Detected: PUA:Win32/Vigua.A

Started by ee21q, September 06, 2024, 04:40:12 PM


ee21q

Hey! Sorry to ask a noob question. I looked around here but didn't see this mentioned. I am running Windows 11. I just downloaded the PC zip from the site and Windows Security flagged this as a threat: PUA:Win32/Vigua.A

Doing a search online didn't turn up much other than saying this could be a threat.

Can anyone tell me what's up? Is this a virus in the download? Should I remove it? Is this a part of the software and therefore safe or benign?

Thank you!

Robert Fraser

The Windows installer has been virus-checked by Trend Micro anti-virus and that shows up no threats; the same applies to the various Soundshaper downloads on my site. As you'll appreciate, it's not practical to install more than one virus checker, but I'd be glad if other users were to flag up any threats their particular anti-virus software has detected, so that these can be followed up.  It is marginally possible that there could be a virus, but I'm inclined to suspect this is a false positive. When I run a new copy of Soundshaper on Win10, Trend immediately thinks it's found a threat, because the program is deleting files - of course it is, they're temporary soundfiles!

Ultimately, the user must make up their own mind about the safety or otherwise of this software which is supplied "as is". There's certainly no intention to spread viruses.

ee21q

Hi Robert-

Thank you so much for replying! Of course I never thought a virus or similar could be placed intentionally. I am inclined to trust the software and the page, plus running the download URL through VirusTotal flagged nothing but safe verifications from dozens of trusted sites. I was trying to play it safe, and I feel better having your response. I've been itching to use the software! I will try again.

Thank you!

Robert Fraser

Hi,
It's always better to be safe than sorry. I'll just add that if by any chance there IS a virus in my machine, it's certainly not done any damage so far. Not to my files anyway. Also, I develop Soundshaper on a separate PC that is never connected to the internet, to keep it as clean as I can.

Robert

ee21q

Hi Robert!

Ok thanks for your continued support on this.

I downloaded the full windows zip again, same threat got flagged, which makes sense, so I decided to run the file itself through VirusTotal. I think these links are static, so here are the reports for the full windows zip, the lite windows zip, and the mac:

Full: https://www.virustotal.com/gui/file/ef2903e12683197ef066b2316965e9e7aa9e51392597a47a46cfd5278ad3edc9/detection

Lite: https://www.virustotal.com/gui/file/3c21d7d39daf4bbea85bd25831af6c7c4c399d8a5ed6c398c2fbbe984d330cd7

Mac Full: https://www.virustotal.com/gui/file/e3326d1354f449ce7069fe616e2d6d552d798a922b246fea9b2e3f424d0af36f

(LMK if those links don't work or if I inserted them incorrectly)

You are the developer, I do trust you. I merely want to share my findings so you can either dispel or investigate if needed. Based on the reports (and maybe they are false positives), I feel best with the Mac install, which had no flags.

I am committed to using this software! I hope I can help in some way, not hinder, bother, or annoy.

Best

Robert Fraser

Thanks for this analysis. We'll try to follow these up. Two thoughts though: (1) I've not heard of any of the programs that found fault with the files - all the well-known anti-virus packages seem to pass them. (2) it's hard to believe that the Lite zip would be seen as more malicious than the full one, though, given that it has far fewer files - it's exactly the same as Full less the CDP Documentation, so that doesn't add up somehow.

ee21q

Hi! Yes I agree that the Lite shouldn't have even more flags. I scanned it as a comparison and assumed it would have less or nothing. But to your original point, could all be false positives. Truth be told, I am using a work laptop, hoping to mess around on my down time, so I'm playing it safe not to hose up my machine! But I have a Mac laptop and over the weekend I want to get this going on that machine. Again thank you for the time and support!

edit: re-read your reply and yes I see now that places like Kaspersky and McAfee and many others all passed it as safe. So that is significant.

rwdobson

To add a little more to this important investigation:

The reference to "PUA..." in the Sophos instance is explained by them here:

https://support.sophos.com/support/s/article/KBA-000004926?language=en_US

I find it interesting (not least as I used Sophos for all AV checking when I had a free account through Bath University; I now use McAfee) that they refer to their "Deep Learning" system. This is of course the modern AI approach, which is by its nature statistical, rather than the "conventional" AV paradigm of comparing against a database of known threats. On that page "PUA" means "Potentially Unwanted Application" (especially in the context of a "business network") - which looks to me remarkably like the Gatekeeper system on the Mac for checking uncertificated downloads - and for which we document a standard workaround.

We are of course continuing to look at this, and will report here as and when.


ee21q

ooooo this is fascinating! I had not even considered that a "deep learning" approach was being used in detection nor how much it departs from the "conventional" approach. It makes sense to want to be able to catch a threat before it is known, but on the other hand you get this which I pulled from that support doc you linked: "However, due to the algorithmic nature of machine learning, it's not possible to identify why a false positive may have occurred."

Which seems important to our discussion here. There is a clear tradeoff between security (or sense of security) and control or even knowing. I am very interested to learn more!

Robert Fraser

We think the AV software is probably reacting to the self-extracting exe used for setup. I looked at the individual exe files inside the distribution and a random selection of the CDP ones scored completely "clean", as did Soundloom. Soundshaper.exe upset just one of the AV programs, which saw it as a PUP - Potentially Unwanted Program (same as PUA).

We'll probably switch to a disk-image ISO or a plain zip file, but this will mean revising the installation notes, which can't be done until after next week.  I'll post again when completed.
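
The two checks discussed in this thread, confirming that a downloaded archive is the same file a VirusTotal report describes (the 64-hex-digit path segment in a VirusTotal file URL is the file's SHA-256) and hashing the individual executables inside a zip so each can be looked up separately rather than judging the whole self-extracting installer, can be scripted. The following is an added example and not code from the forum, Soundshaper or CDP; the zip it builds is a constructed sample with made-up member names, not the real download, and the report URL it checks is derived from that sample's own hash.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, Optional

# Constructed sample archive (NOT the real CDP/Soundshaper download): two
# members that begin with the DOS/PE "MZ" magic and one plain text file.
SAMPLE_MEMBERS = {
    "CDPR8/_cdprogs/modify.exe": b"MZ" + b"\x90" * 64 + b"This program cannot be run in DOS mode",
    "CDPR8/Soundshaper.exe": b"MZ" + b"\x00" * 32,
    "CDPR8/readme.txt": b"Plain text, not an executable\n",
}


def build_sample_zip(members=SAMPLE_MEMBERS) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A VirusTotal file-report URL carries the file's SHA-256 as its path segment.
VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")


def hash_from_vt_url(url: str) -> Optional[str]:
    """Extract the SHA-256 embedded in a VirusTotal file-report URL, or None."""
    m = VT_FILE_URL.search(url)
    return m.group(1).lower() if m else None


def matches_vt_report(archive_bytes: bytes, vt_url: str) -> bool:
    """True only if the local bytes are identical to the file the report describes.

    A report is meaningless for a download that differs by even one byte, so
    verify the hash before relying on the verdicts shown on the report page.
    """
    expected = hash_from_vt_url(vt_url)
    return expected is not None and sha256_hex(archive_bytes) == expected


def hash_executables_in_zip(archive_bytes: bytes) -> Dict[str, str]:
    """Map every member that starts with the 'MZ' magic to its own SHA-256.

    Per-file hashes let you look up each program on VirusTotal separately,
    instead of attributing a verdict on a self-extracting wrapper to every
    file it contains.
    """
    out: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                data = fh.read()
            if data[:2] == b"MZ":
                out[info.filename] = sha256_hex(data)
    return out


if __name__ == "__main__":
    archive = build_sample_zip()
    # Assumed report URL built from the constructed archive's own hash, so the
    # positive path can be shown offline.
    url = f"https://www.virustotal.com/gui/file/{sha256_hex(archive)}/detection"
    print("archive matches report:", matches_vt_report(archive, url))
    for name, digest in hash_executables_in_zip(archive).items():
        print(f"{digest}  {name}")
```

To use it on a real download, replace the constructed archive with the bytes of the zip you fetched and the assumed URL with the report link; a mismatch means the report is for a different file than the one on your disk, and the per-member hashes are what to search for when deciding whether a flag belongs to the installer wrapper or to a specific program.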

Robert Fraser

Having looked into this question a bit further, it seems clear that the self-extracting installer for CDP (PC version) has triggered false positives in some anti-virus software. In response, we've created zip-file alternatives: the "FULL" zip includes the offline CDP documentation, while the "LITE" zip is the same but without the documentation (which can be accessed online).  In addition, there is a Soundshaper-only version. These files can be downloaded from here: www.soundshaper.net/dloads.html#CDPZIP 

In each zip, there is a folder CDPR8 which contains everything you need and should be copied to a location of your choice (with a few caveats) and can be renamed as you wish. The CDP programs themselves are housed within a subfolder _cdprogs where they must remain for the correct operation of either GUI.

ee21q

Wow thank you so much for taking the time to look into this and address my concerns! I've gone ahead and installed the software safely on my machine!!! Thank you!!