[FALSE POSITIVE NOTIFY] - Weird update on Virus Total database #236

Closed
thefrogline opened this issue Nov 22, 2023 · 11 comments
Labels: bug (Something isn't working)

thefrogline commented Nov 22, 2023

Hi, I’ve been using XSeries for a long time and I have no doubt that it’s very good and also safe, as it’s even open source. However, I work on plugin commissions, and I’ve been using XSeries for a year now, but just this week several people have been unable to download what I do, as it’s flagged as a virus. I tried removing all the libraries, and I realized that it came from XSeries. I mainly wanted to confirm if everything is okay with the library and so on. I attach evidence of the same jar, only removing the XSeries.

(maybe it comes from something else, I don't think so, but hey, sorry if it's nonsense but it's something to know haha)

maven version: com.github.cryptomorin:XSeries:9.3.1

edit: with the latest version (9.6.0) the same issue happens

thefrogline added the bug label Nov 22, 2023
@CryptoMorin (Owner)

The Log4J vulnerability warning has nothing to do with XSeries, because it doesn't even log anything.
As for the Java Trojan warnings, the plugin does not access any of the system's APIs, not even files (except for the NoteBlockMusic and XParticle classes).
So I don't know where to even look to diagnose the issue.

LOOHP commented Nov 22, 2023

My plugins that use this library also got flagged as malware and some of my users are understandably concerned. Once upon a time when I used method handles instead of reflection I also triggered some antivirus. So it might be some code that could have accessed system resources but wasn't used for that purpose.

CryptoMorin (Owner) commented Nov 23, 2023

My main plugin other than XSeries, also uses a lot of system APIs and extreme reflection to mess with class loaders and other "suspicious-looking" code, but VirusTotal is totally (no pun intended) fine with it. It's not obfuscated. (It doesn't shade XSeries itself tho)

https://www.virustotal.com/gui/file/f4b703e21e1e06d9c7604f28e1dbb73597eb5141f630cbba674f7445b5939ca2/detection

@thefrogline (Author)

Hello, I was able to find an antivirus that gives me the path of the problem (Windows Defender only told me the name). I just looked and compared it with the repo code; it shows that it is a false positive. I honestly don't see anything strange. I'll still leave the photo here in case you want to review it.

@CryptoMorin (Owner)

> Hello, I was able to find an antivirus that gives me the path of the problem (Windows Defender only told me the name). I just looked and compared it with the repo code; it shows that it is a false positive. I honestly don't see anything strange. I'll still leave the photo here in case you want to review it.

That's very interesting. Could you please name the antivirus that you used? Also, would it be possible to exclude XSound from being shaded, to see if it switches to detecting another class?

If that fails, try copy-pasting XSound directly into your own project instead of shading it, to see if it still detects it.

I don't know what separates that class from others. Maybe the CompletableFuture usage?

@thefrogline (Author)

Hello, sorry for the delay. The antivirus is "BitDefender"; it has a free version and it is the same. And do you think you can tell me how to exclude shaded classes, please?

@CryptoMorin (Owner)

> Hello, sorry for the delay. The antivirus is "BitDefender"; it has a free version and it is the same. And do you think you can tell me how to exclude shaded classes, please?

It's in the readme page.
For SkullUtils it'd be

<exclude>com/cryptomorin/xseries/SkullUtils*</exclude>
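
An added example (not from this thread or the XSeries project) of the full Maven Shade Plugin configuration behind that exclude line, applied to XSound as the owner suggested above, so the jar can be rebuilt without the suspected class and rescanned. The XSeries coordinates and the exclude pattern come from the thread; the plugin version and the relocated package name are assumptions.

```xml
<!-- Added example. XSeries coordinates and the exclude pattern are from the thread;
     the shade plugin version and the relocation target are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-shade-plugin</artifactId>
      <version>3.5.1</version>
      <executions>
        <execution>
          <phase>package</phase>
          <goals>
            <goal>shade</goal>
          </goals>
          <configuration>
            <!-- Relocate XSeries into the plugin's own package so the shaded copy
                 cannot clash with another plugin that shades a different version. -->
            <relocations>
              <relocation>
                <pattern>com.cryptomorin.xseries</pattern>
                <shadedPattern>com.example.myplugin.libs.xseries</shadedPattern>
              </relocation>
            </relocations>
            <!-- Drop the class under suspicion (XSound and its inner classes,
                 matched on the pre-relocation path) from the shaded artifact.
                 Rebuild and rescan the jar: if the detection simply moves to
                 another class, the signature is matching a generic bytecode
                 pattern rather than real behaviour, which supports reporting
                 it to the vendor as a false positive. -->
            <filters>
              <filter>
                <artifact>com.github.cryptomorin:XSeries</artifact>
                <excludes>
                  <exclude>com/cryptomorin/xseries/XSound*</exclude>
                </excludes>
              </filter>
            </filters>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Swap the exclude pattern for another class (e.g. the `XTag$1.class` path mentioned later in the thread) to bisect which class triggers the scanner, and compare the SHA-256 of each rebuilt jar against the VirusTotal result so each scan is tied to a specific build.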

LOOHP commented Dec 1, 2023

Now it seems to be the switch statement in isItem(material) in XTag which is causing false positives. This is from the source file XTag$1.class, which, when removed from XSeries-9.7.0.jar, stops it from being flagged.

https://www.virustotal.com/gui/file/ab72a4c20c91848f62f1dfb57f72be1e58d978eda8439cfa5e750a2c762c6dcf

@CryptoMorin (Owner)

I'm really unsure why it'd flag that method specifically, because there are other methods that use even longer switch statements like that.

LOOHP commented May 12, 2024

I believe this can be closed now as it is no longer triggering positives in the latest version.

@CryptoMorin (Owner)

Huh, that's weird. That's great to hear tho. Thanks for checking.
