1 security vendor and 1 sandbox flagged this file as malicious

[DJStompZone]

I'm sure it's probably nothing, but this got flagged in VirusTotal so I checked it out a little closer. And, well, it kinda seems like it's got an awful lot of traffic going on for an NBT reader, doesn't it?

Like I said, it's probably nothing, just figured I should bring it up just in case
Original detection:
https://www.virustotal.com/gui/file/24c01d16a595df7aab36d0dc0161e589454aefbaa3f49cfff761da709e27ad17
Graph:
https://www.virustotal.com/graph/embed/g75fbaa5b17ef4ac1ac872b614c256c7c55cdcfc01b034ee589b7cf786624ae53

[tryashtar]

I have no idea what any of this means

[DJStompZone]

That must be what VirusTotal is freaking out over then. It runs it in a sandbox and sees the outbound connection as malicious because it's not under user control. I like having the ability to check for updates, and I see that there's a check for updates button. So maybe we could make that check something that is exclusively user initiated, rather than an automatic check? I think that would at the very least cause VirusTotal to stop flagging it as malicious

[tryashtar]

I'll pick user convenience over placating a false positive virus website result every time ;)

[DJStompZone]

Good, then we're in agreement! The false positive caused by having the auto-update check propagates to Microsoft smartscreen and many other security vendors, which is why, for instance, the user is currently required to navigate not one but four "scary" warning messages/dialogs in order to download and run this application.
My proposed solution to disable the auto-check and instead wait for user initiation would not only mitigate this issue, but would improve user privacy. It may even prove to be the case that it adds a minute benefit to startup times.

As for the concern of convenience regarding updates, what if instead of a blind, in-the-background update check, there was a dialog box that pops up if it's been, idk, a week since the last check for updates. Something light and friendly to say "Hey, you want some new features and bug fixes?", while still leaving the end user in control of when/if to perform the check.

Would something like that be acceptable?

[tryashtar]

Oh, is that why these pop up? :/


If making auto-updates opt-in will get rid of these, then yeah I'll do it

[AmethystNightshade]

those pop ups are the standard "you have not paid us a ton of money to sign your program" as shown by it saying "could not verify", "Unknown Publisher" and " and "an unrecognized app"

[QuinStudios]

I'm actually mildly concerned because I've been noticing this slow down my computer WAY more than it should when it's running. Now, that could be really poorly optimized code, but it could also be something malicious, doing a ton of background stuff. I don't think it is, and I'm still using it rn, but it's still somewhat concerning.

Also, the fact that it's literally just an exe, without the normal files or installation that a program like this would have, makes it feel pretty sketchy

[WeatherWonders]

I've seen standalone executables for other small programs like Rufus, Jarfix, and yt-dlp. It can be more convenient than having an installer.

[AmethystNightshade]

The only reason to have an installer is if the program is more than an executable or needs some form of customization during install. most installers i deal with just want you to agree to their terms and to know where you want the files stored. so if anything an installer should be more sketchy than an standalone exe (not that they are though). also if you had the know how, all the code used seems to be inspectable, so you could look through it or compile it yourself.

[WeatherWonders]

I submitted NbtStudio.exe to Microsoft for analysis and soon got a response:

The warning you experienced indicates that submitted file(s) did not have dedicated determination in our system. We can confirm that the files submitted are now determined as clean and attempting to download or run the application should no longer show any warnings.

[AmethystNightshade]

TLDR: I was curious based on the large graph (#42 (comment)), but it turns that in a really roundabout way, microsoft has discovered how to block microsoft.

based on my understanding looking at the virus total and others, the sandbox that they are running nbt-studio in do not have dotnet core installed. all the network requests are stemming form nbt-studio opening up the default browser to the Microsoft download for the requisite dotnet installer and hence loading all the javascript and other resources on that page causing a bunch of domain and network requests.

on top of that, every other alert is either due to the sandbox being so outdated that it does not work with Microsoft websites or the microsoft dotnet installer doing its job (as in editing system files, collecting telemetry to feed to microsoft and other stuff that is deemed malicious only because it is being attributed to a non-microsoft program).

this all leads me to conclude that if in fact microsoft did block this file... they are effectivly blocking it because it is opening a browser for a user to download and run a microsoft installer. so in a really roundabout way, microsoft has discovered how to block microsoft.