
Bitdefender Flags Opensource Github Program: Should I be worried?

Solved by Mark Kaine

I recently downloaded the Windows x64 version of libimobiledevice-winx64, which is an open source toolset for controlling an iOS device through a computer. I'm not going to link the GitHub repository here since doing so would probably violate some forum rules for posting potentially malicious links, but if you want to find it, Google is your friend. Upon downloading it and using it for a basic iOS JIT workaround to run Dolphin on iOS 14.4+, which I was successful in doing, I went on paying little mind to the program. This was until I performed a Bitdefender antivirus scan and the program was flagged as Gen:Variant.Bulz.542714. I deleted the file and rescanned, and Bitdefender came up clean. I've been avoiding using Windows Defender since a current bug that has been reported by other users causes it to always detect a threat then "take action" without any logs. (Windows Defender notification, took action against threat....but there's nothing there? - Windows - Linus Tech Tips)

 

Wanting to investigate further into this odd "virus", I attempted to search the name and could not find any documentation on Bulz.542714. Undeterred, I decided to return to the GitHub repository I originally downloaded the file from and attempted to redownload it, at this point to determine whether the libimobiledevice file that the antivirus claimed was infected had been infected at a later time or was a false positive* in Bitdefender from the time of download. Interestingly, upon clicking the GitHub repository download link, the GitHub user-content download URL was blocked this time around. Upon verifying that the download domain was an official GitHub download and not a phishing URL, I went to override the Bitdefender domain block and redownloaded the file. Immediately upon downloading the file, without even unzipping it, I scanned the file with Bitdefender, and sure enough the scan flagged the same file from before as Gen:Variant.Bulz.542714. As before, I deleted the entire GitHub package and ran a full scan with Bitdefender. This time my PC came up clean.

 

I come here to try and get a second opinion. What is my next step? Do I ignore this? Should I change all my passwords and assume my accounts are compromised? I don't think this has anything to do with the Windows "took action against threat" bug, since that predates me even downloading libimobiledevice-winx64. What do you guys recommend? Thanks in advance!

 

 

*the specific file that Bitdefender claimed to be infected was idevicedebug.exe

[screenshots attached: githubpage.PNG, malink.PNG, scanmsg.PNG]


Look at the issues tab in GitHub, maybe you will find more info there.

A PC Enthusiast since 2011
AMD Ryzen 7 5700X@4.65GHz | GIGABYTE RTX 3080 GAMING OC | 4x 8GB Micron Rev.E (D9VPP) 3800MHz 16-19-14-21-58

17 minutes ago, Brick1026 said:

No Dice.

Is the software digitally signed? Does it have a code signing certificate? If not, maybe your AV is flagging it because it has no code signing certificate.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 32 GB (4x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitor: 24" Acer S240HLBID | OS: Win 11 Pro.

 

Home Lab:  Lenovo ThinkCenter M82 Hyper-V Server 2022 | Dell OptiPlex 9020 Hyper-V Server 2022 | TP-LINK TL-SG108E | Cisco Catalyst C2960CG 8 Port Switch | HP MicroServer G8 SCCM Server | 2x Dell PowerEdge R630 Hyper-V Server 2022

 

 

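One way to answer the signing question yourself, as an added example that is not from this thread or from the libimobiledevice project: the script below parses the PE header and reports whether the executable carries an embedded Authenticode certificate table at all. Whether the idevicedebug.exe build in question is signed is not something this thread establishes, and presence is not validity: a signature that is present still has to be verified with `signtool verify /pa /v`, PowerShell's `Get-AuthenticodeSignature`, or `osslsigncode verify` on Linux. The `build_sample_pe` helper and its placeholder certificate bytes are constructed test data, not a real binary.

```python
"""Report whether a Windows PE executable carries an embedded Authenticode
certificate table (IMAGE_DIRECTORY_ENTRY_SECURITY -> WIN_CERTIFICATE entries).
Added example; presence of a signature does not mean it verifies."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # Authenticode PKCS#7 SignedData
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data: bytes):
    """Return (file_offset, size) of the certificate table, or None when the
    image has no Security directory entry. Raises ValueError on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        num_dirs_off, dirs_off = 92, 96
    elif magic == PE32PLUS_MAGIC:
        num_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, opt + num_dirs_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if entry + 8 > opt + size_of_optional:
        raise ValueError("Security directory entry lies outside the optional header")
    # Unlike every other data directory, the Security entry holds a raw file offset.
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size) if offset and size else None


def embedded_signatures(data: bytes):
    """Walk the WIN_CERTIFICATE chain and return [(revision, type, length), ...].
    An empty list means no embedded signature (catalog-signed files also show none)."""
    loc = security_directory(data)
    if loc is None:
        return []
    offset, size = loc
    end = offset + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise ValueError("malformed WIN_CERTIFICATE header")
        entries.append((revision, cert_type, length))
        offset += (length + 7) & ~7  # entries are 8-byte aligned
    return entries


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, not runnable) used only to
    exercise the parser. The certificate bytes are a placeholder, not real PKCS#7."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    cert_table = b""
    if signed:
        fake_der = b"\x30\x82\x00\x10" + b"\0" * 16
        cert_table = struct.pack("<IHH", 8 + len(fake_der), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + fake_der
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x200, len(cert_table))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return image + b"\0" * (0x200 - len(image)) + cert_table


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        sigs = embedded_signatures(fh.read())
    print("embedded signature present (now verify it)" if sigs else "no embedded signature", sigs)
```

Run it as `python pe_sig.py idevicedebug.exe`. Keep in mind that many open-source Windows builds ship unsigned, so "no embedded signature" on its own is not evidence of tampering; it only tells you that the publisher identity cannot be checked through the signature, and that you are left with hashes and scanner consensus.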

Almost certainly a false positive, I'd open a Github issue but wouldn't worry about it.

Quote me to see my reply!

SPECS:

CPU: Ryzen 7 3700X Motherboard: MSI B450-A Pro Max RAM: 32GB I forget GPU: MSI Vega 56 Storage: 256GB NVMe boot, 512GB Samsung 850 Pro, 1TB WD Blue SSD, 1TB WD Blue HDD PSU: Inwin P85 850w Case: Fractal Design Define C Cooling: Stock for CPU, be quiet! case fans, Morpheus Vega w/ be quiet! Pure Wings 2 for GPU Monitor: 3x Thinkvision P24Q on a Steelcase Eyesite triple monitor stand Mouse: Logitech MX Master 3 Keyboard: Focus FK-9000 (heavily modded) Mousepad: Aliexpress cat special Headphones:  Sennheiser HD598SE and Sony Linkbuds

 

🏳️‍🌈


Disable your antivirus, download the zip file, unpack the zip file, then open VirusTotal and upload the executable in the zip file there.

 

It will probably also work if you upload the zip directly

 

VirusTotal will scan the executable with a bunch of antiviruses and you'll see what each antivirus thinks about it.

 

My guess is that it's a false positive caused by the executable using some functions that access the hardware, functions which were probably used by some viruses in the past. Basically, the antivirus is too "general" about it, complaining about the use of those functions and placing that library in the same bucket as viruses.

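As an added example (not the thread's own procedure and not code from the libimobiledevice project), the script below does the VirusTotal step without uploading anything: it hashes the file locally, looks the SHA-256 up through the documented VT API v3 `GET /api/v3/files/{hash}` endpoint, and then reads the per-engine results instead of only the headline count. That is where a generic name like Bitdefender's Gen:Variant.* (a heuristic family detection rather than a specific identified sample) becomes visible next to what the other engines say. The generic-label markers, the `fp_ratio` threshold, the `VT_API_KEY` variable name and the two sample reports are this example's own assumptions and constructed data, not real VirusTotal results for idevicedebug.exe.

```python
"""Look a flagged file up on VirusTotal by hash and read the per-engine
verdicts. Added example; sample reports are constructed, not real VT data."""
import hashlib
import json
import os
import re
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"   # VT API v3, GET by hash

# Fragments vendors use for heuristic/ML/generic family names (as opposed to
# a specific identified sample). Assumption: illustrative, not exhaustive.
GENERIC_MARKERS = re.compile(
    r"(^Gen:|Generic|Heur|\bML\b|Susp|PUA|PUP|Unsafe|Malicious\.|Score)", re.I)


def sha256_of(path: str) -> str:
    """Hash in chunks so a large zip is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fetch_report(sha256: str, api_key: str):
    """GET /api/v3/files/{hash}. None on 404: VT has never seen the file,
    which means 'no verdict', not 'clean'."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def summarize(report: dict):
    """Return (flagging_engines, total_engines, sorted [(engine, label), ...])."""
    results = report["data"]["attributes"]["last_analysis_results"]
    hits = sorted((engine, r.get("result") or "")
                  for engine, r in results.items()
                  if r.get("category") in ("malicious", "suspicious"))
    return len(hits), len(results), hits


def triage(report, fp_ratio: float = 0.10) -> str:
    """Rough bucket for a human to start from. Assumed thresholds: fewer than
    fp_ratio of engines flagging it, all with generic/heuristic labels, reads
    as a probable false positive; more than half flagging reads as probable malware."""
    if report is None:
        return "unknown-to-vt"
    flagged, total, hits = summarize(report)
    if total == 0:
        return "inconclusive"
    if flagged == 0:
        return "undetected"
    ratio = flagged / total
    if ratio < fp_ratio and all(GENERIC_MARKERS.search(label) for _, label in hits):
        return "probable-false-positive"
    if ratio > 0.5:
        return "probable-malware"
    return "inconclusive"


def make_report(hits: dict, clean: list) -> dict:
    """Build a VT-v3-shaped file object with only the fields used above
    (constructed test data, not a real VirusTotal response)."""
    results = {e: {"category": "malicious", "result": label} for e, label in hits.items()}
    results.update({e: {"category": "undetected", "result": None} for e in clean})
    return {"data": {"attributes": {"last_analysis_results": results}}}


CLEAN_ENGINES = ["Microsoft", "Kaspersky", "ESET-NOD32", "Sophos", "McAfee", "Avast",
                 "TrendMicro", "Symantec", "ClamAV", "F-Secure", "Fortinet"]
# One generic detection out of twelve engines: the shape of a typical false positive.
SAMPLE_FP = make_report({"BitDefender": "Gen:Variant.Bulz.542714"}, CLEAN_ENGINES)
# Eight engines agreeing on a named family: the shape of real malware.
SAMPLE_MALWARE = make_report(
    {e: "Trojan.Agent.Sample" for e in CLEAN_ENGINES[:8]}, CLEAN_ENGINES[8:])


if __name__ == "__main__":
    digest = sha256_of(sys.argv[1])
    key = os.environ.get("VT_API_KEY")          # this example's own variable name
    if not key:
        sys.exit(f"sha256 {digest}\nset VT_API_KEY to query VirusTotal")
    rep = fetch_report(digest, key)
    print(digest, triage(rep), summarize(rep)[2] if rep else "never seen by VT")
```

A 404 ("never seen") is common for a freshly built release; uploading then gets you a verdict, but it also hands the sample to VirusTotal and its subscribers, which is harmless for a public open-source binary and not for anything confidential. If the project publishes checksums for its release archives, comparing the local SHA-256 against them comes before any of this; the thread does not say whether libimobiledevice-winx64 does.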

Should have uploaded it to VirusTotal instead of deleting it.

 

 

Also, it's probably not a virus because you already used it and are unaffected. You know how a virus works, right? You can't just "delete" it, that's the whole point of being a virus lol.

The direction tells you... the direction

-Scott Manley, 2021

 

 


4 hours ago, Brick1026 said:

No Dice.

[screenshot, 2021-07-04]

???

Here's the VT, don't even need to dl it…

[VirusTotal screenshot, 2021-07-04]

I mean I have *no* idea why your AV flags it, or what you actually dl'd 🤷‍♂️ But I hope this helps.


18 hours ago, Sir Asvald said:

Is the software digitally signed? Does it have a code signing certificate? If not, maybe your AV is flagging it because it has no code signing certificate.

Weirdly enough, just clicking the download link throws up a warning. I'd post a SS, but I posted this on Reddit and came to the resolution that this is more than likely a false positive.

 

15 hours ago, Mark Kaine said:

Should have uploaded it to VirusTotal instead of deleting it.

Also, it's probably not a virus because you already used it and are unaffected. You know how a virus works, right? You can't just "delete" it, that's the whole point of being a virus lol.

Na, I'm aware, but by deleting it I'm able to then run a scan to see if I am infected elsewhere, as running a full scan with the file still downloaded will just throw up a message about the original file. I've concluded this is probably a false positive though.

 

14 hours ago, Mark Kaine said:

[screenshot, 2021-07-04]

???

Here's the VT, don't even need to dl it…

[VirusTotal screenshot, 2021-07-04]

I mean I have *no* idea why your AV flags it, or what you actually dl'd 🤷‍♂️ But I hope this helps.

This is reassuring. I'm guessing Bitdefender just decided today it felt like flagging a web site and program I'd used for an earlier purpose. Who knows...


26 minutes ago, Brick1026 said:

This is reassuring. I'm guessing Bitdefender just decided today it felt like flagging a web site and program I'd used for a earlier purpose. Who knows...

No worries, and yeah, better safe than sorry, but this kind of stuff is exactly why I use MWB + Defender…

I scan *everything* I dl (except Steam files, which is dumb because Steam doesn't do AV scans afaik… 🤔) with MWB* and let Defender run in the background and do what it does, but it's too unreliable for active scans, too many false positives. MWB is better, but Windows does the realtime / network stuff, so yeah.

*For reference, in the last ~3 years Defender found ~5 false positives… 3 of which MWB warned me about as "PUP" (potentially unwanted program), and they sure were: each of them Chinese "trainers" which can actually get you in trouble if you use them in the wrong games… (but only theoretically, they don't make these sorts of trainers afaik)

Plus Defender found a mod (a texture file) I made myself lol… (and blocked it lmao) 🤷‍♂️

