jonathandl
Active Contributor

GotoMeeting Opener.exe antivirus false positive

Hello.

 

When I was recently invited to a GotoMeeting I was prompted to download a GotoMeeting Opener.exe file.  As part of security best-practices I upload any executable file, even from reputable sources, to either virusscan.jotti.org or virustotal.com.

 

When I uploaded the GotoMeeting Opener to VirusTotal, 2/72 antivirus engines report the program is infected:  Antiy-AVL reports it is infected by Trojan/Win32.Tiggre, and Cylance reports it is unsafe.

 

Here is a permalink to the VirusTotal results:

https://www.virustotal.com/gui/file/f37bfb2d2a12fbfbce988c1f0a7722e9a20e40d1b8a0a942a57a0490ed353356...

 

Assuming this is a false-positive detection, can somebody from the company please report this to the 2 antivirus vendors in question?  You should be able to reproduce this problem by uploading your own software to virustotal.com.

 

Thank you.

jonathandl
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Hash of gotomeeting opener.exe has changed, but problem is still occurring.

https://www.virustotal.com/gui/file/f14a0c9da1072972d31bb919c5fbc25c369bc3e22b0bfa64f3a9047d81480b37...
Eddie3
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Our experience has been the hash changes each time you download the file so it is not possible to take any action due to the poor design of the application.   ANY other application that was flagged as being bad by antivirus could have the hash shared by the vendor and then you could whitelist it.  One would THINK you could install the MSI installer and then use the app installed to join a meeting by ID, but it still insists on shoving the opener program on you.

 

Options I know about:

  1. You whitelist the software by its certificate in your AV solution if you trust LogMeIn to not be compromised by a bad actor who infects their software to attack you by way of a trojan.  
  2. Use the Chrome option to attend
    1. Locate the confirmation email
    2. Right click on the join webinar button and copy the hyperlink
    3.  Add the parameter ?clientType=html5 to the end of the join URL from Step 2
    4. Copy the entire new URL with the newly added parameter
    5. Paste the new join URL in Chrome to join through the web browser
jonathandl
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Thank you for your reply.  I have no problem opening the app, so there is no need for me to whitelist it... my point was simply to make LogMeIn aware that one of the VirusTotal scanners is detecting their program as suspicious, so they can take appropriate corrective action (either by fixing their software or telling the antivirus vendor to fix the detection).

jonathandl
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

I just re-checked, and now exactly one VirusTotal scanner (Cylance) detects the GotoMeeting opener .exe file as unsafe:

 

https://www.virustotal.com/gui/file/660cc5d427d2defdd1641f84f5159dae4f48bb39678cc1ca909ef3795d291c78...

AshC
LogMeIn Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Hello,

We believe that Cylance is using a variation of the Windows executable format that may not be the industry standard, and thus causing this confusion.  The hash of our signed GoTo Opener exe should only change every 6 months or so.

What I would suggest doing is filing a report with Cylance support to see what can be done from their side of things.


jonathandl
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Thank you for your reply.  I think that you as the software vendor would be in a better position to open a ticket with Cylance as I am not their customer.

 

In fact the GotoMeeting software works perfectly fine in my environment; I'm a customer of a customer of GotoMeeting whereas I'm a free user of VirusTotal and am not a direct user of Cylance at all.  I just happen to use VirusTotal to screen programs (such as yours) that I download in case I accidentally typed the download URL wrong.

AshC
LogMeIn Contributor

Re: GotoMeeting Opener.exe antivirus false positive

@jonathandl Here's their contact page, we don't generally reach out to security vendors ourselves unless there's a provider specific to certain OS:  https://www.virustotal.com/gui/contact-us 

Eddie3
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

Um, you are incorrect on the hash not changing for 6 months. The hash changes every time you download the file.   As a paying customer for your products, I spent HOURS on the phone with various persons trying to get LogMeIn's attention LAST YEAR.  I was told the product was designed to change the hash each time it was downloaded, but no one seemed to know WHY.  I was told someone would call me back, but days, weeks, months later no one did.  I resolved our drama by whitelisting programs signed by your company, but I held my nose doing it.

 

Don't just take my word for it:

  1. Build a virtual machine running Windows and leave off any security software.
  2. Schedule a webinar on your regular PC and start the webinar on your regular PC.
  3. On the VM without ANY security software, visit gotowebinar.com and join the webinar using the 9 digit code.
  4. Download the Goto Opener.
  5. Download the Goto Opener a second time.
  6. Calculate the hash for each file...you will see they are DIFFERENT each time you download.

certutil -hashfile  "GoToWebinar Opener-1.exe" SHA1
SHA1 hash of GoToWebinar Opener-1.exe: 8c8697d3a2b7a4676df065040992bcfa5ed9670f
certutil -hashfile  "GoToWebinar Opener-2.exe" SHA1
SHA1 hash of GoToWebinar Opener -2.exe: 753328e7eb829df3a99b7d20f378882e73f3b9f1
CertUtil: -hashfile command completed successfully.
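
Added example, not part of any post in this thread and not LogMeIn's code: a whole-file hash such as the SHA1 values above changes if any byte changes, while an Authenticode signature does not cover the CheckSum field, the Certificate Table directory entry, or the certificate table itself. The sketch below compares two downloads both ways to show whether they differ only in those uncovered regions; the thread does not establish which case applies to the Opener. It assumes the certificate table is the last thing in the file, uses constructed stand-in bytes instead of real downloads, and does not validate the signature.

```python
import hashlib
import struct

def cert_layout(pe: bytes):
    """Locate the fields Authenticode leaves out of its digest."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = nt + 24                                       # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]         # PE32 / PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:   # NumberOfRvaAndSizes
        raise ValueError("no Certificate Table directory entry")
    cert_dir = dirs + 4 * 8                             # directory index 4
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    return opt + 64, cert_dir, cert_off, cert_len       # opt + 64 is CheckSum

def signed_content_sha256(pe: bytes) -> str:
    """SHA-256 over the file minus the three regions the signature skips."""
    checksum, cert_dir, cert_off, cert_len = cert_layout(pe)
    end = cert_off if cert_len else len(pe)             # assumes table is last
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:cert_dir], pe[cert_dir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def compare_downloads(a: bytes, b: bytes) -> dict:
    return {
        "file_sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "signed_content_equal": signed_content_sha256(a) == signed_content_sha256(b),
    }

def constructed_pe(cert_blob: bytes) -> bytes:
    """Constructed stand-in for a download: minimal PE32 headers plus a blob."""
    body = b"constructed section bytes"
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, 88 + 224 + len(body), len(cert_blob))
    mz = b"MZ" + bytes(58) + struct.pack("<I", 64)
    return mz + b"PE\0\0" + bytes(20) + bytes(opt) + body + cert_blob

if __name__ == "__main__":
    print(compare_downloads(constructed_pe(b"A" * 16), constructed_pe(b"B" * 24)))
```

If `signed_content_equal` is false for two real downloads, the signed code or data itself differs between them. Signature validity and signer identity still have to be checked separately, for example with `Get-AuthenticodeSignature`.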

 

 

 

jonathandl
Active Contributor

Re: GotoMeeting Opener.exe antivirus false positive

I thought the reason the hash changes each time was because the meeting ID is somehow compiled into the code, i.e. it's "hard coded" into the .exe.  (I don't know why different instances of the program would be different if they were all for the same participant in the same meeting.)  Regardless, it doesn't affect me directly because our security software doesn't block it.  But it's security best practice to check downloads against virustotal.com and not run the program if it doesn't come back as clean.  Frankly it would make far more sense for LogMeIn, the vendor, to contact the engine vendor directly, rather than for me to contact VirusTotal, since neither VirusTotal nor I really have all that much to do with this, other than just passing information along.

 

If I wrote a program and sold it to the public then I would take pride in it and contact any antivirus vendor whose engine detects my product to find out why.