java exe executable-jar launch4j trojan

Can launch4j add a trojan into an exe file?


This is my first question, so please forgive me if I miss anything.

I scanned my ".exe" file (converted from ".jar" with launch4j) using VirusTotal and found some trojans. Then I scanned my ".jar" file, but it didn't find any threats.

I coded an application with Java. Then I packaged and converted my application into ".jar" format. Finally, I converted it from ".jar" format to ".exe" format using "launch4j". My application worked fine on my own computer. However, when I needed to run it on another computer, I received a virus alert from Windows Defender.

Since I had never encountered such a situation before, I immediately scanned my ".exe" file using VirusTotal and found these three threats: Trojan.Worgtop.Win32.63, W32.AIDetectMalware, Trojan.PSW.Worgtop.ak. Then I scanned my ".jar" file, but it didn't find any threats.

As a result, I began to suspect whether launch4j might somehow inject these viruses into my ".exe" file during the creation process. Do you think such a scenario is possible?

I am aware that "W32.AIDetectMalware" is a "(false) positive" threat. However, the other threats are concerning me. I searched for the other threats online, but I couldn't find a definitive answer.

Finally, how do you recommend converting a ".jar" file to an ".exe" file in the best possible way?

Edit

After lots of searching and with g00se's suggestion, I found the best way to convert a ".jar" file to an ".exe" file is by using the "jpackage" tool. It's included in the JDK, so it's pretty reliable for this job. Just to clarify, when I talk about reliability, I mean the trustworthiness of the tool itself during the conversion process.

EDIT

Following Michael's suggestion, I tried repackaging my ".jar" file using launch4j on a completely different computer. Unfortunately, it seems the result is still the same. I'm afraid those Trojans are being added during the conversion process to ".exe" format. Moreover, even when I tested it using hybrid-analysis, it was still labeled as "malicious". I wonder, which other open-source software we trust might be causing such issues?


Solution

  • After delving into research following my questioning, I found myself inclined towards creating my own packager. In this process, I had the opportunity to experiment with various packagers and adapt their methods. As a common outcome, I encountered the same issue across most packagers. This issue persisted not only when I downloaded and used them but also when I meticulously wrote individual lines of code myself in a secure manner.

    I must admit that I rushed to blame the packager. The root of the problem lies in antivirus applications detecting vulnerabilities in all ".exe" applications that are not securely signed. Even when simply converting a basic code snippet using the tools provided within Windows, I receive approximately ten virus warnings. Of course, it's still entirely possible for downloaded software to contain viruses packaged within them. However, the main source of my problem lies in the secure packaging I mentioned. My research into secure packaging and signing is still ongoing...