Emu48 : Malware infection or more false positives?

[Jonathan Busby]

Due to my move to Colorado, I had to pack up my Intel NUC Linux system. I was running Windows 10 in a VM on that system and I had Emu48 installed with no problems. Today, I installed Emu48, downloaded directly from Christoph Gießelink's web site, and I got the usual, but innocuous, "Windows protected your PC" warning -- this is just Microsoft's "SmartScreen"'s essentially reporting that the executable isn't known to Microsoft due to its hash code being unknown, the executable not being digitally signed or having an invalid or otherwise untrusted / unknown digital signature with respect to Microsoft's database of executables etc. Anyways, I'm running Windows 10 Pro x64 and this is the first time I've installed Emu48 on this particular Windows machine. After installing Emu48 with no problems and then configuring it and using it successfully, I tried to save Emu48's system state to an e48 file, but the file save dialog box locked up. After a few moments, I received a notification from Acronis True Image 2021 that the Emu48 executable had been "paused" because of a "Possible ransomware attack" or something to that effect. The "affected files" were just a bunch of Windows 10 icon cache files in my user profile directory. I let Acronis True Image block the Emu48 executable and then I did some further investigation : First, the installer file found on http://www.hpcalc.org and on Christoph Gießelink's own web site are the same. Secondly, I also have the latest version of ESET NOD32 Antivirus installed on this Windows 10 system as well as the latest version of Malwarebytes Premium and they detected nothing. Thirdly, I submitted both the installer and the Emu48 executable to VirusTotal and only *one* of the dozens of malware / virus protection / scanning engines / apps detected said files as "malicious". This leads me to believe that Acronis True Image's supposed "advanced" ransomware detection engine, which various technical reports cite as having a very low false positive rate, is indeed generating bogus results.

In the same vein as the above, a few weeks ago, after an update to Malwarebytes, Malwarebytes started blocking access to http://www.hpcalc.org and flagging it as a "trojan". I emailed Eric Rechlin and he reported that I was at least the fourth person in the past few months to report such behavior. I then had to whitelist http://www.hpcalc.org.

In conclusion, I really think that Emu48 being reported as being infected with ransomware is another bogus false positive, but I just wanted to be sure.

If anyone else can reproduce this behavior or has experienced anything similar I'd appreciate hearing about it ( I'm paranoid as *nothing* like this ever happens to me on Linux, and, I have been burned by Windows before with a rootkit infection ).

Regards,

Jonathan