Virustotal alerts for 7.1.0 and 7.1.1 releases

[lucas-koehler]

Dear Yubico team,

in a routine procedure before using a new binary, I uploaded the latest Linux releases 7.0.0, 7.1.0, and 7.1.1 to https://www.virustotal.com/. This runs over 60 malware scanners. Note that I don't have any reason to believe that anything shady is going on.

Here, I discovered that the 7.1.0 and 7.1.1 releases got flagged by 3 respectively 4 scanners while 7.0.0 did not raise any concerns.

While I do believe they are false positives, please have a look what could have caused this. Maybe there were some (transitive) dependency updates containing code that could be viewed as malicious?

Scans

No flags for yubico-authenticator-7.0.0-linux.tar.gz : https://www.virustotal.com/gui/file/ec6bdca21ffabb0565d0d63f3e5525953dbb98b7ac2263bacea3770a18555ee5

3 flags for yubico-authenticator-7.1.0-linux.tar.gz: https://virustotal.com/gui/file/c06e8dbe854d34370bba85f169d8ae88864c3e046875ff783557fb259d477837

4 flags for yubico-authenticator-7.1.1-linux.tar.gz: https://www.virustotal.com/gui/file/f553503a810ded105254d4b537434d4870657c5240bf43c1a47afae798ace3f2/detection

[lucas-koehler]

yubico-authenticator-7.1.1-win64.msi: 2 flags: https://www.virustotal.com/gui/file/504cf110520ad3a580d4d8e0d4c5130f9993a7cec3b7ae061b5af6a42cea9e79

yubico-authenticator-7.1.1-mac.dmg: 2 flags https://www.virustotal.com/gui/file/142b7fbdfe3a49f6e9c23f8951243e829ee082acd209d12f15ac2df8e48e4969

[dainnilsson]

Hi.
We are aware of the false positive flagging by some of the AV vendors included in VirusTotals scans. Unfortunately there is not much we can do aside from contacting the vendors for each case to report the issue, which we regularly do. Sometimes this leads to them addressing the false positive, sometimes it doesn't.