Ancestors

Toot

Written by DoctorButts on 2024-10-19 at 20:46

BlockTheSpot compromised or false positive?

https://github.com/mrpond/BlockTheSpot/issues

=> More information about this toot | More toots from DoctorButts@kbin.melroy.org

Descendants

Written by ReversalHatchery@beehaw.org on 2024-10-19 at 21:43

did you want to link #573 ? you only linked the issues list

=> More information about this toot | More toots from ReversalHatchery@beehaw.org

Written by MangoPenguin@lemmy.blahaj.zone on 2024-10-19 at 21:43

They could be away and not checking on things until they get back.

Or potentially their github account was taken over somehow.

=> More information about this toot | More toots from MangoPenguin@lemmy.blahaj.zone

Written by Telorand@reddthat.com on 2024-10-19 at 21:50

Looks like the previous version only had two positive hits on VirusTotal, according to comments, whereas this newest version has 29.

Some said the previous version is still available. I don’t really have skin in the game, so nobody should take my advice without doing your due diligence.

=> More information about this toot | More toots from Telorand@reddthat.com

Written by lol@discuss.tchncs.de on 2024-10-19 at 21:51

Seems strange that the dev seems to be keeping quiet on this, no?

It’s only been a few hours since the issue (I assume you’re referring to) was opened. The developer could be in a different time zone or on a vacation and not respond for a few weeks. People are not entitled to a (quick) response.

Though I haven’t followed this project long enough to tell if this is just the way they normally behave.

Looks completely normal to me. The tool works by pretending to be some DLL loaded by Spotify, providing the same functionality as the original file, but also modifying Spotify’s behavior to block ads. It’s easy to see why antivirus software would flag a modified DLL that modifies a program’s behavior as suspicious, especially if the same DLL has previously been used by some malware to inject malicious code.

=> More information about this toot | More toots from lol@discuss.tchncs.de

Written by ReversalHatchery@beehaw.org on 2024-10-19 at 21:54

Seems strange that the dev seems to be keeping quiet on this, no?

the issue was just posted 7 hours ago. maybe they just haven’t seen it yet.

someone in issue #573 asked if the dpapi file is really needed, and by looking at the manual installation instructions, yes, because that contains all the code.

the developer loads custom code into the spotify process by using such an “override” dll file. it works because spotify is voluntarily loading a dll with this name, and if there’s such a file in the directory beside the .exe file, it’ll take precedence over the original file installed in the system.

the trojan warning is probably triggered because this technique is often used by malware to change the behaviour of your programs, but as with most technologies, it has good uses too

=> More information about this toot | More toots from ReversalHatchery@beehaw.org
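A defender-side check for the override mechanism described in the post above, added here as an example; it is not code from this thread or from the BlockTheSpot project. It walks an application directory, picks out DLLs whose names match system DLLs (the "dpapi.dll" name comes from the thread; "version.dll" and "winmm.dll" are assumed additional examples), and compares each one's SHA-256 against the system copy so you can tell a byte-identical shadow from a modified replacement. The directory layout, file contents and hashes in `demo()` are constructed so the script runs offline on any OS.

```python
# Added example (not from the thread or the BlockTheSpot project): audit an
# application directory for DLLs that shadow system DLLs via search-order
# precedence, and report whether each shadow differs from the system copy.
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# DLL names to check. "dpapi.dll" is the one the thread mentions; the other two
# are assumed examples and not taken from the thread.
WATCHED_DLLS = {"dpapi.dll", "version.dll", "winmm.dll"}


@dataclass
class Finding:
    name: str                     # file name as found in the application directory
    app_sha256: str               # hash of the copy sitting beside the executable
    system_sha256: Optional[str]  # hash of the system copy, or None if none exists
    differs_from_system: bool     # True when the app copy is not byte-identical


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_dlls(directory: Path) -> Dict[str, Path]:
    """Map lower-cased DLL names to paths; Windows resolves DLL names case-insensitively."""
    return {p.name.lower(): p for p in directory.iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def audit_app_dir(app_dir: Path, system_dir: Path, watched=WATCHED_DLLS) -> List[Finding]:
    """Report every watched DLL beside the application (it would be loaded ahead of
    the system copy) and whether it is a modified replacement or an identical copy."""
    system_dlls = index_dlls(system_dir)
    findings = []
    for name, path in sorted(index_dlls(app_dir).items()):
        if name not in watched:
            continue
        app_hash = sha256_of(path)
        sys_path = system_dlls.get(name)
        sys_hash = sha256_of(sys_path) if sys_path else None
        findings.append(Finding(path.name, app_hash, sys_hash,
                                differs_from_system=sys_hash is not None and sys_hash != app_hash))
    return findings


def demo() -> List[Finding]:
    """Constructed layout in a temp dir: a fake system32 holding genuine DLLs and an
    app folder with an override dpapi.dll, an identical version.dll, an unrelated
    helper DLL and the executable. Returns the findings for the app folder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        system_dir = root / "system32"
        app_dir = root / "app"
        system_dir.mkdir()
        app_dir.mkdir()
        (system_dir / "dpapi.dll").write_bytes(b"constructed: genuine dpapi")
        (system_dir / "version.dll").write_bytes(b"constructed: genuine version")
        (app_dir / "Spotify.exe").write_bytes(b"constructed: executable")
        (app_dir / "helper.dll").write_bytes(b"constructed: app-private dll")
        (app_dir / "dpapi.dll").write_bytes(b"constructed: override dpapi")
        # Identical copy: shadows the system DLL but carries no modification.
        (app_dir / "version.dll").write_bytes(b"constructed: genuine version")
        return audit_app_dir(app_dir, system_dir)


if __name__ == "__main__":
    for f in demo():
        status = "MODIFIED" if f.differs_from_system else "identical to system copy"
        print(f"{f.name}: {status}")
```

On a real machine you would point `audit_app_dir` at the application folder and at `C:\Windows\System32`; a watched name that is present but identical to the system copy is harmless redundancy, while a differing copy is exactly the "override" file the post describes and is what an antivirus engine reacts to, so it is the one to inspect or hash-compare against a build from source.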

Written by DoctorButts on 2024-10-19 at 21:56

the issue was just posted 7 hours ago. maybe they just haven't seen it yet.

There are multiple posts going back 5 days of people asking about it. Check closed issues too, the dev even responded to some of them by saying it's only a false positive.

=> More information about this toot | More toots from DoctorButts@kbin.melroy.org

Written by lol@discuss.tchncs.de on 2024-10-19 at 22:48

the dev even responded to some of them by saying it’s only a false positive.

What else are you expecting them to do then if they already answered? Write an essay on DLL injection and walk everyone through the code line by line to convince them it’s not malicious?

In the end you either have to verify the code yourself or you have to trust them when they say it’s a false positive.

=> More information about this toot | More toots from lol@discuss.tchncs.de

Written by N0x0n@lemmy.ml on 2024-10-20 at 00:20

Not the whole code but only the part that triggers those flags. Not everyone is versed in C to “verify the code” himself… That’s a stupid take; it’s like saying to a toddler to change his diapers on his own if they’re dirty.

Strangely enough, it went from 1 trigger to 29 triggers after 1 update? Seems rather sketchy :/ In the past (pirated games/software) I would have ignored the warnings and added an exception into my Windows firewall… But today with all the crypto schemes and obfuscated code, I won’t go near anything like that.

=> More information about this toot | More toots from N0x0n@lemmy.ml

Written by lol@discuss.tchncs.de on 2024-10-20 at 07:51

Not the whole code but only the part that triggers those flags. Not everyone is versed in C to “verify the code” himself…

You don’t say. And the developer pointing to some piece of code and telling those people who cannot understand it themselves that it’s not malicious achieves anything?

If it’s a false positive there isn’t even anything to show in the first place. Nobody but the antivirus vendors know for sure why something triggers a false positive.

That’s a stupid take; it’s like saying to a toddler to change his diapers on his own when they’re dirty.

It’s like a toddler telling you you’re changing their diapers wrong and expecting you to explain to them what you did wrong even though you did everything correctly and the toddler doesn’t know anything about changing diapers in the first place.

=> More information about this toot | More toots from lol@discuss.tchncs.de

Written by N0x0n@lemmy.ml on 2024-10-20 at 08:42

I guess it’s all a question of point of view and reference point. 💁 I can’t argue against your opinion on the other side.

I do agree though that from this point of view it also makes sense.

=> More information about this toot | More toots from N0x0n@lemmy.ml

Written by hendrik on 2024-10-19 at 23:47

I wouldn't download / update until this gets resolved. Or maybe look for alternatives.

=> More information about this toot | More toots from hendrik@palaver.p3x.de

Written by fl42v@lemmy.ml on 2024-10-20 at 06:04

So, the “last update” was built from ac41318, since then there were exactly 2 commits:

Both do not immediately look malicious. So, either the release is poisoned (in which case you can build it from source and see if it’s still detected), or the repo was poisoned before, and the payload didn’t activate until those changes, or AVs decided to crack down on random shit running their code in other law-abiding processes’ address space 🤣

=> More information about this toot | More toots from fl42v@lemmy.ml

Written by Scary le Poo on 2024-10-20 at 08:06

It’s a dll injection. Of course it gets flagged as a virus, because technically it is. That doesn’t mean that it is malicious.

Here is an example… On paper, reshade is a horrifically dangerous piece of software. It doesn’t get flagged only because it is well known and virus scanners have an exception for it.

Any of these geniuses stopped to think that Spotify changing its code and altering the way that it interacts with the dll could result in more “detections”?

=> More information about this toot | More toots from Scary_le_Poo@beehaw.org

Written by Kissaki@lemmy.dbzer0.com on 2024-10-21 at 16:59

Seems strange that the dev seems to be keeping quiet on this, no?

Which one? The repo owner certainly doesn’t seem very active in general.

=> More information about this toot | More toots from Kissaki@lemmy.dbzer0.com

Original URL
gemini://mastogem.picasoft.net/thread/113336043423873062