Antivirus Bitdefender identifies PhotoStructure as a Malware

Thanks for reporting.

I’ve had several beta users have reported issues with PhotoStructure on Windows when using third-party antivirus/antimalware packages.

Due to these false-positives, and the fact that these software packages have a history of security issues themselves, PhotoStructure on Windows is only supported when used with Microsoft Defender Antivirus.

Microsoft Defender Antivirus is the free and built-in antivirus for Windows 10 that was previously called Windows Defender.

I recommend all my Windows users get in the habit of using https://www.virustotal.com to scan any download. VirusTotal isn’t software you install: it’s a website that you drag the downloaded app onto, and it scans the app with some 50-odd virus scanners for free.

Here are the VirusTotal scans of the .7z installer package for v0.9.1 (one for the file, one for the URI):

https://www.virustotal.com/gui/file/79a48fc1f502b39262870a0b2b7a2e522a9558adc8f24361c51f2e6c411129b2/detection

https://www.virustotal.com/gui/url/5cd6976e22b9b61db9b3ef719bb052b0341c52cc6adc286ccb1526897151559f/detection

And for v1.0.0-alpha.7

https://www.virustotal.com/gui/file/7b8ccc38d6946ab46ad684149dfed3781421f3915169aa2525db606cb84ed904/detection

https://www.virustotal.com/gui/url/86532ec0e6c0da56d3582ee185b5781d0c93c4cd3105896ca872984ea0139110/detection

Someone else just reported this, and I figured I could give a bit more background on how I ensure PhotoStructure’s builds are as secure/free from malware as I can make them:

  1. I always update all of PhotoStructure’s dependencies and then run security audits (using snyk) to those dependencies right before a release. Electronegativity audits run against the desktop build, as well.

  2. The final windows distribution builds are done on computers that are, for the most part, off, and run full offline antivirus scans before builds.

  3. All binaries are signed with extended-verification code signatures.

  4. All code commits are GPG-signed, periodically re-verified, and pushed to multiple remote repos, to detect tampering on either repo.

  5. All git and related logins are protected via hardware tokens where possible, or 2FA.

  6. The windows installer now contains the full installer (version 0.9.1 and earlier used the “Web installer” feature of NSIS, which meant the installer was very small, and when run, downloaded the installable archive in the background). This means you can run virustotal on the installer and be assured you’re scanning the whole payload.

As always, if you see anything suspicious, better safe than sorry: please tell me and we can look at it together, but always have at least one backup, and preferably have at least one offline or offsite:

Another update: I just submitted the beta.3 windows build to virustotal, and (thankfully) all green:

https://www.virustotal.com/gui/file/2339dc191e4fbbf26974b192bd3b7c87a6b1511919fb5413569bb66d6162bfaa/detection

1 Like