Viewing Trojan Warning on Our Rar/Zip Files, All False Positives

Mar 26, 2023

TLDR: Read the comments for updated information. This problem started in 2020 and disappeared shortly after; it has now appeared again in 2023.

IT IS ALL FALSE POSITIVES. THERE ARE NO VIRUSES IN ANY OF OUR FILES.

Windows Defender was patched in December of 2020 and they added some kind of protection that started giving false positives on password-protected rar/zip archives. When googling the issue I can find several people who are having issues with false positives “Conteban.A!ml” on rar/zip archives.

Here’s an example of a file that Windows Defender thinks contains “Conteban.A!ml”, but according to the much better scanner VirusTotal.com the file contains no viruses: https://www.virustotal.com/gui/file/94007a3cbbb092d7b53af93c1f3b55b51d8b3e333d8c5115afe9e50e50358512/detection

When taking this “infected” file into a sandbox and running some analysis on it, there’s nothing going on inside the rar archive. Also, when unpacking the file and re-packing it using the exact same data that was inside the “infected” archive, the archive is no longer infected according to Windows Defender. For whatever reason, Windows Defender is seemingly flagging random password-protected rar/zip archives as “Conteban.A!ml” even though there’s nothing out of the ordinary with these files.

This is obviously very annoying to both our downloaders and us, but we have no control over what Windows does with their Defender system. I don’t expect anyone to run files that are flagged as trojan and neither should you; always delete these files no matter where they come from to be 100% safe. But if you find a file from us that is flagged as trojan, please let us know in the comment field below where the file was posted and we’ll investigate and fix new files for you to download. Hopefully Windows Defender will get its shit together soon.

TLDR:
* Windows Defender was updated in December 2020 and started giving false positives on random password-protected zip/rar files.
* None of the files we are hosting are infected; these are all false positives.
* Please let us know if you find files that are flagged as trojan and we’ll fix them.
* Hopefully Microsoft will patch whatever incompetence they added to Windows Defender at the end of 2020 so we don’t have to deal with this in the future.
* Update 2023-03-18: It appears Microsoft cannot fix the false positive issue; it is most likely related to an archive being password protected. We guarantee that all our archives are 100% safe and contain nothing but either images or video files.
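
The re-packing test above can be told apart from actual tampering by comparing the archive container and its entries separately. Added example, not part of the original post: it covers ZIP only (the Python standard library has no RAR reader), the sample archives are constructed in memory, and the function names are hypothetical.

```python
import hashlib
import io
import zipfile


def make_zip(files, date_time):
    """Build a constructed sample archive in memory (not a real download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), content)
    return buf.getvalue()


def entries(data):
    """Name, size and CRC-32 of each entry, read from the central directory.

    Standard ZIP encryption leaves this directory readable, so no password
    is needed (AES-encrypted entries may store a CRC of 0).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sorted((i.filename, i.file_size, i.CRC) for i in zf.infolist())


def password_protected(data):
    """True if any entry has general-purpose flag bit 0 (encrypted) set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(i.flag_bits & 0x1 for i in zf.infolist())


def compare(flagged, reference):
    """Classify how a flagged archive relates to a trusted reference copy."""
    if hashlib.sha256(flagged).digest() == hashlib.sha256(reference).digest():
        return "byte-identical"
    if entries(flagged) == entries(reference):
        return "same entries, different container"
    return "different entries"


# Constructed sample data standing in for media files; timestamps are arbitrary.
MEDIA = {"clip.mp4": b"constructed video bytes", "cover.jpg": b"constructed image bytes"}
ORIGINAL = make_zip(MEDIA, (2020, 12, 1, 12, 0, 0))
REPACKED = make_zip(MEDIA, (2023, 3, 18, 12, 0, 0))  # same data, new timestamps
ALTERED = make_zip({**MEDIA, "clip.mp4": b"something else"}, (2020, 12, 1, 12, 0, 0))

if __name__ == "__main__":
    for label, other in (("offline copy", ORIGINAL), ("repack", REPACKED), ("altered", ALTERED)):
        print(f"{label:12} -> {compare(other, ORIGINAL)}")
```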

15 comments

  1. Noobian says:

    Sounds about right. Have never and will never trust Windows Defender.

  2. JackBlack88 says:

    For a multi-million (billion?) dollar company, they sure do produce some shitty products.

  3. drunkmonk3000 says:

    Thanks for explaining this. Can’t imagine what a headache this must be for you with . . . thousands? tens of thousands? . . . different password-protected *rar files being served.

  4. Anonymous says:

    Could it be a server related issue with k2s, hackers occasionally targeting files downloading from the site? Truly out of my depth but sounded plausible.

    • The Collector says:

      I already investigated this plausible cause and it's not the problem. I can rar/zip a file and scan it and it will be perfectly fine, then 10 days later, whenever the Defender definition updates, the file is suddenly flagged as a virus (sometimes, not always). And the file has been stored offline, so there’s no one that could have been changing the source file. So it's the Defender updates that make a file that previously was not flagged as a virus be flagged as a virus.

      My somewhat educated guess is that because Windows cannot open password-protected rar/zip files, they have added some very bad ways of detection. Something like file size is a probable cause, because only files that are in the sub-200 MB range have been flagged so far; the smaller the file, the more risk it appears. This is most likely due to the fact that actual viruses that are being spread via rar/zip archives are generally very small files, and my guess is that Defender saves the checksum/file size of each file that was caught being a virus, and if one of our password-protected zip/rar files matches the exact file size of a previous file that Defender caught having a virus, it just auto-flags the file as a virus to be on the safe side.

  5. The Collector says:

    I am bumping this years-old post again, because it seems Windows Defender has had another bad update where it now randomly flags password-protected archives as viruses. There's absolutely nothing we can do about this shitty behavior except give our guarantee that there are no viruses in any of our archives, only pictures or video files.

    The fact that a billion dollar company is doing such a terrible job with their product blows my mind, but I am not surprised; the more bloated a company becomes, the less focus comes to the actual product.

  6. SassyStacy says:

    I used Defender on my first laptop and it deleted part of itself saying it was a virus. Typical Microsoft.

  7. bobpar says:

    Thanks for the update, I had a false flag a few days ago, but it was from a VIP chat download. Remember that links in VIP chat do not carry The Collector’s guarantee, however VIP chat is full of trusted folks willing to help out and keep each other safe so reach out there if you have issues or concerns!

  8. Anonymous says:

    windows is a CIA operative

  9. Anonymous says:

    Conteban.A!ml sounds a lot like contraband, so maybe the files are getting flagged based on content.

  10. The Collector says:

    Bumping this post again because we’re getting bombarded by people having windows shitdefender screaming about trojans in rar files that only contain pure video or picture files.

    1. Windows Defender is horrible.
    2. It's all false positives; you can literally save the file and wait 2 weeks and suddenly the file that previously was a “trojan” is no longer a trojan. It comes and goes at complete random because Windows Defender updates its definitions automatically, and it appears that with a recent patch they fucked something up again, making it give a massive amount of false positives on rar archives that are password protected.
    3. There is nothing we can do about this. We cannot call Windows and tell them to fix their shit because some porn website is getting flagged as false positive; they don’t give a single fuck. They have to eventually fix their problem and they probably will, just like they did in 2020 when this problem first appeared; then it disappeared for a few years and now we are back in the saddle again.

  11. Anonymous says:

    Seems like Webroot is doing the same thing.

    • The Collector says:

      Many of these operate from the same blacklist and hashlist; it's kinda the way they operate. It's unfortunate that it seems very difficult for these anti-malware tools to function properly on archive files they cannot scan since they don’t have the password for them.

  12. Anonymous says:

    May files have been intercepted, opened, and repacked with a virus upon downloading?
    Honestly, when I say that out loud that does NOT sound very plausible. Wasn’t rhetorical, though. But yeah, the cross examination and testing does seem to confirm something is not right with Defender then.

    • The Collector says:

      I thought about this already, but since I also store all files we uploaded locally on an offline NAS network, I compared the file hash of a file we uploaded that was then flagged as a virus vs the file that was stored offline in a vault, and the file hash is the same, so no modification took place in between. And the file that was stored offline was also suddenly flagged as a trojan. It's all false positives; it's rooted in the fact that the antivirus does not have the password to the file, so it's very limited in what it can do to determine if it's a virus or not, since it has no way of knowing what's inside the file.
