Some of the VirusTotal results flag the installer as malicious

[jorgwonline]

Hi,

I would like to try FlexASIO, however, before i install new tools i have the habit of checking it first against 'www.virustotal.com' .
I noticed that 2 vendors indicate that installer exe file may contain malware/trojan.

What is your opinion on this?

[dechamps]

From past experience, it's quite typical for VirusTotal to randomly report a small number of false positives regardless of the file, especially for unpopular/obscure software. 2 out of 71 is basically nothing as far as typical VirusTotal reports are concerned, and is almost certainly caused by some overzealous heuristics in some antivirus software getting confused.

The FlexASIO installer that I publish is not even one that I built on my own machine; it's built by GitHub themselves through a GitHub Actions workflow, i.e. a build procedure that is transparent and publicly verifiable. I would normally suggest that you compare the hashes of the GitHub actions workflow output with the file you have so that you can prove to yourself that they're the same (as I suggested to someone else making the same complaint about another piece of software I wrote). However GitHub Actions outputs expire after 3 months, and FlexASIO 1.9 came out more than 3 months ago, so it's not possible to compare hashes for that particular executable sadly.

Given the installer was built through a GitHub Actions workflow, there are only two ways malware could have made its way into the installer: either the malware was included as part of the workflow, or GitHub Actions runners (which are run by GitHub, i.e. Microsoft) have been compromised and are silently including malware in workflow outputs. Any software engineer can rule out the former by looking at the workflow and the source code it's pointing to, and observing that there is no malware being included anywhere. As for the latter, well... if GitHub was compromised in that way, it would have made front page news everywhere and FlexASIO would be the least of anyone's worries right now.

If you're still not satisfied, nothing stops you from building FlexASIO yourself - it's not particularly hard.