Plugins being detected as virus #4

Open
NarrikSynthfox opened this issue Oct 14, 2023 · 14 comments

@NarrikSynthfox

V0.6, all .dlls, .exe, and .vst3 are being detected as malware.
I'd like to assume false positives, but removing the plugins just to be safe for now.

@brummer10
Owner

Hi
I've no idea how that could be. The source code is developed on a Linux machine and the compilation is done on the GitHub service here: https://github.com/brummer10/ToneTwistPlugs/actions/runs/6441148560/job/17490691227

@brummer10
Owner

I ran them now through https://www.hybrid-analysis.com/
I see the detected "malware" is
Found VM detection artifact "CPUID trick"

Well, we detect the CPU to know which de-normal protection should be enabled.
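
For context on the "CPUID trick" finding in the comment above, here is a sketch of the kind of CPU feature check an audio plugin runs before enabling denormal protection. It is an added example, not code from this thread or from ToneTwistPlugs. The function names and the use of SSE3 as the gate for DAZ are assumptions of the example; it reads only the SSE feature bits of CPUID leaf 1.

```c
#include <stdint.h>
#include <stdio.h>
#if (defined(__x86_64__) || defined(__i386__)) && defined(__SSE__)
#include <cpuid.h>     /* __get_cpuid: GCC/Clang/mingw wrapper for CPUID */
#include <xmmintrin.h> /* _mm_getcsr / _mm_setcsr access the MXCSR register */
#define HAVE_X86_SSE 1
#else
#define HAVE_X86_SSE 0
#endif

#define CPUID1_EDX_SSE  (1u << 25) /* leaf 1, EDX bit 25: SSE  */
#define CPUID1_ECX_SSE3 (1u << 0)  /* leaf 1, ECX bit 0:  SSE3 */
#define MXCSR_DAZ 0x0040u /* denormals-are-zero: treat denormal inputs as 0 */
#define MXCSR_FTZ 0x8000u /* flush-to-zero: flush denormal results to 0 */

/* Pure mapping from CPUID leaf 1 feature words to the MXCSR bits to set.
   Assumption of this sketch: FTZ needs SSE, DAZ is enabled only with SSE3. */
uint32_t denormal_bits(uint32_t edx, uint32_t ecx)
{
    uint32_t bits = 0;
    if (edx & CPUID1_EDX_SSE) {
        bits |= MXCSR_FTZ;
        if (ecx & CPUID1_ECX_SSE3)
            bits |= MXCSR_DAZ;
    }
    return bits;
}

/* Query the CPU and enable protection for the calling thread (MXCSR is
   per-thread). Returns the bits that were requested, 0 if none apply. */
uint32_t enable_denormal_protection(void)
{
#if HAVE_X86_SSE
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0; /* CPUID leaf 1 unavailable */
    uint32_t bits = denormal_bits(edx, ecx);
    if (bits)
        _mm_setcsr(_mm_getcsr() | bits);
    return bits;
#else
    return 0; /* non-x86 build: nothing to set */
#endif
}

int main(void)
{
    printf("MXCSR bits enabled: 0x%04x\n", (unsigned)enable_denormal_protection());
    return 0;
}
```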

@NarrikSynthfox
Author

Ah, well, hm. Is it something that's different between Intel and AMD CPUs, or something else? Maybe it could be possible to instead have different versions of the plugins?

@brummer10
Owner

I dug a bit deeper and talked with other developers about this issue. The point is that we use mingw to build the binaries. Now, win32 tools label anything built this way as malware.
This happens to many open source projects; here is an example:
https://community.vcvrack.com/t/download-vcv2free-false-positive-virus-detection-windows-11/14990/6

So, I'm sorry, but there is not much I could do.

@NarrikSynthfox
Author

Read somewhere that adding -O3 to the command for compiling stopped it from detecting as a virus, maybe the better optimization helps? It would be slightly slower but could fix the problem.

@brummer10
Owner

Yep, unfortunately it is already at -O3.

@NarrikSynthfox
Author

Hrm. Maybe there could be a way to contact people at the companies that made the antiviruses that detect it and report a false positive?

@brummer10
Owner

I've sent a report to VirusTotal, let's see if that helps.

@brummer10
Owner

So, the response was very quick. But see for yourself.

> Hello,
>
> VirusTotal only aggregates data from a variety of vendors. We produce no verdicts of our own and as such, we can’t modify these results. We are not intended to be an authoritative reputation engine, but rather provide intelligence and context to users so that they can make the best decision. 1/60 and even 5/60 doesn’t automatically mean “Bad”, and 0/60 doesn't always mean good. Each decision on whether something is malicious ultimately the responsibility of users or the security vendors who use the data to improve their services.

@NarrikSynthfox
Author

NarrikSynthfox commented Oct 16, 2023

That's why I was suggesting to report the false positives not to virustotal, but the companies whose antivirus programs detected something in the plugins.

@brummer10
Owner

But what should that help? The current release may be blacklisted on their detection engines, and as soon as I push a new release it is back in the report. Feels a bit like Don Quijote to move this way.
I mean, this mingw issue has a looooonnnngggg history, and if they were able to find a way to solve that, it should be done already.

@kastru

kastru commented Dec 13, 2023

Same here for the 32x version for Windows. The 64x version doesn't even download.

@brummer10
Owner

We are now at version v0.7. Older versions have been removed already. Check here:
https://github.com/brummer10/ToneTwistPlugs/releases/tag/v0.7

But still, they may be detected as malware by some virus protectors. The issue still remains. I've contacted the scan providers which analyse them as infected, but never got an answer. However, Windows Defender is fine with this new release.

@overdark33

Windows Defender detected these as malware (Wacatac) on the latest version.
