Trojaner Win32/Bearfoos.B!ml detected

[uChoh5fe]

Hi, in the latest release (ChanSort_2023-12-18.zip) Defender seems to found a trojaner... can you please check

Anyway, thanks for this nice helpful piece of software :-)

[PredatH0r]

This must be a false positive.

I updated Win 11 to security definition version 1.403.1363.0, downloaded the .zip file from github, extracted it with Windows 11 Explorer, right-clicked the folder and checked it with Windows Defender. No threats found.
Then I repeated the same process on a Win10 VM, a Win11 VM and my notebook with Win11. Same result.
To be 100% sure I also ran an offline scan on my notbook, booting directly into Windows Defender.

Running VirusTotal against the .zip download URL on github, I get these results:
https://www.virustotal.com/gui/url/80dc1d0d6f1e44b734dd2aa38a394b944b1211b71679c8f50513e692a253983a
ArcSight Threat Intelligence reports it as "Suspicious", but 0 engines as "Malicious"

Uploading my original .zip directly to VirusTotal, I get this:
https://www.virustotal.com/gui/file/27152a867e0d3fca3bd6c6936a7211a67fca62a056bb9ebedc5f0e16087bb5dc
No detections.

And ChanSort.exe on its own:
https://www.virustotal.com/gui/file/26171b586c5fc58686d6c098dc741a4b174b7af6c9dd99f97c295bb9163321d0
No detections.

I can only GUESS why ArcSight might find something suspicious.
ChanSort.exe dynamically loads all "ChanSort.Loader.*.dll" files that it finds in its local directory, without having static references inside the .exe to those .dll files. ChanSort uses this approach so that developers can compile custom Loader DLLs and drop them in the ChanSort directory without compiling the whole source code, which would require a quite expensive license for the Developer Express WinForms UI controls.
Malware might uses a similar approach to run arbitrary malicious code that it downloads.

At the time I was testing ChanSort 2023-12-18 for release, Windows Defender inside a test VM deleted ChanSort.exe with a false-positive of "Behavior:Win32/DefenseEvasion.A!ml". I reported this incident to Microsoft as I am certain it was a false-positive.
I assume this happened because I deleted + copied the directory several times on my development PC while I had an Explorer in the VM open to start ChanSort from a network share folder. None of my other PCs/VMs detected any threats in the same network folder.

[PredatH0r]

Did you download ChanSort_2023-12-18.zip from github or some other download site?
I only upload to github (and occationally some pre-releases to my chansort.com server).

I have no control over other websites which might offer modified / infected files for download.

[uChoh5fe]

Hi, yes I downloaded the zip from github, have tested again with a fresh download and now it seems to be clean. Maybe it was an old definition file from Defender?! Sorry for the trouble, next time I will also test with virustotal.

Happy new year and thanks for your fast response.