Antivirus Detections for MPF.Check.exe in x86 v3.3.0 – Possible False Positive? #796

Closed
opened 2026-01-29 16:22:25 +00:00 by claunia · 1 comment

Originally created by @edgarbeck on GitHub (Jan 25, 2025).

Originally assigned to: @mnadareski on GitHub.

Description:
I downloaded MPF.Check.exe from the official GitHub release [v3.3.0](https://github.com/SabreTools/MPF/releases/tag/3.3.0) and scanned it with VirusTotal. Several antivirus vendors flagged the file as malicious (e.g., Trojan or Stealer).

Could this be a false positive caused by the behavior of the executable? I’d appreciate clarification or guidance.


Details:

  1. URL: [Download URL](https://github.com/SabreTools/MPF/releases/download/3.3.0/MPF.Check_3.3.0_net9.0_win-x86_release.zip)
  2. VirusTotal Report: [Link to the report](https://www.virustotal.com/gui/file/4fc0b87e7c90fbec914ccbd583cd1b6aede1a1855e4074304bc47574bdc26b4c)
  3. Antivirus Flags:
    • Avast: Win32:Malware-gen
    • Kaspersky: HEUR:Trojan-Spy.Win32.Stealer.gen
    • Others listed in VirusTotal report.

Steps to Reproduce:

  1. Download MPF.Check.exe or MPF.Check_3.3.0_net9.0_win-x86_release.zip from release v3.3.0 ([link](https://github.com/SabreTools/MPF/releases/download/3.3.0/MPF.Check_3.3.0_net9.0_win-x86_release.zip)).
  2. Scan the file using VirusTotal.

Request:
Can you confirm if this is a false positive or provide insight into why these detections might occur?

Thank you for your time and all the work you put into MPF!

claunia added the bug label 2026-01-29 16:22:25 +00:00

@mnadareski commented on GitHub (Jan 26, 2025):

This is a false positive. Reasons it may have been falsely detected include:

  • Making calls to retrieve information from Redump if signed in (network calls)
  • The mention of "password" with regards to the above
  • Direct optical disc access in limited situations

All code is open and can be verified with the included publish script.


Reference: SabreTools/MPF#796