False positive?

[Barlow]

I just downloaded the new version of Sigil for Windows (Sigil-2.3.1-Windows-x64-Setup) directly from the official website, before installing it I checked it with VirusTotal and I got a Bkav Pro alert.
Then I downloaded the previous version (Sigil-2.3.0-Windows-x64-Setup) and I didn't get any alert when I checked it. Is it a false positive or a corrupted file?
The VT links are:
Here the alert is shown
Version 2.3.0
Ps. Sorry if this is not the place to ask this question, I am new to everything related to forums .

[DiapDealer]

It's a false positive. If you're concerned, install Sigil using winget (built into Windows) or Chocolatey. They use the official Sigil installers, but they do their own scanning and vetting. Windows lends a lot of trust to programs installed via those methods.

From an admin prompt (install for all users):
winget install -e --id Sigil-Ebook.Sigil --scope machine

Or to install for only the current user (no admin needed):
winget install -e --id Sigil-Ebook.Sigil --scope user

Sigil 2.3.1 has passed winget and Chocolatey's anti-malware scans with no problems.

They both also verify checksums before installing to make sure packages have not been altered since they were uploaded.

NOTE: not sure why Bkav Pro changed their mind from when Chocolatey tested v2.3.1
https://www.virustotal.com/gui/file/...b32-1725813282

To be thorough... the Sigil-2.3.1-Windows-x64-Setup.exe binary on Github (where the sigil-ebook.com website's download buttons point to) is the same binary that I uploaded on Sep 6. I always save a local sha256 checksum just in case both the binary asset AND the uploaded checksum file should ever become compromised.

[DiapDealer]

It appears that Bkav Pro does not have a very good track record at all with its heuristic W32.AIDetectMalware detections.

[Barlow]

I see, thank you very much for clearing up the doubt!

[DiapDealer]

Also keep in mind that one positive out of 68 checks is almost always indicative of a false positive.

[DiapDealer]

Welcome to the forum, by the way. You found the exact right spot to ask your question!

[Capricorn]

As to winget for installing: if you prefer a graphical interface for this, you could use UniGetUI - see https://www.marticliment.com/unigetui/

Works very nicely.

[DiapDealer]

Quote:

Originally Posted by Capricorn

As to winget for installing: if you prefer a graphical interface for this, you could use UniGetUI - see https://www.marticliment.com/unigetui/

Works very nicely.

I use that myself. It takes a bit up front to determine what you might want to ignore, or what you might need to freeze versions on, but I agree: it does quite well.

It also has the added bonus (or curse, depending on how you look at things!) of being able to be the gui manager for the Chocolatey and Pip (python) repositories, too. They can be disabled pretty easily if you don't want them.

I'm going to try and put together a down and dirty manuscript of how to Install/Update/Remove Sigil and PageEdit (as well as a guide for general querying of local installs and remote availability). Probably from the command line to start.

----------------------------------------------------

Winget is going to be my official recommendation for safely and securely installing Sigil and PageEdit from now on. Because ...

Getting a code signing cert for my Windows installers is just not in the cards, I'm afraid. The expense is the least of the difficulties (though that's bad enough). Not many companies even sell certs to individuals, and even if they do, they don't sell the EV level to individuals. Which means that users can still get scary warnings about unsafe downloads (until enough people download it). So what's the point? I'm not comfortable paying into a protection racket just to remove the "Unknown Publisher" warning. And that's all I'd be guaranteed with a personal code signing cert. Creating a legal organization entity for Sigil-Ebook in order to get an EV level signing cert would be even more hoops to jump through. That's not in the cards for what Kevin and I do as a hobby.

Winget removes the Unknown Publisher warning for free, because they (and "they" is Microsoft by the way) do their own scanning for malware, and do checksums to make sure the downloads have not been tampered with since they were submitted. So no scary warnings when you download/install with winget. Sigil updates are typically available on winget within days of a new release.