False Positive: BitDefender quarantining binary (also flagged by 3 engines on VirusTotal)

[danstis]

Issue

Hi,

First of all, thanks for creating Claude Code Usage Monitor — it’s a really useful tool.

I wanted to raise something I recently encountered in case it is useful to be aware of.

Issue

BitDefender on my system recently quarantined the binary for Claude Code Usage Monitor, flagging it as potentially malicious.

Out of caution I uploaded the binary to VirusTotal to see if other engines were detecting anything.

VirusTotal results show 3 engines currently flagging the file as malicious, while the vast majority report it as clean.

VirusTotal report:
https://www.virustotal.com/gui/file/bbea4de4bbee8cd649aefb2aaa6f7e0948d909f5d5e60352c7d3779e8cffbe92?nocache=1

Notes

I suspect this may simply be a false positive, which can sometimes occur with compiled binaries from smaller projects. I have scanned the code and am satisfied that there is no malicious code, but the way the app runs likely triggers that false positive in the AI/ML/heuristics rules.

I’m not sure there’s much that can be done from your side beyond potentially submitting false positive reports to AV vendors, but I wanted to raise it as an FYI in case:

• other users encounter similar behaviour
• you want to submit a false positive to BitDefender or the engines flagging it

Environment

• OS: Windows
• Antivirus: BitDefender
• Binary source: GitHub release

Happy to provide any additional details if it helps.

Thanks again for the project!

[CodeZeno]

Thanks for reporting this and for including the VirusTotal link. Based on what you've described, this looks consistent with a heuristic false positive rather than evidence of malicious code. The project is fully open source, so anyone can inspect or build it from source, but the released Windows binary is currently an unsigned standalone EXE, which can hurt AV reputation.

This app also does a few Windows-specific things that AV engines sometimes dislike in combination: it embeds into the taskbar, reads Claude credentials, makes outbound API requests, can refresh tokens by launching the Claude CLI, and can optionally be registered to start with Windows. I'm going to submit the flagged binary to the vendors that reported it as a false positive and review whether I can reduce the likelihood of future detections.

If you still have the alert details, the most useful extra information would be the exact Bitdefender detection name and the specific release version you downloaded.

[danstis]

@CodeZeno in BitDefender this was the log item:

Malicious application detected on your device
March 13 at 9:38 PM

Feature:
Antivirus

The app C:\Tools\claude-usage\claude-code-usage-monitor.exe infected with Gen:Variant.Doina.118749 was moved to quarantine. It is recommended that you run a System Scan to make sure your system is clean.

I restored the file from quarantine to get the version, it was version 1.0.11, which is slightly different than the link I provided for virustotal, here is the scan of the 1.0.11 version: https://www.virustotal.com/gui/file/9bf9563b3b5b2a7ca3a853646e1b3543106db8f69cebb046498b3f9e341f4ca6?nocache=1

I had these issues on another windows app that I created with go, and ended up getting an open source signing cert from OSSign: https://ossign.org/. They did take a few months to work through the process though.

[CodeZeno]

Thank you for the info. I have added some extra metadata to v1.0.14 scan result: https://www.virustotal.com/gui/file/23c95124e9494a5af5f3460802d801c4b39836ae906f257e818e76d94cf4e9e7/detection

I have looked at the signing options and it would be great but a big process for a small app.
Unfortunately the patterns in this app are similar to that of malicious software e.g. reads Claude Code credentials then makes calls to remote locations (Anthropic). Has the ability to start with windows, hiding of the console when it refreshes token etc so I can see why it would be flagged incorrectly. But it is open source and people can verify everything it does.