Is Zwrap a virus or Russian3dScanner site Phishing?

Hello,

There is a product I use called Zwrap that I was trying to upgrade, but when I try to log in to the company's website I get blocked by Malwarebytes.  Also when I try to download the plugin.  I thought maybe it might be a false positive so I downloaded it and scanned it with Norton Antivirus and Norton quarantined the file.  The site that makes it is called russian3dscanner.com. I can log in to the site and browse it just fine, it's just downloading or logging in to my account I get blocked.   Is this a false positive or something to be concerned about?  Also I noticed this site started getting blocked starting around the time of the Russian, Ukrainian war, I believe it is a Russian based company.  I've always had good response from their support in the past, they have been really outgoing and friendly, and have gone out of their way to help me out.  I'm just confused on where to ask about if the site is Phishing, or if the product is a virus now, if it was I don't think the creators of the product would let me know.  I tried to ask Malwarebytes support but they declined to help since I was using a free version of their software.  I would really appreciate the help if anyone could let me know. 

A little background on the product, Zwrap is a plugin for Zbrush, a digital sculpting program, and what Zwrap does is wrap an organized 3D model onto a high resolution 3D model, so the topology can be used in animation, and to bake textures.  It's a real game changer for 3D artists, speeding up our workflows.

Thanks bjm_ that makes me feel a bit better about using the site and the plugin, I really appreciate you taking the time to look into this.

Pixel_Anatomist:
I'm still unsure how safe it is to still be using, I'm hoping it's just false positives, [...]

Please review: https://forums.malwarebytes.com/topic/301022-website-blocked-due-to-phishing/

 

Pixel_Anatomist:

 I'm still unsure how safe it is to still be using, I'm hoping it's just false positives, I'm just not that knowledgeable about cyber security issues. 

Regarding:
Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Threat name: WS.Reputation.1
Full Path: C:\Users\Blood\Downloads\Faceform_ZWrap_2023.7.2_Setup.exe


fwiw ~ I imagine the WS.Reputation.1 detection that you reported [here] was cleared by Norton after Norton gathered more telemetry.  When I downloaded the file several hours later, Norton gave this file a favorable rating [here] & [here].  To satisfy yourself, maybe try downloading the file again. 

Pixel_Anatomist:

I bought a subscription to the Zwrap plugin in November from the russian3dscanstore.com which I thought was the main store site for their products, [...]

Sorry, I'm not finding russian3dscanstore.com 

I'm finding: 

https://www.russian3dscanner.com/buy/

https://safeweb.norton.com/report/show?url=https://www.russian3dscanner.com/buy/ = Safe -> Technology/Internet

Strange, I bought a subscription to the Zwrap plugin in November from the russian3dscanstore.com which I thought was the main store site for their products, but after you mentioned faceform, I looked it up and found all the same products listed there with download links.  My account with their company is on the russian3dscanstore site but it gets blocked when I try to visit it now.  It's got me a bit confused, my license for the plugin still works, and the files I download from faceform upgraded my plugin for zbrush with my license for the year still valid.  I'm not sure if the company has moved its location and decided to change the website's address from all the world changing events going on in that region the past year, or what is really going on with it.  I'm still unsure how safe it is to still be using, I'm hoping it's just false positives, I'm just not that knowledgeable about cyber security issues. 

fwiw ~ as test: 

https://www.russian3dscanner.com/download/

https://www.russian3dscanner.com/download-start-zwrap-win64/

https://safeweb.norton.com/report/show?url=https://www.russian3dscanner.com/download/ = Safe -> Technology/Internet



Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Full Path: C:\Users\user\Desktop\Faceform_ZWrap_2023.7.2_Setup.exe

Developers 
Faceform LLC

Version 
4.3.0.0

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 16 days  ago.

Good
Norton has given this file a favorable rating.

Source File: 
Faceform_ZWrap_2023.7.2_Setup.exe

File Thumbprint - SHA:
df06800904243dd6dbf5e9f7c7bdceb3ecf477902b39c6638606dc9ec645da1d
File Thumbprint - MD5:
2e49b6cb397b4875ecf33c39c59e7e4b

Sorry, I'm not familiar with russian3dscanner.com, faceform.com nor Zwrap.

On my machine from my location.

russian3dscanner.com resolves to faceform.com  and 

customer.russian3dscanner.com resolves to a blank white page.

That is weird so when I download from russian3dscanner it gets quarantined but when I download it from faceform it downloads as a zip file that scans with no threats, the zip file has scripts you copy into the plugins folder of zbrush.  I think the other file was a .exe file that installed it on the hard drive in the zbrush plugins directory.   I did manage to copy the files over and run them in zbrush and they are working.   

I am still confused as to why the files on the original russian3dscanner site seem to have risk both in Malwarebytes and Norton, while the faceform site seems to be fine.  This is the first time I have been aware of the faceform site, I guess it is a company based in Armenia.  Norton does say the site is Suspicious with a caution warning in my chrome browser and may have a small number of threats and annoyances, but not considered dangerous enough to warrant a red warning, Proceed with caution.

fwiw ~ as test: 

https://downloads.faceform.com/file/faceform/ZWrap/2023.7.2/30f4a2618bb8bc0245f1418efa2968d4/Faceform_ZWrap_2023.7.2_Setup.exe

Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Full Path: c:\Users\user\Desktop\Faceform_ZWrap_2023.7.2_Setup.exe


Developers 
Faceform LLC

Version 
4.3.0.0

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 16 days  ago.

Good
Norton has given this file a favorable rating.

https://downloads.faceform.com/file/faceform/ZWrap/2023.7.2/30f4a2618bb8bc0245f1418efa2968d4/Faceform_ZWrap_2023.7.2_Setup.exe
Downloaded File  from faceform.com

Faceform_ZWrap_2023.7.2_Setup.exe

File Thumbprint - SHA:
df06800904243dd6dbf5e9f7c7bdceb3ecf477902b39c6638606dc9ec645da1d
File Thumbprint - MD5:
2e49b6cb397b4875ecf33c39c59e7e4b


VirusTotal report [here]

Thanks bjm_ for the links, I will try to ask on the Malwarebytes forum too. If I submit a file to Norton, would I have to download the potentially harmful file again and upload it?

Sorry still kind of new to all this security stuff, this is what I see in my history for the file.

Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Threat name: WS.Reputation.1
Full Path: C:\Users\Blood\Downloads\Faceform_ZWrap_2023.7.2_Setup.exe

____________________________

____________________________


On computers as of 
8/7/2023 at 5:26:13 PM

Last Used 
8/7/2023 at 5:28:09 PM

Startup Item 
No
Launched 
No
Threat type: Insight Network Threat. There are many indications that this file is untrustworthy and therefore not safe


____________________________


Faceform_ZWrap_2023.7.2_Setup.exe
Threat name: WS.Reputation.1
Locate


Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 16 days  ago.

Medium
This file risk is medium.


____________________________


https://downloads.faceform.com/file/faceform/ZWrap/2023.7.2/30f4a2618bb8bc0245f1418efa2968d4/Faceform_ZWrap_2023.7.2_Setup.exe
Downloaded File  from faceform.com
Source: External Media


____________________________

File Actions

File: C:\Users\Blood\Downloads\Faceform_ZWrap_2023.7.2_Setup.exe Removed

____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
 

fwiw ~ as test: 

https://www.russian3dscanner.com/zwrap/

https://safeweb.norton.com/report/show?url=https://www.russian3dscanner.com/zwrap/ = Safe -> Technology/Internet


Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Full Path: C:\Users\user\Desktop\Faceform_ZWrap_2023.7.2_Setup.exe

Developers 
Faceform LLC

Version 
4.3.0.0

Few Users
Fewer than 50 users in the Norton Community have used this file.

New
This file was released 16 days  ago.

Good
Norton has given this file a favorable rating.

Source File: 
Faceform_ZWrap_2023.7.2_Setup.exe


File Thumbprint - SHA:
df06800904243dd6dbf5e9f7c7bdceb3ecf477902b39c6638606dc9ec645da1d
File Thumbprint - MD5:
2e49b6cb397b4875ecf33c39c59e7e4b

fwiw ~ as test: 

https://faceform.com/download-wrap/

https://safeweb.norton.com/report/show?url=https://faceform.com/download-wrap/ = Caution -> Suspicious


Filename: Faceform_Wrap_2023.6.4_Setup.exe
Full Path: C:\Users\user\Desktop\Faceform_Wrap_2023.6.4_Setup.exe

Developers 
Faceform LLC

Version 
4.3.0.0

Few Users
Fewer than 50 users in the Norton Community have used this file.

Mature
This file was released 2 months  ago.

Good
Norton has given this file a good rating.

Source File: 
Faceform_Wrap_2023.6.4_Setup.exe

File Thumbprint - SHA:
82976a389e425fe02e1fae716db4caeb80f8676eae5f88801fe02ab283c01127
File Thumbprint - MD5:
796f5c97f187346ca4eadec743591ac9

https://russian3dscanner.com resolves to https://faceform.com

Post your Malwarebytes Browser Guard question here ->
https://forums.malwarebytes.com/forum/252-malwarebytes-browser-guard/


Report a suspected incorrect detection to Norton
https://support.norton.com/sp/en/us/home/current/solutions/v126152382

Submit a file to Norton
https://support.norton.com/sp/en/us/home/current/solutions/kb20090602171902EN

Respond to incorrect Norton alerts that a file is infected or a program or website is suspicious
https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832EN


Please tell us what Norton is telling you regarding this event.
For information regarding this event > from Norton pop-up > View Details > Copy to Clipboard &/or from Norton history > More Options > Copy to Clipboard > paste here.

For second opinion choose File &/or Search hash at VirusTotal
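
Added example (not part of the original posts and not a Norton or VirusTotal tool): one way to check whether a local copy is byte-for-byte the file that received the favorable rating is to pull the thumbprint out of the pasted Norton details and compare it with the file's own hash. The function names are hypothetical, the sample reports are constructed from the text quoted in this thread, and the 64-hex-digit "SHA" thumbprint is assumed to be SHA-256.

```python
import hashlib
import re

# Constructed from the two Norton reports quoted in the thread.
GOOD_REPORT = r"""Filename: Faceform_ZWrap_2023.7.2_Setup.exe
File Thumbprint - SHA:
df06800904243dd6dbf5e9f7c7bdceb3ecf477902b39c6638606dc9ec645da1d
File Thumbprint - MD5:
2e49b6cb397b4875ecf33c39c59e7e4b
"""
# Quarantined copy: labels fused by copy/paste, thumbprints not recorded.
QUARANTINED_REPORT = r"""Filename: Faceform_ZWrap_2023.7.2_Setup.exe
Threat name: WS.Reputation.1Full Path: C:\Users\Blood\Downloads\Faceform_ZWrap_2023.7.2_Setup.exe
File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available
"""

def parse_report(text):
    """Extract file name, threat name and thumbprints from pasted details."""
    def grab(pattern):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "filename": grab(r"^Filename:\s*(\S+)"),
        # Lazy match stops at a fused "Full Path:" label or at end of line.
        "threat": grab(r"Threat name:\s*(.+?)(?=Full Path:|$)"),
        # Assumption: the 64-hex-digit "SHA" thumbprint is SHA-256.
        "sha256": grab(r"Thumbprint - SHA:\s*([0-9a-fA-F]{64})\b"),
        "md5": grab(r"Thumbprint - MD5:\s*([0-9a-fA-F]{32})\b"),
    }

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large installer is never loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def matches_report(report, path):
    """True/False when the report has a SHA-256; None when it has none."""
    if not report["sha256"]:
        return None  # "Not available": identity cannot be confirmed by hash
    return sha256_of(path) == report["sha256"].lower()

if __name__ == "__main__":
    for name, text in (("good", GOOD_REPORT), ("quarantined", QUARANTINED_REPORT)):
        print(name, parse_report(text))
```

A `None` result is the case in the quarantined report: with no thumbprint recorded, the file name alone does not show that the removed copy and the favorably rated copy were the same file.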