This kind of analysis is basically an extension of "malware X likes ice cream, therefore anyone who likes ice cream is malware X".
(In fact this can be said for most malware analyses, considering the amount of false positives they tend to generate for, not just XY, but all kinds of safe programs.)
XYplorer uses some system calls and other functionality to do some stuff that is often used by certain types of malware, so the analysis lumps XY into the malware category without further consideration, completely ignoring the fact that the same actions are completely valid for a file manager.
The majority of that site's "Suspiciousness indicators" result from this.
For example, XY has to use many API calls that read, search, touch or modify all kinds of files; par for the course as a file manager. Now, the same calls are commonly used by malware for finding files to infect. But these two use cases are obviously completely different, and this is no reason to call XY malware.
Take this assessment for example, "Spreading: Opens the MountPointManager (often used to detect additional infection locations)" -- often used to detect additional infection locations, yes, but also often used to discover files so that a file manager can manage them.
Also, the majority of the "Maliciousness indicators" are simply malware detection reports by external antivirus software. All of these are simply false flags. AV updates fix these within hours, but a detection report already made before the update doesn't update to reflect the update, unfortunately.
Especially, marking "Contains native function calls" as an unusual characteristic is just absurd. Practically nothing can work without native functions. Common programming libraries simply abstract away the need to use such functions directly, but Don has to use many native functions because their equivalents don't exist in classic Visual Basic.
The only suspicious information is the invalid signing certificate, but I think this is because the version sent for analysis was a beta release, or an old version. Stable releases of XYplorer are always signed with a correct certificate, but Don skips this for beta releases, because the signing process is probably cumbersome and/or costly.
By the way, most of the 15 points are not bad, but only suspicious. Suspicion alone doesn't convict.
----
And also, here's the report for the latest stable 20.20.0000. It's down to merely suspicious status, so, good for them.