Keymagic 3 Antivirus False Positive Status

keymagic-3_antivirus_status.md

KeyMagic Antivirus False Positive Status

TL;DR: KeyMagic is safe! Some antivirus software incorrectly flags it due to the low-level system access required for keyboard input. We're actively working with vendors to resolve these false positives.

🛡️ Current Status Summary

x64 Version (v0.0.5)

• File Name: KeyMagic3-Setup-0.0.5-x64.exe
• Download: GitHub Release
• File Hash: B9E68E1C5A222CFD7F977EF634036C78AC033ED26C0EF7A5255A53AC7972AF59
• Total Detections: 9 out of 70+ antivirus engines
• Detection Rate: ~13% (typical false positive pattern)

ARM64 Version (v0.0.5)

• File Name: KeyMagic3-Setup-0.0.5-arm64.exe
• Download: GitHub Release
• File Hash: F708E5ADC84ECB6FA48C68A43AEED86A5259759672233B5228DBDE5728865982
• Total Detections: 4 out of 70+ antivirus engines
• Detection Rate: ~5% (typical false positive pattern)

Last Updated: [20-07-2025]

📊 Scan Results Overview

x64 Version Scans

Scanning Service	Detection Rate	Link
VirusTotal	6/72 engines	View Report
Jotti's Malware Scan	2/13 engines	View Report
Hybrid Analysis	2/27 engines	View Report
MetaDefender	1/engine	View Report

ARM64 Version Scans

Scanning Service	Detection Rate	Link
VirusTotal	2/72 engines	View Report
Jotti's Malware Scan	0/13 engines	View Report
Hybrid Analysis	2/26 engines	View Report
MetaDefender	1/engine	View Report

🚨 False Positive Reports Status

x64 Version Reports

Antivirus Vendor	Detection Name	Method	Date	Status	Notes
Bkav Pro	W32.AIDetectMalware	Email	20-07-25	🟡	Submitted to support
CrowdStrike Falcon	Win/grayware_confidence_60%	Form	20-07-25	🟢	Confirm
Ikarus	Trojan.Win64.Agent	Form	20-07-25	🟢	Email Confirm
Kaspersky	VHO:Trojan.Win64.Agent.gen	Form	20-07-25	🟢	Via Email
SecureAge	Malicious	Email	20-07-25	🟢	Via Email
G Data	Win32.Trojan.Agent.WZSN8T	Form	20-07-25	🟢	Support portal
Filseclab	Trojan.Alien.aiuu.lxaa	Email	20-07-25	🟡	Email contact
Cylance	[Generic Flag]	Form	20-07-25	🟡	N/A
Avira	HEUR/APC	Form	20-07-25	🟡	Heuristic detection
TrendMicro	[Generic Flag]	Form/Email	21-07-25	🟡	Report by U HLA

ARM64 Version Reports

Antivirus Vendor	Detection Name	Method	Date	Status	Notes
Bkav Pro	W32.AIDetectMalware	Email	20-07-25	🟡	Submitted to support
SecureAge	Malicious	Email	20-07-25	🟢	Via Email
Filseclab	Trojan.Alien.aiuu.lxaa	Email	20-07-25	🟡	Email contact
Cylance	[Generic Flag]	Form	20-07-25	🟡	N/A
Avira	HEUR/APC	Form	20-07-25	🟡	Heuristic detection

Status Legend

• 🟡 Waiting: Report submitted, awaiting response
• 🟢 Resolved: False positive acknowledged and fixed
• 🔴 Rejected: Vendor maintains it's malicious (unlikely for legitimate software)
• ⚪ No Response: No response after 2+ weeks

🔍 Why These Are False Positives

KeyMagic is flagged because it:

• Uses keyboard hook APIs (SetWindowsHookEx) to capture input
• Accesses registry for configuration storage
• Uses window messaging APIs for text output
• Operates at system level like other input method editors (IMEs)

This is normal behavior for keyboard software - similar to other IMEs like:

• Windows Input Method Editor
• Google Input Tools
• Various language-specific keyboards

📋 Evidence of Legitimacy

✅ Open Source

• Source Code: GitHub Repository
• Language: Written in Rust
• License: GPL-2.0
• Development: Active community development

✅ Low Detection Rate

• Only 9 out of 70+ engines detect it
• Pattern consistent with false positives
• No behavioral malware indicators

✅ Community Usage

• Used by Myanmar language community
• Users worldwide for custom keyboard layouts
• No reported security incidents
• Positive user feedback

🛠️ For Users Experiencing Warnings

If your antivirus flags KeyMagic:

1. Add to Whitelist/Exclusions

   • This is safe - KeyMagic is legitimate software
   • Add both the installation folder and the executable

2. Temporary Disable (during installation)

   • Disable real-time protection temporarily
   • Install KeyMagic, then re-enable protection
   • Add exclusion after installation

3. Report to Your Antivirus

   • Help us by reporting it as a false positive
   • Use the links in the table above

Alternative Download Verification

x64 Version

# Verify file integrity with SHA256
sha256sum KeyMagic3-Setup-0.0.5-x64.exe
# Should match: B9E68E1C5A222CFD7F977EF634036C78AC033ED26C0EF7A5255A53AC7972AF59

ARM64 Version

# Verify file integrity with SHA256
sha256sum KeyMagic3-Setup-0.0.5-arm64.exe
# Should match: F708E5ADC84ECB6FA48C68A43AEED86A5259759672233B5228DBDE5728865982

📞 Contact Information

• Project Website: keymagic.net
• GitHub Issues: Report Issues
• Developer: [Your Contact Info]

📈 Update History

Date	Update
[Date]	Initial false positive reports submitted
[Date]	Added G Data, Filseclab, Cylance, Avira to reports
[Date]	[Future updates...]

---

🔗 Useful Resources

For Developers (Similar Issues)

• Microsoft: Code Signing Best Practices
• How to Report False Positives to Antivirus Vendors
• VirusTotal Intelligence

For Security Researchers

• Static Analysis: Source code available on GitHub
• Dynamic Analysis: Hybrid Analysis report linked above
• Behavioral Analysis: Standard IME behavior patterns
• Network Activity: None - local keyboard processing only

Antivirus Vendor Resources

• FP Contact: https://docs.virustotal.com/docs/false-positive-contacts

---

Note: This page is updated regularly as we receive responses from antivirus vendors. KeyMagic remains safe to use - these are confirmed false positives due to the nature of keyboard input software requiring system-level access.

Last updated: [20-07-2025] | Next update: [Expected: 31-07-2025]

v0.0.6 - update later

• virustotal
• jetti
• hybrid-analysis