Bitcoin Forum
May 09, 2024, 11:38:43 AM *
Author Topic: Virustotal shows threat in Github App for Windows!  (Read 213 times)
wwzsocki (OP)
Legendary
Activity: 2744
Merit: 1708
April 24, 2019, 09:59:16 PM
Last edit: April 24, 2019, 10:15:48 PM by wwzsocki
Merited by crypto mania (2)
#1

VirusTotal shows a threat in the GitHub Application for Windows.



Yesterday I wanted to download the GitHub Application for Windows and made a fast check, as always, with VirusTotal, and I was surprised to see this:



Here is the exact link to download the file: https://central.github.com/deployments/desktop/desktop/latest/win32

File Names
Setup.exe
GitHubDesktopSetup.exe
GitHubDesktopSetup (1).exe
githubdesktop.exe

Basic Properties
MD5   492e496406894acdcc80c942f5ddaa8d
SHA-1   c08d31d7db34ab452ce53fad7b6e9897763f2c84
Authentihash   069771af97dff6f48acd4b7b411298a22ef18961746257b6776230f48f51387b
Imphash   2c9272f30a1012b4a769b1c5f04f6e17
File Type   Win32 EXE
Magic   PE32 executable for MS Windows (GUI) Intel 80386 32-bit
SSDeep   1572864:CH0bXaqoTQgEWW8vYbq6T/fZrmWt32tqUzFoWun5TxStNx1oHijiCwQb0K7IIj:oB4JzfZKWtYqUWPn5Tstz1b0Mj
TRiD   Win32 Executable (generic) (42.7%)
OS/2 Executable (generic) (19.2%)
Generic Win/DOS Executable (18.9%)
DOS Executable Generic (18.9%)
File Size   80.53 MB

Maybe this is only a false-positive detection, but the description of the Trojan.DR.Agent virus looks scary:

Trojan.DR.Agent is an obscure computer infection that can be used for additional malware propagation into your Windows operating system. If you are wondering how this application entered your PC, it is extremely difficult to answer this question. Schemers work hard to implement more and more security loopholes for each of their creations. If your personal computer is not guarded by legitimate software, there is no doubt that these security cracks and gaps create vulnerabilities. Overall, to be on the safe side, you should never open spam email attachments, click on suspicious links, download pirated files, trust freeware software or use unfamiliar removable devices. All of this could help schemers infect your computer with all sorts of malware, some of which could be extremely difficult to remove.

Whenever I download something, no matter what or from which source, I check it for malware and viruses. I always use VirusTotal as the first tool and check the download link.
This is strange, because when I checked this link: https://central.github.com/deployments/desktop/desktop/latest/win32, VirusTotal showed no threat at all.



As you can see, there is no virus in the link, but after I downloaded the file and checked it one more time, VirusTotal shows this Trojan.DR.Agent virus.

I tried to find more information about this virus in the GitHub Application for Windows on the web, and I was only able to find a discussion on GitHub from a few years ago about the same issue with an old download file from 2017. I think it is better to let the community know, because not many people are aware of this threat.

TryNinja
Legendary
Activity: 2828
Merit: 6983
April 24, 2019, 10:33:37 PM
#2

C'mon, only Yandex (??) detected it as a virus. Obvious false-positive.

Your second result (https://central.github.com/deployments/desktop/desktop/latest/win32) is because you are checking the website and not the file. Take a look at the image.

"No engines detected this URL"

Yandex is not even on the list, so obviously it won't show up as a (false-positive) virus.
Both links give the same file (same hash and same 1/69 result).

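As an added example (not code from the thread, GitHub or VirusTotal), this is the check TryNinja's reply above relies on: hash the downloaded installer locally and compare it with the values the report lists, so that two download links can be confirmed to deliver the same file, and treat a 1/69 engine count as a prompt to verify rather than as a verdict. The reference hashes are the MD5 and SHA-1 quoted in the opening post; the sample file is constructed, and the detection-ratio threshold is an assumed heuristic.

```python
import hashlib
import os
import tempfile

# Reference values quoted from the VirusTotal report in the opening post.
REFERENCE_HASHES = {
    "md5": "492e496406894acdcc80c942f5ddaa8d",
    "sha1": "c08d31d7db34ab452ce53fad7b6e9897763f2c84",
}

def hash_file(path, algorithms=("md5", "sha1", "sha256"), chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hexdigest}.
    An 80 MB installer is never held in memory, and every digest comes
    from the same read, so the values are directly comparable."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_download(path, expected):
    """Compare a local file with published hashes, case-insensitively.
    Returns {algorithm: bool}; any False means this is not the file the
    report describes, whatever the per-engine verdicts say."""
    actual = hash_file(path, algorithms=tuple(expected))
    return {alg: actual[alg] == expected[alg].lower() for alg in expected}

def triage_ratio(detected, total, threshold=3):
    """Classify a 'detected/total' engine count such as 1/69.
    The threshold is an assumed heuristic: a lone engine is a prompt to
    check provenance and hashes, not evidence of compromise."""
    if detected == 0:
        return "clean"
    if detected < threshold:
        return "low-confidence"
    return "likely-malicious"

if __name__ == "__main__":
    # Constructed stand-in for the installer, not GitHubDesktopSetup.exe.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"constructed sample bytes\n")
    os.close(fd)
    try:
        print(hash_file(sample))
        print(verify_download(sample, REFERENCE_HASHES))  # both False
        print(triage_ratio(1, 69))  # low-confidence
    finally:
        os.remove(sample)
```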
Bitcoin_Arena
Copper Member
Legendary
Activity: 2030
Merit: 1788
April 24, 2019, 10:34:53 PM
#3

It's most likely a false positive. Just give it time.
It sometimes happens with even trusted official apps like Electrum.

wwzsocki (OP)
Legendary
Activity: 2744
Merit: 1708
April 25, 2019, 10:41:48 AM
#4

C'mon, only Yandex (??) detected it as a virus. Obvious false-positive...
I know that it can be a false positive and wrote about it too, but normally such detections are described as heuristic, or the explanation of the virus is not as scary as for this Trojan.DR.Agent.

...Both links give the same file (same hash and same 1/69 result).
Download this file and then try to scan it with VirusTotal and you will see the virus threat.

vv181
Legendary
Activity: 1932
Merit: 1273
April 25, 2019, 11:12:19 AM
#5

Do people really use the GitHub desktop application? I mean, personally, I'm fine with basic git functions plus some extra add-ons for my text editor that analyze and make it easier to use git within the text editor.

After all, it must be a false positive since it's popular open source software. If something strange and vulnerable existed within the code, the community would already be complaining. Note that I don't mean to generalize that all open source software must be free from malware/viruses.
TryNinja
Legendary
Activity: 2828
Merit: 6983
April 25, 2019, 01:47:49 PM
#6

I know that it can be a false positive and wrote about it too, but normally such detections are described as heuristic, or the explanation of the virus is not as scary as for this Trojan.DR.Agent.
This doesn't make this less of a false-positive.

Download this file and then try to scan it with VirusTotal and you will see the virus threat.
I did... That's why I said they have the same hash and the 1/69 VirusTotal result.

mk4
Legendary
Activity: 2758
Merit: 3833
April 25, 2019, 02:52:25 PM
#7

C'mon, only Yandex (??) detected it as a virus. Obvious false-positive.

I didn't know Yandex, an email client as far as I know, even has a threat detector. LOL. I probably wouldn't trust it for this specific purpose, but it's understandable why OP's paranoid; and it's better to be paranoid than to not care at all anyway.

Anyway, OP, GitHub is a widely, widely used service worldwide, and if there were an actual threat problem with it, the news would immediately spread like wildfire. Safe to say that this "detection" is a fluke. Good job on making sure nonetheless.

wwzsocki (OP)
Legendary
Activity: 2744
Merit: 1708
April 27, 2019, 09:08:57 PM
#8

...I did... That's why I said they have the same hash and the 1/69 VirusTotal result.

Oh yes, now it is clear; I missed the "same hash" statement in your last answer.



I made a scan one more time today and the results are still the same, but 22 positive ratings have been added since I started this thread.

The community score is +22 now, which indicates this threat is a false positive (of course), but I still think it wasn't a mistake to share and discuss my findings with the community.


...it's understandable why OP's paranoid; and it's better to be paranoid than to not care at all anyway...




Ucy
Sr. Member
Activity: 2576
Merit: 402
May 01, 2019, 03:43:53 PM
#9

Is that the official GitHub Desktop application? I thought GitHub only has a 64-bit desktop application, while yours is 32-bit.
You probably got the 32-bit version from another source, which explains the virus?
TryNinja
Legendary
Activity: 2828
Merit: 6983
May 01, 2019, 03:48:53 PM
#10

Is that the official GitHub Desktop application? I thought GitHub only has a 64-bit desktop application, while yours is 32-bit.
Who said this is for 32 bit?

You probably got the 32-bit version from another source, which explains the virus?
Did you see the link on the OP? How would that be a virus?

Actually, did you even read the thread? I already explained that this is a false-positive.
