Laragon 7.0.3 executable detected as Trojan:Win32/Phonzy.A!ml ( severe threat )

[James-Machouk]

Windows Security is detecting Laragon version 7.0.3 as a severe threat.

Trojan:Win32/Phonzy.A!ml

[alxndr-w]

related to #101 #858 #734 #486 #1000

[Sophist-UK]

I have prior experience with these sorts of issues.

The cause is pretty often due to using the same installer to package Laragon as some malware users use to package their malware - and the AV then detects the installer signature and flags Laragon as malware (by association). Some installers have a seed you can change to vary the signature.

Such detections are made much more likely by a lack of a code signing signature to uniquely prove the source of the installer and / or executable. As a free tool written by a hobbyist, purchase and use of an expensive code signing certificate was understandably unlikely, but as chargeable software purchase and use of such a certificate is essential if you are going to be taken seriously - even though it will only reduce and not eliminate these sorts of false positives.

There really also needs to be additional testing of new versions of the installer / executable before public release to ensure that the major AV platforms are NOT going to flag it as malware.

[frahmed99]

I also got the trojan. after bypassing ms defender on the test machine it asked me for a license. also when i opened the application i got this.

[MackSix]

I also got the trojan. after bypassing ms defender on the test machine it asked me for a license. also when i opened the application i got this.

What is wrong with that screenshot? It looks normal to me.

[MackSix]

Only 3 detectors out of 70 detectors on totalvirus. https://www.virustotal.com/gui/file/5ff52ee1e02ebb0ed3d85597a90e9d00442bb5c7b518a979dffe69dbc9dce04a

The laragon.exe is 1 out 74 detectors.
https://www.virustotal.com/gui/file/84443b44404422c0e75b44ae803ccf92d2ba4c66d44efe320cff3bf2e213c901

I have never heard of the ones that are flagging it. It is not unusual for some of these obscure brands to have false positives.

It is safe.

[Sophist-UK]

Personally I have absolutely no doubt that Laragon is safe - but others may take a virus warning at face value and immediately walk away.

Windows Security is hardly "an obscure brand" - it is probably the single most used Windows AV "product" by several orders of magnitude.

I know of 2 or 3 open-source projects who spend a lot of effort avoiding false positives, and avoiding them from major AV products is an essential aspect of publishing any end-user software.

Code signing is a major way of avoiding false positives, so this is yet another thing that @leokhoa needs to implement as a matter of urgency if he wants to be successful.

[leokhoa]

@James-Machouk : I have released Laragon 7.0.4 with some bug fixes and updated the Installer to the latest version.
Can you confirm if it work?

[leokhoa]

I will proceed with Code Signing. It may make the release more complex, but it's worth it.

[Sophist-UK]

Good decision!!

[frahmed99]

I also got the trojan. after bypassing ms defender on the test machine it asked me for a license. also when i opened the application i got this.

What is wrong with that screenshot? It looks normal to me.

The unlicensed tag on the top right.

[James-Machouk]

@James-Machouk : I have released Laragon 7.0.4 with some bug fixes and updated the Installer to the latest version. Can you confirm if it work?

Yes, everything is OK. Thank you, @leokhoa.

I will proceed with Code Signing. It may make the release more complex, but it's worth it.

Signing the code is a good decision, as @Sophist-UK said.

[leokhoa]

Perfecto! thanks for your update @James-Machouk