I've been using XYPlorer for about 10 years. I'm trying to help a colleague who would benefit from using it. His corporate IT says XYPlorer is too much of a risk, based on this web site:
https://www.reverse.it/sample/1d4499d69 ... mentId=120
The web site lists about 15 things that are bad about XYPlorer, and since I have zero experience in computer security, I understand none of them. The attached .png file shows a summary.
Any suggestions on how to respond?
thanks for your time,
John
Corporate IT says XYPlorer is malware, how to respond?
Attachment: XYplorer stuff.png
Re: Corporate IT says XYPlorer is malware, how to respond?
This kind of analysis is basically an extension of "malware X likes ice cream, therefore anyone who likes ice cream is malware X".
(In fact this can be said for most malware analyses, considering the amount of false positives they tend to generate for, not just XY, but all kinds of safe programs.)
XYplorer uses some system calls and other functionality to do some stuff that is often used by certain types of malware, so the analysis lumps XY into the malware category without further consideration, completely ignoring the fact that the same actions are completely valid for a file manager.
The majority of that site's "Suspiciousness indicators" result from this.
For example, XY has to use many API calls that read, search, touch or modify all kinds of files; par for the course for a file manager. Now, the same calls are commonly used by malware for finding files to infect. But these two use cases are obviously completely different, and this is no reason to call XY malware.
Take this assessment for example, "Spreading: Opens the MountPointManager (often used to detect additional infection locations)" -- often used to detect additional infection locations, yes, but also often used to discover files so that a file manager can manage them.
Also, the majority of the "Maliciousness indicators" are simply malware detection reports by external antivirus software. All of these are simply false flags. AV updates fix these within hours, but a detection report already made before the update doesn't get updated to reflect it, unfortunately.
Especially, marking "Contains native function calls" as an unusual characteristic is just absurd. Practically nothing can work without native functions. Common programming libraries simply abstract away the need to use such functions directly, but Don has to use many native functions because their equivalent doesn't exist in classic Visual Basic.
The only suspicious information is the invalid signing certificate, but I think this is because the version sent for analysis was a beta release, or an old version. Stable releases of XYplorer are always signed with a correct certificate, but Don skips this for beta releases, because the signing process is probably cumbersome and/or costly.
By the way, most of the 15 points are not bad, but only suspicious. Suspicion alone doesn't convict.
----
And also, here's the report for the latest stable 20.20.0000. It's down to merely suspicious status, so, good for them.
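The reply above singles out the signing certificate as the one indicator worth checking (beta builds unsigned, stable releases signed). Added example, not code from the thread or from XYplorer: a PowerShell check that reads the Authenticode signature of a downloaded build so the stable/beta distinction can be shown to IT directly rather than argued from a sandbox report. The file path and the expected signer name are placeholders you supply.

```powershell
# Added example (not from the thread). Verifies the Authenticode signature of a
# downloaded build and reports the signer, so an unsigned beta ("NotSigned") can be
# told apart from a properly signed stable release ("Valid").
# Assumptions: $Path and $ExpectedSignerSubstring are placeholders chosen by the caller.
function Test-ReleaseSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,                    # e.g. .\XYplorer.exe (placeholder)
        [Parameter(Mandatory)] [string] $ExpectedSignerSubstring  # part of the vendor's cert subject (placeholder)
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    # An unsigned file has no certificate object at all; guard before touching it.
    $subject = if ($cert) { $cert.Subject } else { '(unsigned)' }

    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        StatusText  = $sig.StatusMessage   # human-readable explanation of Status
        Signer      = $subject
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        # Only trust it when the chain validates AND the signer is who you expect.
        SignerMatch = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSignerSubstring*")
        # File hash to quote back to IT alongside the report they are citing.
        Sha256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

# Usage (placeholders): compare a stable release against a beta build side by side.
Test-ReleaseSignature -Path '.\XYplorer-stable.exe' -ExpectedSignerSubstring 'VENDOR-NAME-PLACEHOLDER' | Format-List
Test-ReleaseSignature -Path '.\XYplorer-beta.exe'   -ExpectedSignerSubstring 'VENDOR-NAME-PLACEHOLDER' | Format-List
```

A `Status` of `NotSigned` on the beta and `Valid` with the expected signer on the stable release is exactly the pattern the reply describes; `HashMismatch` on either would be a real reason to stop and investigate.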
Re: Corporate IT says XYPlorer is malware, how to respond?
Thank you for the time spent on a detailed response. I hope the metaphor about ice cream will prove more effective with this IT department. It seems a lot of their "research" is just what they find on Google.
Best regards,
John
Re: Corporate IT says XYPlorer is malware, how to respond?
If a report on that website means a file is malware, I have some bad news for anyone who has ever used Internet Explorer...
https://www.reverse.it/sample/64ef39fd9 ... 55256eeac3