on: May 11, 2019, 10:38:57 PM »
I got a clean result.

BTW, the VirusTotal web site runs ExifTool to extract metadata from the files it analyzes. ;)

john29516

« Reply #2 on: May 12, 2019, 12:06:21 AM »
Apparently, we have different results.

This is the VirusTotal report I received
https://www.virustotal.com/#/file/24eb2ece32535759959cc1b9ac452f89a49e9e28355b8d9a5f875ac6de903213/detection

I downloaded "exiftool-11.41.zip" from
https://exiftool.org/
https://exiftool.org/exiftool-11.41.zip

Unclear why we differ.

StarGeek

« Reply #3 on: May 12, 2019, 01:45:08 PM »
The difference is between uploading the file and passing the URL of the zip file.  The uploaded zip file appears to run a different set of tests.

That said, one checker out of 65 flags it, 1.5% of the total number of checkers.  I would consider that a false positive.

Phil Harvey

« Reply #4 on: May 12, 2019, 09:33:33 PM »
We have definitely seen false positives before.  Virus checkers don't tend to like exiftool.exe because it unpacks an executable into a temporary directory and runs from there.

- Phil

john29516

« Reply #5 on: May 13, 2019, 12:36:56 AM »
Phil - Thank you for the clarification.

Perhaps, on the ExifTool FAQ, you might want to mention that you have no ad code like OpenCandy, "HW32.Packed", or any other nasty "got you". I am amazed how often nowadays legitimate developers add such stuff to their code so I usually ask them when VirusTotal flags something.

Thank you for developing this useful tool.