VoIP Blog

WebPhone false alert

By SuperUser Account on 10/7/2020

The webphone is triggering a false positive by some virus scanners

According to virustotal.com some virus scanners incorrectly marks our software as dangerous.

The false positive us cased by our NS engine installer -WebPhoneService_Install.exe- which can be found in the webphone.zip under the "native" subfolder.

Here we declare that the webphone and its WebPhoneService component have been created by us, it works as specified by its software documentation and it doesn't contain any malicious code nor it leaks any private data.

The webphone is a VoIP (SIP) client software sold to developers. It is our best-sold software since years.
A detailed description about the webphone can be found here:

What is the WebPhoneService engine and what it does more exactly:
The WebPhoneService is an optional component for the webphone, often referred as the "NS engine", that might be used in some circumstances if the users don't have or don't wish to use WebRTC.
It has a single file installer (WebPhoneService_Install.exe) and it runs as a windows NT service by listening on a secure localhost websocket port (WSS) providing VoIP capabilities for our webphone, communicating with the requested SIP server using the standard SIP and RTP protocols to make and receive VoIP calls as configured by the webphone users.
The installer can be found in the native subfolder if you unpack the webphone.zip.

Here is the download link to our webphone (the whole package, containing also the "suspicious" WebPhoneService_Install.exe):

Here is the direct download link for the WebPhoneService_Install.exe (extracted from the webphone package):

There is no any malicious bits in our software, we don't collect any user data and the software works as expected after its specification.
We already asked a review from Google, but the request was automatically rejected, apparently by an automated process (Google don't care to read our request or to allocate a few minute time by a human to avoid ruinning a healthy business by their buggy automated processes).

We are trying to guess what is triggering the false alert:
•    The software doesn't a lot of things and we suspect that one of the followings are wrongly detected as "suspicious activity":
•    It tries to download and deploy a JVM (java virtual machine) if a JVM is not already installed on the PC (this is required because internally the NS engine uses our Java based JVoIP software as the SIP stack)
•    It makes calls to taskkill.exe (this is used to kill the service own processes to make sure that all resources are released before (re)install)
•    Modify registry settings (for example to register itself as a SIP URI handler)
•    Uses the audio devices (apparently, this is a must for VoIP calls)
•    Might auto download a TLS certificate maintained by Let's Encrypted to be used for WSS (secure websocket)

We also provided customized/branded builds for our customers. This is exactly like the original, with the following changes:
•    The software file name is renamed after our client brand or company name
•    All references to us (Mizutech SRL) or our websites (www.mizu-voip.com) are removed or replaced with the client company name and website address
•    Restrict the usage only with the customer SIP servers (we ask the address of the SIP servers from our customers and "hardcode" these addresses into our software to disallow the usage with other servers)

We have contacted all the affected virus scanners today and submitted our software as false positive to be white-listed.
Hopefully the problem will be resolved within a few days.
Thank you for your understand and your continued support.