Hi, so I started using portable apps recently. I deemed this website safe and assumed the code+files had been scanned in order to earn the right to be displayed here. This was until I noticed the manual Antivirus scan on the individual app page. I scanned the apps I was using and most of them were laced with something, so I just deleted everything. I think it is a pity, portable apps has a lot of potential and I considered this website my main repository. Are developers or admins doing anything to combat this?
ClamWin has a Trojan/Win32.NetWiredRC.R263581
IrfanView has a Trojan.Malware.74773669.susgen
Openshot has a VIRUS_UNKNOWN
PeaZip has a Trojan.Shelma!
Rufus has a GrayWare/Win32.Generic
The PortableApps platform is listed with a 100/100 threat score on https://www.hybrid-analysis.com/sample/f542a53605d0ea3ed555141cbb52f47d3...
And that's just from clicking randomly and using the built-in Antivirus scan.
Maybe a few of these are "false positives", there needs to be a way to tell. I am a big fan of the idea behind this website, that everyone can keep everything they need in a USB. But right now, people's safety and integrity are put at risk.
Visit the Community page
Join our forums
Subscribe to our email newsletter
Subscribe with RSS
Follow us on Facebook
Follow us on LinkedIn
Follow us on Twitter
Follow us on Mastodon
Follow us on BlueSky
The results on VirusTotal need to be read correctly - a small handful of lesser known virus engines saying something is there is just a false positive. One of the bigger engines detecting a generic something is also a false positive.
Users only need to worry if a few of the larger engines detect the same/similar thing, that would indicate the probable presence of a virus.
Any app released officially is vetted by us - if we were really trying to infect people with something, we wouldn't post the links to the VirusTotal results on the app pages!
As for the Platform's results on Hybrid Analysis, again it is down to how you read the results. It is using the single false positive from a lesser known engine as a detection - it seems to give no weight to the trust or dependability that some engines have over others.
Also the results listed under the risk assessment are all just looking at what the code can potentially do, it does not consider the functionality actually needed by the program and what access it needs to perform those functions.
I would bet that many other large, trusted, and safe programs would also be labelled as bad by this risk detection method, considering it calls the official Python executable as suspicious: https://www.hybrid-analysis.com/sample/1856f8bd2dfb1bbd1c0c7acca60d274ad...
I was wondering why it leaves fingerprints on:
Queries sensitive IE security settings (why?)
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache, else it'd be useless for such app)
Reads the cryptographic machine GUID (ok for the machine name, like python does, but why this?)
Contacts 2 domains and 1 host. Why?
2 domains: the registrar ocsp.sectigo.com and portableapps.com
1 host on IP 104.239.166.87, on port 80 (usually used for http requests)
In short, it looks like the app transfers encrypted GUID and/or whatnot else to portableapps (for tying users physical machines - thus location - with the use of this app); and/or sets/reads internet security parameters that's none of its business etc. Can you please show that I'm misconceiving all this, and/or what you are doing with that data (I'd be glad to be wrong, I luv your work on this app)? Thanks!
The updater/app store uses the Windows Internet Components, the same components used by IE and other local Windows apps. We query the settings to ensure that functionality-breaking settings are not set. Specifically WarnonZoneCrossing and SecureProtocols. Setting either of those basically breaks everything for most every site and app. If they are set, we temporarily set them correctly (to the defaults) while working and then set them back. We also will set them to accept the proper versions of TLS (the newer ones) temporarily and then back if necessary. This is more of a Vista thing as I can't see someone on 7 or later manually disabling newer TLS versions... though it has happened.
Sectigo is queried by Windows to ensure the digital signature are correct. We don't do anything with it manually.
The entire code is free for you to examine, as always: https://sourceforge.net/projects/portableapps/files/Source/PortableApps....
Sometimes, the impossible can become possible, if you're awesome!