Local.exe identified as malware by WildFire antivirus Traps

Hi Flywheel,

I recently installed Local by Flywheel on my workstation. I’m running version 5.0.7+1117 on Windows 10. Soon after our security team reached out to me and let me know that Local.exe was identified by WildFire antivirus Traps.

Is this a known problem?

I can’t attach a PDF to this thread, so for the time being, I’ve copied the relevant section from the report and pasted it below for your reference.

Thanks! :slight_smile:

2.1. Suspicious File Properties
This file was statically analyzed and the table below lists the suspicious items that were found. The presence of these suspicious items caused the sample to be further analyzed in the virtual machine sandbox configurations listed in the tabs below.

  • Contains overlay data with high entropy: Entropy is a measurement of the randomness in data. Overlays with high entropy indicate encoded or encrypted data.
  • Contains overlay data: Overlay data is extra data appended to the end of a PE image. Many legitimate files, including all files that are digitally signed, contain overlay data. However, malware often uses overlays to embed encoded or encrypted data as well.
  • Contains sections with size discrepancies: Sections with a large discrepancy between raw and virtual sizes may indicate a packed or obfuscated PE file.
  • Contains non-standard section names: Standard section names are defined by the compiler. Non-standard section names may indicate a packed or obfuscated PE file.
  • Contains a TLS section: Thread-local storage (TLS) is normally used to manage data in multithreaded applications. However, it can also allow execution of code outside of the expected entry point of a PE file.
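The five static properties the report lists (overlay data, overlay entropy, raw/virtual size discrepancies, non-standard section names, a TLS directory) can all be read straight out of the PE headers. The script below is an added illustration, not part of this thread or of Local's code: a minimal PE32/PE32+ header parser with one check per heuristic, run over small PE images constructed in memory (a "packed-looking" sample, a clean one, and a signed-looking one whose overlay is low entropy). The entropy threshold, the discrepancy ratio and the allow-list of standard section names are assumptions chosen for the example; WildFire's actual thresholds are not published on this page.

```python
"""Static PE triage for the heuristics named in the WildFire report (added example)."""
import hashlib
import math
import struct
from collections import Counter

# Assumption: common linker-emitted names; not a definitive list.
STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                          ".pdata", ".rsrc", ".reloc", ".tls", ".CRT", ".debug", ".xdata"}
HIGH_ENTROPY_BITS = 7.0        # assumption; 8.0 is the maximum for byte data
SIZE_DISCREPANCY_RATIO = 4.0   # assumption: virtual/raw ratio that looks packed
IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS data directory (PE spec)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for encrypted/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes):
    """Return (section list, has_tls_directory) from the DOS/COFF/optional headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_offset = {0x10B: 96, 0x20B: 112}.get(magic)   # PE32 vs PE32+ data-directory offset
    if dd_offset is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", image, opt + dd_offset - 4)[0]
    has_tls = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_TLS:
        rva, size = struct.unpack_from("<II", image, opt + dd_offset + IMAGE_DIRECTORY_ENTRY_TLS * 8)
        has_tls = rva != 0 and size != 0
    sections, base = [], opt + size_of_optional
    for i in range(num_sections):            # 40-byte IMAGE_SECTION_HEADER entries
        off = base + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections, has_tls


def analyze(image: bytes) -> list:
    """Sorted list of the report's suspicious properties present in the image."""
    sections, has_tls = parse_pe(image)
    findings = set()
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay = image[end_of_sections:]         # anything past the last section's raw data
    if overlay:
        findings.add("overlay data")           # also true for Authenticode-signed files
        if shannon_entropy(overlay) >= HIGH_ENTROPY_BITS:
            findings.add("overlay data with high entropy")
    for s in sections:
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.add("non-standard section names")
        raw, virt = s["raw_size"], s["virtual_size"]
        if (raw == 0 and virt > 0) or (raw and virt / raw >= SIZE_DISCREPANCY_RATIO):
            findings.add("sections with size discrepancies")
    if has_tls:
        findings.add("TLS section")
    return sorted(findings)


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(sections, tls: bool, overlay: bytes) -> bytes:
    """Constructed minimal PE32 image; sections = [(name, virtual_size, raw_bytes), ...]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                               # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    if tls:
        struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_TLS * 8, 0x3000, 24)
    headers, body, raw_ptr, vaddr = bytearray(dos + b"PE\0\0" + coff + opt), bytearray(), 512, 0x1000
    for name, vsize, raw in sections:
        headers += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, vaddr, len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
    return bytes(headers.ljust(512, b"\0") + body + overlay)


def packed_sample() -> bytes:      # packer-style section, TLS callback, encrypted-looking overlay
    return build_sample_pe([(".text", 512, b"\x90" * 512), ("UPX1", 0x10000, b"\xCC" * 512)],
                           tls=True, overlay=_pseudo_random(4096))


def clean_sample() -> bytes:       # consistent sizes, standard names, no overlay, no TLS
    return build_sample_pe([(".text", 512, b"\x90" * 512), (".data", 512, b"\0" * 512)],
                           tls=False, overlay=b"")


def signed_like_sample() -> bytes:  # overlay present but low entropy: "overlay data" alone
    return build_sample_pe([(".text", 512, b"\x90" * 512)], tls=False, overlay=b"\0" * 2048)


if __name__ == "__main__":
    for label, img in (("packed", packed_sample()), ("clean", clean_sample()), ("signed-like", signed_like_sample())):
        print(label, "->", analyze(img) or "no suspicious properties")
```

Only the "packed" sample trips all five properties; the "signed-like" one shows why "contains overlay data" on its own is weak evidence, as the report itself notes. For a real file the same `analyze()` runs unchanged on `open(path, "rb").read()`, and a triage workflow would compare its output against the vendor's listed items before escalating.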

Hi Thomas,

Thanks for bringing this to our attention! Local is comprised of numerous products such as Electron, PHP, MySQL, Nginx, and more—there are sometimes false positives. We try to do our best at avoiding these.

Here is a recent scan I ran at VirusTotal with Local 5.0.7 to see how anti-virus scanners are treating it: https://www.virustotal.com/gui/file/ec93b0667973843ce713d82e35c7d1ed0ccb387fdaf97a4d34e7adf7dfae2e11/detection. It looks like Zoner is currently flagging it which may be what powers WildFire.

In the meantime, I have reached out to Zoner regarding the false positive.

Hi Clay,

Thank you for following up. I’ll pass this along to our security team.

Cheers,

Thomas

Hi Clay,

I did uninstall Local for the time being based on the recommendation of our security team.

I’d love to have it back, however, so please let me know if you are able to address the issue.

Thanks! :slight_smile:

Cheers,

Thomas

Hi Thomas,

Zoner immediately reached back and said that they will be working to remedy the false positive.

I will reach out to WildFire directly regarding this matter.

Thomas,

I just rescanned 5.0.7 on VirusTotal and Palo Alto Networks (makers of WildFire) along with Zoner are no longer showing any threats.

See https://www.virustotal.com/gui/file/ec93b0667973843ce713d82e35c7d1ed0ccb387fdaf97a4d34e7adf7dfae2e11/detection
