Is VeraCrypt 1.16 malware? Two antivirus providers (Rising and Zillya) say so.

description

Hello,

I scanned the file with https://www.virustotal.com/

Results:

SHA256: aafacca9a600af5b8d66387718c984b8655905f72370bbd772baf90e57e85b7e
File name: VeraCrypt Setup 1.16.exe
Detection ratio: 2 / 55


Antivirus   Result                           Update
Rising      PE:Malware.RDM.08!5.E[F1]        20151024
Zillya      Adware.CrossRider.Win32.28533    20151024

comments

idrassi wrote Oct 25, 2015 at 12:19 PM

Hi,

This is clearly a false positive!

Of course it is not malware. I checked again on VirusTotal and now only "Rising" is reporting a positive result: https://www.virustotal.com/fr/file/aafacca9a600af5b8d66387718c984b8655905f72370bbd772baf90e57e85b7e/analysis/1445771517/

This kind of false positive does happen from time to time with less efficient antivirus products ("Rising" seems to be a minor Chinese antivirus that is not always reliable). Until today, none of the major antivirus products on the market has ever reported a false positive on VeraCrypt.

I'm sure that if you check virustotal again after some time, this false positive will disappear.

Slashgun wrote Oct 25, 2015 at 2:48 PM

Strange, I still get the same result as above, with two positives... maybe my download was infected? I downloaded it here from the official site, though.

idrassi wrote Oct 25, 2015 at 4:52 PM

Your download is not infected, it is just a problem with these two antivirus products, which obviously have a problem in their heuristic engine.
I have never heard of them before and clearly they are less reliable than the other major antivirus products like Kaspersky or Bitdefender, which are luckily more reliable.

If you are a user of one of those antivirus products, you can contact them to inform them of this false positive.
I found an email address on Zillya website to submit false positive report and I did so. But I could not find an equivalent for the Chinese antivirus Rising.

Slashgun wrote Oct 25, 2015 at 6:56 PM

OK, thank you very much. In the meantime I will use version 1.0f-2, because this version shows 0 (zero) positives in any of the 55 antivirus engines on virustotal.com.

idrassi wrote Oct 27, 2015 at 11:16 PM

I found why Zillya is reporting a false positive on 1.16 installer: it is because of the use of a string indicating a Windows registry key that the installer uses to detect if system restoration is enabled or not.

Honestly, this is an indication of the poor quality of Zillya heuristic engine.

Anyway, I implemented a workaround to avoid this false positive detection by splitting the string into several parts and uploaded an installer for 1.17-BETA that contains this, and this time Zillya is not reporting the false positive: https://www.virustotal.com/fr/file/4dc17ea553b860bca2d8c452587312d4d5403488e8bcae5d26faccf433e6af02/analysis/
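The split-string workaround described in the last comment, as an added example that is not VeraCrypt's own code. The thread does not name the registry key the installer reads, so the path below is an assumed placeholder chosen for illustration. The example shows the mechanism that makes the trick work: each C string literal carries its own NUL terminator, so even when the linker places the fragments back to back, the full path never exists as one contiguous byte run in the image, and a signature that pattern-matches the whole string cannot fire. The key is rebuilt at runtime from the fragments before use.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* ASSUMPTION: the page does not name the registry key VeraCrypt's installer
 * checks; this path is a placeholder used only to demonstrate the technique. */
#define SR_KEY_FULL "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore"

/* The same path split into fragments. Each literal is NUL-terminated, which is
 * what breaks a contiguous byte signature even in the worst-case layout. */
static const char sr_frag0[] = "SOFTWARE\\Micro";
static const char sr_frag1[] = "soft\\Windows NT\\";
static const char sr_frag2[] = "CurrentVersion\\Sys";
static const char sr_frag3[] = "temRestore";
static const char *const sr_frags[] = { sr_frag0, sr_frag1, sr_frag2, sr_frag3 };
#define SR_FRAG_COUNT (sizeof sr_frags / sizeof sr_frags[0])

/* Rebuild the key path at runtime. Returns the length written (without the
 * terminator), or 0 if the buffer cannot hold the result. */
size_t build_sr_key(char *out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < SR_FRAG_COUNT; i++) {
        size_t l = strlen(sr_frags[i]);
        if (n + l + 1 > out_len) return 0;
        memcpy(out + n, sr_frags[i], l);
        n += l;
    }
    out[n] = '\0';
    return n;
}

/* Naive contiguous byte search, the kind of match a string-based AV signature
 * performs over a section. Haystack may contain embedded NULs. */
int contains_bytes(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || hay_len < nlen) return 0;
    for (size_t i = 0; i + nlen <= hay_len; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Model the worst-case .rdata layout: every fragment, including its NUL,
 * placed immediately after the previous one. Returns bytes written or 0. */
size_t layout_fragments(unsigned char *image, size_t image_len)
{
    size_t n = 0;
    for (size_t i = 0; i < SR_FRAG_COUNT; i++) {
        size_t l = strlen(sr_frags[i]) + 1; /* keep the terminator */
        if (n + l > image_len) return 0;
        memcpy(image + n, sr_frags[i], l);
        n += l;
    }
    return n;
}

/* 1 if rebuilding from fragments yields exactly SR_KEY_FULL. */
int rebuilt_key_matches(void)
{
    char buf[128];
    size_t n = build_sr_key(buf, sizeof buf);
    return n == strlen(SR_KEY_FULL) && strcmp(buf, SR_KEY_FULL) == 0;
}

/* 1 if a contiguous scan of the modelled layout finds the full key path. */
int full_key_visible_in_layout(void)
{
    unsigned char image[256];
    size_t n = layout_fragments(image, sizeof image);
    return n > 0 && contains_bytes(image, n, SR_KEY_FULL);
}

int main(void)
{
    char key[128];
    build_sr_key(key, sizeof key);
    printf("runtime key : %s\n", key);
    printf("rebuilt ok  : %d\n", rebuilt_key_matches());
    printf("full key in image: %d\n", full_key_visible_in_layout());
    return 0;
}
```

The fragments themselves still show up in a `strings` dump, so this only defeats a signature on the exact contiguous path; it is a workaround for one engine's heuristic, not a hardening measure. Splitting is also the lightest-touch option: encoding or packing strings more aggressively is itself a behaviour many heuristic engines score as suspicious, which would trade one false positive for others.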