Concern Regarding Potential False Positives for Friction 2D v0.9.5 and v0.9.6 RC1 on VirusTotal

[hugogonzalezcastro]

Hello Friction 2D Developer,

I hope this message finds you well. First and foremost, I want to express my appreciation for the hard work and dedication you have put into developing Friction 2D. It is a fantastic tool for motion graphics, and I have enjoyed using it.

However, I recently encountered a concerning issue that I believe warrants your attention. After downloading the latest versions (0.9.5 and 0.9.6 RC1) of Friction 2D, I decided to check the binaries on VirusTotal.com. Unfortunately, several antivirus engines flagged these versions as potentially malicious. This is particularly troubling as the previous version (0.9.4) was entirely clean on VirusTotal.

While I understand that false positives are not uncommon, the sudden appearance of these alerts raises some questions. It could potentially undermine user trust and deter new users from adopting the software. Therefore, I would like to kindly request that the development team investigate this matter further. Here are a few suggestions that might help:

• Review the Codebase and Dependencies: Ensure that no malicious code or compromised third-party libraries have inadvertently been included in the newer versions.
• Contact Antivirus Vendors: If the issue is indeed a false positive, reaching out to the antivirus vendors to report this and provide them with the necessary information could help in getting these alerts removed.
• Communicate with VirusTotal: Providing VirusTotal with information about the software and the suspected false positives might aid in resolving this issue.

Addressing this promptly would greatly help in maintaining user trust and ensuring that Friction 2D continues to be a reliable tool for everyone.

Thank you for your attention to this matter. I look forward to your response and hope for a swift resolution.

Best regards,

Hugo

[rodlie]

Hi

I recently encountered a concerning issue that I believe warrants your attention. After downloading the latest versions (0.9.5 and 0.9.6 RC1) of Friction 2D, I decided to check the binaries on VirusTotal.com. Unfortunately, several antivirus engines flagged these versions as potentially malicious. This is particularly troubling as the previous version (0.9.4) was entirely clean on VirusTotal.

More info would be great. Why do they flag the binaries? and what binaries? The installer/7z? exe, dll?

This is not unusual, most OSS projects I have will at some point be flagged by some random site. Usually this happens due to unsigned binaries or that the files are "new" and need to "earn" trust, as in a certain install base is needed before the file is "safe".

EDIT: The reason 0.9.4 is "safe" is because it's available through winget (Windows Package Manager), for some reason 0.9.5 was never added to winget, I will make sure 0.9.6 is added to winget when released (no point in adding 0.9.5 now).

Review the Codebase and Dependencies: Ensure that no malicious code or compromised third-party libraries have inadvertently been included in the newer versions.

I personally build every dll and exe included with the installer/portable. Third-party source code is downloaded from upstream and verified.

Addressing this promptly would greatly help in maintaining user trust and ensuring that Friction 2D continues to be a reliable tool for everyone.

What is trust?

• I maintain the source code (every commit is signed with my PGP key)
• I'm the only person with write access to the repositories
• I provide and maintain the hardware used to build everything
• I build and maintain the SDK needed to create binaries
• I build and maintain the binary releases
• I provide checksums signed with my PGP key for all binaries

So, it's basically a matter of do you trust me (a random guy on the internet) or not :)

[hugogonzalezcastro]

Thank you very much for your quick answer, it is very appreciated!

More info would be great. Why do they flag the binaries? and what binaries? The installer/7z? exe, dll?

I downloaded the installer for Windows from: https://github.com/friction2d/friction/releases/download/v0.9.5/friction-0.9.5-setup-win64.exe
and scanned it at: https://www.virustotal.com/
This is a great site to scan with a huge number of antiviruses at the same time.
It is a site from Google now: https://en.wikipedia.org/wiki/VirusTotal

Several weeks ago I got 3 positives. I rescanned the file for several days to make sure the issue was still there. A few hours ago, I got just one positive. Just now, I rescanned again the file, and now the report is completely clean! It seems they have updated the antivirus DB, so it is really good news! They don't keep previous reports for the same file, but now their report looks completely clean:

https://www.virustotal.com/gui/file/e555883f2d035d75431bca895e942e4700065eb881bfa4ed56fcc99dd547e299

I don't know if you contacted them or finally added the file to Winget, but the issue has definitely been fixed! I wouldn't have written this post if the issue were not there for weeks, so something has definitely changed on the VirusTotal side, as your file is the same and now their reports doesn't flag it!

I personally always scan any file I download at this site and usually works really well... I really think fixing this kind of issue really helps. If you want to check if any antivirus gives you a false positive in future releases, this is a great site to try.

Also, I have not seen a "Donation" option on your site, to support your project... I think some people would support you if you give the option. I have a very humble budget, but would be glad to contribute. Thank you very much for your support!

[rodlie]

I don't know if you contacted them or finally added the file to Winget, but the issue has definitely been fixed!

Great, I have not done anything :)

Also, I have not seen a "Donation" option on your site, to support your project... I think some people would support you if you give the option.

This may be an option in the future.

I have a very humble budget, but would be glad to contribute. Thank you very much for your support!

If Friction helps or inspire someone to create art I'm happy :)

[hugogonzalezcastro]

Thank you very much for your quick support!