New version gpg4win-2.2.3.exe intercepted as having malware

Comodo antivirus product assessed “gpg4win-2.2.3.exe” as being infected with the trojan “TrojWare.Win32.Kryptik.AGMN@284730160”, and listed the file “kgpgconf.exe” as the culprit. I extracted that file and scanned it individually, and Comodo thought that one not infected. I tried to submit the “gpg4win-2.2.3.exe” file to Comodo as a false positive (assuming it is), but the file size exceeds the submittable threshold. The file signature looks okay, except that the part of the certificate under the “subject” heading includes the line
“E = codesigning@intevation.de”
which is not in the list on the program’s check integrity page. Thoughts?

Addendum – I went to Comodo’s website and submitted the file “kgpgconf.exe” as a potential false positive with a summary of where it came from. It may be that Comodo’s name for the purported trojan (above) is an alias of “Trojan.Vicenor”.

There is a link there to sign up as a trusted vendor (https://www.comodo.com/home/internet-security/trustedvendor/signup.php) if that’s helpful (and no, I don’t work for them).

Any thoughts?
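A practitioner-side check for the situation described in this post, added here as an example and not code from the thread or from the Gpg4win project: it compares the download’s SHA-256 with the value the project publishes, lets Windows validate the Authenticode signature and chain, and then pins the signer certificate’s thumbprint so that a merely “valid” signature from some other signer is not accepted. The installer path and the two expected values are placeholders to be filled from the project’s own integrity page; the thread does not quote them.

```powershell
# Added example (not from the thread): verify a downloaded installer before
# trusting it. $ExpectedSha256 and $ExpectedThumbprint are placeholders that
# must be copied from the project's integrity page.
$Installer          = "$env:USERPROFILE\Downloads\gpg4win-2.2.3.exe"
$ExpectedSha256     = "<SHA256 FROM THE PROJECT INTEGRITY PAGE>"
$ExpectedThumbprint = "<SIGNER CERT THUMBPRINT FROM THE PROJECT INTEGRITY PAGE>"

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha256,
        [Parameter(Mandatory)] [string] $Thumbprint
    )

    # 1. Independent check: the published hash must match the bytes we downloaded.
    $actualHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $hashOk = $actualHash -ieq $Sha256

    # 2. Authenticode: Windows validates the embedded signature and the chain.
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $sigOk = $sig.Status -eq 'Valid'

    # 3. Pin the signer rather than eyeballing Subject fields (CN, E, ...):
    #    the leaf certificate's thumbprint must equal the published one.
    $signerOk = $sigOk -and ($sig.SignerCertificate.Thumbprint -ieq $Thumbprint)

    [pscustomobject]@{
        File             = $Path
        Sha256Matches    = $hashOk
        SignatureStatus  = $sig.Status
        SignerSubject    = $sig.SignerCertificate.Subject
        SignerThumbprint = $sig.SignerCertificate.Thumbprint
        SignerPinned     = $signerOk
        Trusted          = $hashOk -and $signerOk
    }
}

Test-InstallerIntegrity -Path $Installer -Sha256 $ExpectedSha256 -Thumbprint $ExpectedThumbprint |
    Format-List
```

The `SignerSubject` field is where a line such as `E = codesigning@intevation.de` shows up; comparing the full thumbprint is more reliable than matching individual subject attributes by eye. Note that the Authenticode signature covers the installer as a whole, so a component extracted from it (such as `kgpgconf.exe`) is a separate artifact that this check does not vouch for on its own.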

Thanks for submitting the binaries to Comodo as a false positive; that was exactly the right thing to do.

Those overzealous false positives are becoming quite common with each new release until the vendors update their signatures.
And while I understand that it is unsettling and annoying for our users if Gpg4win triggers AV alarms, it’s ultimately the problem of the antivirus vendors.

With regards to the Trusted vendor exception:
In my opinion they either don’t trust (or have given up on) their algorithms to only detect malware, so they are allowing “trusted” vendors to bypass it. I really did not know that you can get an “exception” from their scanner. Together with their advertisements for “Buy a code-signing certificate from us”, this smells really fishy.
If I wanted to bypass Comodo AV with malware, becoming a trusted vendor would probably be the first thing that I would do. :wink:

Well anyway, from looking at this it would mean that we would have to sign all our binaries with our code-signing certificate. This is something that we might want to do in the future, but for now this is not easily done in our build process. But we’ll keep it in mind.

Thanks for looking into the issue. Indeed, one often wonders about those ‘trusted vendor’ things as the path of least resistance for badware. Nonetheless, perhaps there is an avenue to submit new releases to the AV vendors to head them off at the pass so that users don’t have to be the vanguard in those battles.

Happy Holidays & best wishes