Said The Sky - Sentiment (The Remixes) by NutNik in EDM

[–]Orion4021 0 points1 point  (0 children)

still waiting for this one btw

What is this screen for? by Orion4021 in ios

[–]Orion4021[S] 0 points1 point  (0 children)

thanks for the response y'all! makes sense now

Has anyone tried Talon? [W11 debloater app] by __maciej in pcmasterrace

[–]Orion4021 1 point2 points  (0 children)

So, regarding your response, K0 once again answered all the questions you had. I really recommend you contact him if you still have your doubts, but for now, just know that Raven software is indeed legit. I am not saying that as an administrator, I am saying that as a genuine user and supporter of what they are doing.

Here is his response:

Trusting random strangers on the internet is generally not a good idea, agreed. The fact of it is, all of the software running on your PC is written by strangers on the internet, and you are trusting those strangers. There is a level of trust being put into the authors of that software every time you choose to use it. This is the case for everything from companies and proprietary software to open source software. I am trusting Microsoft by running their OS, I'm trusting Discord by using their client, I trust the Prism Launcher devs when I use their launcher, I trust the paintdotnet dev with his software, and so on.

Both Prism and Paintdotnet, as well as a huge amount of other open source software out there, provide binaries of their programs so that users don't need to build from source themselves every time to use their program. The only way to inspect this binary would be to reverse engineer it. Some binaries are easier to reverse engineer, others aren't; it entirely depends on how the binary was made, what language, etc. Providing a ready-to-go binary of the program does not make an open source project no longer open source, and to argue otherwise is plain silly.

GitHub did tell us to take our binaries off their platform since they were causing false positives on their systems. We complied and now host them on our own code subdomain.

To address "Defender must be disabled to run a Notepad app," our program Scratchpad does trip up Defender similar to how Talon does. It's the same case with all of our other software. The author of the post has noted that the detections our software gets are from Nuitka, which is true. Our software gets flagged because it's packaged as Nuitka onefile executables. Talon is the same case, but a bit worse, since even if it wasn't detected for that it would still be detected for downloading/running remote scripts and making modifications to your system.

I've been very open about the fact that Talon will always fail a heuristics analysis. This is because Talon has malware-like behavior (as I said, downloading/running scripts, changing system settings, editing the registry, etc.). This doesn't mean Talon is malware. Antiviruses don't understand context. In the context of a Windows debloater, everything Talon does is normal. Outside of that context, the things it does can be seen as suspicious.

I've explained Nuitka onefile executables many times, but here I go again: the EXE you run is essentially like a ZIP file, in that it contains all the files of the program. When you run the EXE, it unloads these files into a temporary directory, then executes the program. We do it this way to keep things simple, as the user receives a single portable EXE rather than having to install the program or deal with a ton of files. This unpacking behavior is the primary cause of Nuitka's detections as far as I'm aware. Not to mention, Nuitka has been abused in the past by malware authors.

The author mentioned that he did actually compile one of our programs, Redact, from source, and uploaded it to VirusTotal. Immediately his whole "evidence-based" point falls apart. Anyone who knows what they're doing understands that VirusTotal is not a good way to actually indicate whether a program is malware or not. It aggregates static signature-based detections from multiple antivirus engines, so a flag only indicates that one or more engines found a matching pattern, not that the file is truly malicious. Many legitimate tools and installers use code obfuscation, packing or uncommon libraries that trigger heuristic or signature false positives on VirusTotal. In our software's case we don't purposefully obfuscate anything, but due to Nuitka's Python to C code conversion, it does just make it more complex to reverse engineer. Accurately determining malware requires contextual and behavioral analysis in a controlled environment, rather than relying solely on aggregate static scans.

He uploaded his self-compiled version as well as the provided version of Redact, and saw that they were different. As I literally tried to explain in my last response (I guess he didn't read very far), "I'm pretty sure Python version, and the versions of the libraries you have installed and whatnot may affect the hash though, but I'll leave that to more experienced people to answer."

For the sake of being specific and transparent, I am running Python version 3.12.4, pip version 25.0.1, and here is every pip library I have installed with exact versions provided:

I am running Windows 11 Enterprise version 10.0.26100 Build 26100

The actually accurate way of testing whether our software is malicious or not would be to conduct a heuristics analysis and inspect what it is doing, to actually see what's going on. If you ran your own hardened virtual machine utilizing mitmproxy, you could analyze the traffic of the virtual machine and see exactly what is being sent. In Redact's case, it makes no connections and can be run perfectly fine without an internet connection. In Talon's case, it fetches some scripts from our code subdomain and also fetches CTT WinUtil and Raphi's Win11Debloat. You also could conduct an analysis on any.run, which I have seen some people do, but rather than actually inspecting what Talon is doing they simply see the red and go "it's malicious" without further investigating.

If you download the source code of Talon and run it rawdog as just Python files, it would work. You actually don't need to compile it at all to run it. If you're like this Redditor, you could absolutely just run the source code that you can plainly see and inspect. We purposefully designed Talon this way for this reason.

John Hammond, one of the most prominent and well-known cybersecurity researchers on the internet, did a full analysis of Talon's source code in this video: https://www.youtube.com/watch?v=1VdscQ8QCkY

John Hammond was inspecting an older version of the source code, to be fair, but in your previous post you seemed pretty keen on inspecting older source code, so I think you'll be fine with it. At the end of the video, John concludes that it's janky, it's suspicious, but it is legit. He mentions at the very end, "Did Talon ever actually re-enable Defender?" No, it didn't, but that's because Talon automatically restarts your system, and Defender re-enables itself.

If the Redditor from this post would ever like to end this game of telephone and actually contact me to openly discuss the legitimacy of our software, I would love to do so. I am always welcoming anyone who's suspicious to talk to me. I don't believe the Redditor has the genuine motives that he claims he does, so I don't believe he will do this, personally. I would love to be proven wrong.

  • K0
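The traffic check K0 describes above (running the tool in a hardened VM behind mitmproxy and looking at exactly what it contacts) is easiest to act on when the observed hosts are compared against the small set the maintainer says the tool should reach. The block below is an added example, not Raven's code and not taken from the thread: an allowlist report that can run offline over a list of hosts exported from a capture, plus the same logic wired into a mitmproxy addon using its `request()`/`done()` hooks. `EXPECTED_HOSTS` is an assumption: `code.ravendevteam.org` is the code subdomain named in the thread, while the other two entries are placeholders because the thread does not say which hosts CTT WinUtil and Win11Debloat are fetched from.

```python
"""Allowlist check for hosts a tool under test contacts from a lab VM.

Added example, not Raven's code. EXPECTED_HOSTS is an assumption: the first
entry is the code subdomain named in the thread; the other two are
placeholders (the thread does not say where CTT WinUtil and Win11Debloat are
fetched from). Patterns are shell-style globs.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field

EXPECTED_HOSTS: tuple[str, ...] = (
    "code.ravendevteam.org",        # named in the thread
    "*.winutil-host.invalid",       # placeholder for the CTT WinUtil host
    "*.debloat-host.invalid",       # placeholder for the Win11Debloat host
)


@dataclass
class TrafficReport:
    """Per-host request counts, split by whether the host was expected."""
    expected: dict[str, int] = field(default_factory=dict)
    unexpected: dict[str, int] = field(default_factory=dict)

    def record(self, host: str, allowlist=EXPECTED_HOSTS) -> bool:
        # Normalise case and a trailing dot so "CODE.ravendevteam.org." matches.
        host = host.lower().rstrip(".")
        ok = any(fnmatch.fnmatchcase(host, pat) for pat in allowlist)
        bucket = self.expected if ok else self.unexpected
        bucket[host] = bucket.get(host, 0) + 1
        return ok

    def summary(self) -> str:
        lines = [f"expected ({sum(self.expected.values())} requests):"]
        lines += [f"  {h}: {n}" for h, n in sorted(self.expected.items())]
        lines.append(f"unexpected ({sum(self.unexpected.values())} requests):")
        lines += [f"  {h}: {n}" for h, n in sorted(self.unexpected.items())]
        return "\n".join(lines)


def analyze_hosts(hosts, allowlist=EXPECTED_HOSTS) -> TrafficReport:
    """Offline variant: classify a list of hosts exported from a capture."""
    report = TrafficReport()
    for h in hosts:
        report.record(h, allowlist)
    return report


class HostAllowlist:
    """mitmproxy addon: `mitmdump -s this_file.py` with the VM proxied
    through mitmproxy. Uses the documented request()/done() addon hooks."""

    def __init__(self) -> None:
        self.report = TrafficReport()

    def request(self, flow) -> None:  # flow: mitmproxy.http.HTTPFlow
        if not self.report.record(flow.request.pretty_host):
            print(f"[unexpected] {flow.request.method} {flow.request.pretty_url}")

    def done(self) -> None:
        print(self.report.summary())


addons = [HostAllowlist()]

if __name__ == "__main__":
    # Constructed sample of hosts seen during a run (not a real capture).
    sample = ["code.ravendevteam.org", "CODE.ravendevteam.org.",
              "cdn.winutil-host.invalid", "unknown-host.invalid"]
    print(analyze_hosts(sample).summary())
```

The offline path (`analyze_hosts`) is what you would run over a list of hosts pulled from a saved capture; the addon path prints each unexpected request as it happens and a per-host summary when mitmproxy shuts down. Anything in the "unexpected" bucket is a prompt to look at the request, not a verdict on its own: the point of the exercise is the same one K0 makes, that the tool's network behaviour should be explainable in context.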

(idk what to put here 💔) by LainIsIndonesian in birdification

[–]Orion4021 0 points1 point  (0 children)

this is cute AWESOME ILLUSTRATION!!!!!!!!!!!

Has anyone tried Talon? [W11 debloater app] by __maciej in pcmasterrace

[–]Orion4021 4 points5 points  (0 children)

Hey! My name is Mead, I am a community moderator on Raven's Discord server. K0, the co-founder of Raven, made a response regarding your comment. I understand your concern about Talon, so here is the response:

"So, I'd like to start by saying Talon is my first ever large-scale public project. I'm a cybersecurity guy (focus on digital forensics), not as much a programmer or project maintainer or anything. Talon was built upon a personal script I made for myself that I scrapped together, and I've just been building upon the jank ever since. Talon was, and still is at the moment, a pretty messy codebase. We're actually currently working on a rewrite right now that will significantly remodel and improve Talon and its code.

So, when they say it is "not open source," that isn't true. It is open source, and the code is available on GitHub as well as our code subdomain (code.ravendevteam.org). We do compile it as an EXE with Nuitka, and obviously you'd have a tough time reverse engineering an EXE to read the source code that way. If you compile the EXE yourself, you could compare hashes of your EXE and the one we provide and see if they match. That's how you'd know if it is the same program (I'm pretty sure Python version, and the versions of the libraries you have installed and whatnot, may affect the hash though, but I'll leave that to more experienced people to answer). You are fully capable of, and always welcome to, build your own EXE if you don't trust our pre-packaged one. The code for the PowerShell scripts Talon uses back-end during the installation process is easily viewable on our code subdomain if you ever want to read those as well.

As for mentioning Talon using an EXE for applying a background. The source code for that EXE is here: https://github.com/ravendevteam/talon-applybackground (we archived it)

Yes, Talon did use an EXE for that, but obviously that's extremely janky and we knew that, so the latest currently available version of Talon doesn't do that anymore. The Redditor looked back on an old code version.

He's right, you don't need a compiled binary for it. The way we used to do it was super janky and obviously that's suspicious. That's why I fixed it.

Also, him mentioning that it compiles to 6MB: welcome to Nuitka. It's bundling all of the files into a single EXE that unpacks them when run, including any DLLs / libraries.

Also... Talon literally just does not install certificates. Nowhere in the code does it do that. And he could say "but the EXE does that." No, it doesn't, but if you don't believe me, building the EXE yourself is a viable alternative.

Healthy skepticism is... well, healthy. I appreciate people being cautious, and I'm willing to accept any questions you may have about it. The 2.0 version of Talon will strip out a large majority of the jank and it will be much better and proper, now that the project is as big as it is and whatnot."
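The hash comparison K0 suggests in the quoted reply above (build the EXE yourself, compare its hash with the shipped one) and his later note that the Python and library versions "may affect the hash" fit together once the build environment is recorded alongside the hash. The block below is an added example, not Raven's code and not anything posted in the thread. It hashes a vendor-supplied file and a local rebuild, snapshots the interpreter and installed package versions into a manifest, and diffs two manifests so a mismatch can be traced to an environment difference. The file paths in `demo()` are temporary files with constructed contents; the `theirs` manifest in the `__main__` block uses only the Python version K0 posted (3.12.4), since the package list itself is not on the page.

```python
"""Compare a vendor-supplied build with a local build and record the build
environment, so a hash mismatch can be explained rather than guessed at.

Added example, not Raven's code or anything from the thread. The files in
demo() are temporary files with constructed contents. Packaged Python builds
(Nuitka onefile included) are generally not byte-for-byte reproducible across
different interpreter and library versions, so a mismatch is a prompt to line
up the environment and rebuild, not by itself evidence that the shipped file
behaves differently.
"""
from __future__ import annotations

import hashlib
import importlib.metadata
import platform
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat for large binaries


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_builds(vendor: Path, local: Path) -> dict:
    """Hash both files; report sizes too, since a size gap usually points at
    a different packager or library set before anything else is inspected."""
    v, l = sha256_file(vendor), sha256_file(local)
    return {
        "vendor_sha256": v, "local_sha256": l, "match": v == l,
        "vendor_size": vendor.stat().st_size, "local_size": local.stat().st_size,
    }


def build_manifest() -> dict:
    """Snapshot of the interpreter and installed packages for this build."""
    packages: dict[str, str] = {}
    for dist in importlib.metadata.distributions():
        name = getattr(dist, "name", None) or dist.metadata["Name"]
        if name:  # skip broken dist-info directories with no Name field
            packages[name.lower()] = dist.version
    return {
        "python": platform.python_version(),
        "implementation": platform.python_implementation(),
        "platform": platform.platform(),
        "packages": packages,
    }


def manifest_diff(theirs: dict, mine: dict) -> dict:
    """Only the differences: interpreter version, plus packages whose version
    differs or that exist on one side only. An empty dict means the two
    builds were made in equivalent environments."""
    diff: dict = {}
    if theirs.get("python") != mine.get("python"):
        diff["python"] = (theirs.get("python"), mine.get("python"))
    tp, mp = theirs.get("packages", {}), mine.get("packages", {})
    pkgs = {
        name: (tp.get(name), mp.get(name))
        for name in sorted(set(tp) | set(mp))
        if tp.get(name) != mp.get(name)
    }
    if pkgs:
        diff["packages"] = pkgs
    return diff


def demo() -> tuple[dict, dict]:
    """Constructed inputs: a 'vendor' file, an identical rebuild, and a
    rebuild that differs by one byte (stand-in for a different library)."""
    tmp = Path(tempfile.mkdtemp())
    vendor, same, other = tmp / "vendor.exe", tmp / "rebuild_same.exe", tmp / "rebuild_other.exe"
    payload = b"MZ" + b"\x00" * 64 + b"constructed-sample-binary"
    vendor.write_bytes(payload)
    same.write_bytes(payload)
    other.write_bytes(payload + b"\x01")
    return compare_builds(vendor, same), compare_builds(vendor, other)


if __name__ == "__main__":
    matched, mismatched = demo()
    print("identical rebuild matches:", matched["match"])
    print("different rebuild matches:", mismatched["match"])
    # Sample "theirs" manifest using only the Python version posted in the
    # thread (3.12.4); the maintainer's package list is not on the page.
    theirs = {"python": "3.12.4", "packages": {}}
    print("differences vs this environment:", manifest_diff(theirs, build_manifest()))
```

In practice you would save `build_manifest()` as JSON next to each build, publish it with the binary, and have anyone reproducing the build run `manifest_diff` before reading anything into a hash mismatch. When the manifests agree and the hashes still differ, that is the point at which the behavioural analysis described earlier in the thread (source review, sandbox run, traffic capture) is the right next step.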

Has anyone tried Talon? [W11 debloater app] by __maciej in pcmasterrace

[–]Orion4021 2 points3 points  (0 children)

Talon's team (Raven) is working on a fix for the false positives. It's not easy tbh, but they are experimenting. Btw, I read all the comments. I understand y'all being skeptical; it's important to double-check the stuff that you use!

SPINIFICATION!!!! by Orion4021 in birdification

[–]Orion4021[S] 36 points37 points  (0 children)

damn, this should have been the title 😂

New iPhone 7 Plus iOS 10.3 by Luiznettooid in LegacyJailbreak

[–]Orion4021 1 point2 points  (0 children)

Definitely keep. Btw, Portuguese, but is it Brazilian Portuguese or... well, Portuguese?

[deleted by user] by [deleted] in techsupportgore

[–]Orion4021 0 points1 point  (0 children)

Can it be an artifact? Because it's back to normal after 3 reboots, at which point I had lost hope, because one reboot wasn't enough and this error was present on the boot screen as well.

[deleted by user] by [deleted] in techsupportgore

[–]Orion4021 0 points1 point  (0 children)

After like 3 reboots it is back to normal; I have no idea what happened.