FYI, VirusTotal is reporting your exe file contains a trojan. It wouldn’t surprise me if it’s just a false positive with so few virus detections, especially since the app is intended to download and install other code (this kind of logic can easily trigger a false positive for trojan/rat). Afaik, the way to get these issues fixed is give the virus scanning company a copy so they can test/whitelist it.
Also, from my own perspective, having NT launch without entering a password is a nice feature. However, allowing an application access to my password (particularly for financial software) raises alarm bells. Add to that the closed nature of the tool and the lack of any reputation in the industry and I have to pass just on principle.
Considering you are giving away the app for free, why not post the source code on github (or some other code sharing site)? It would go a long way to alleviating any security concerns if the code can be audited.
I’m with Mark. As a former highly paranoid Information Security/IT guy, I would have HUGE reservations about using such a tool. It’s a great concept though. But hard pass from me.
Thanks for pointing this out, it’s a fair thing to look at.
Just for context for anyone reading this, VirusTotal aggregates results from dozens of antivirus engines. It’s not unusual to see one or two engines flag a file while the rest don’t, especially for tools like this. In this case, 69 engines did not detect anything suspicious, which is the more meaningful signal.
The reason a small number of engines might flag it comes down to common heuristics:
The launcher downloads and runs MSI installers from the official NinjaTrader servers. That “download + execute” pattern can resemble a dropper.
It uses UI automation for the login screen, which is something malware can also do.
It includes a self-update mechanism that replaces the executable with a newer version, which can look like self-modifying behavior.
The code is obfuscated with Agile.NET, which limits how easily antivirus engines can inspect it.
When you combine these, it’s not surprising that a small minority of engines might raise a generic flag. That’s why VirusTotal results should be interpreted as a whole rather than focusing on a single detection.
By my guess, if you take pretty much any obfuscated library distributed by a “trusted” vendor and run it through VirusTotal, you’ll likely see similar results. This isn’t specific to this tool, it’s just how these heuristics tend to behave.
That said, this whole security discussion probably deserves its own separate thread. I’d appreciate keeping this topic focused on the product itself, its functionality, and actual user feedback.
That’s a totally fair stance, especially with that kind of background.
Out of genuine curiosity, this actually feels like a perfect case for that “paranoid” approach in practice. Running it in a sandbox, watching its behavior, maybe even inspecting outbound traffic, and then sharing what you find would be really interesting and valuable for everyone here.
If you ever feel like taking a deeper look, I’d definitely be curious to hear your findings.
As a side note, I ran a VirusTotal scan on one of your own binaries from your website and it also shows a detection. That doesn’t mean your software is malicious, it just shows how common false positives are in this space.
Thanks, I put a lot of effort into the UI, I’m glad it shows.
As for open source, it makes a lot of sense if you want others to contribute. But it’s not the direction I want to take. I prefer keeping the IP and not having to deal with others monetizing or exploiting something I’ve spent a lot of time building.
I told AI a random dude is offering everyone an exe on a forum, the app is free and has an awesome UI , his app will store my ninjatrader login details and automatically log me in when the machine starts.
AI basically said this is an obvious scam.
This might be the first scam on this forum since it started.
Calling this an “obvious scam” without looking into it is a bit much.
I’m not some random anonymous guy. My full name is on the website, and I’ve been in the trading space for over 13 years. You can find me on LinkedIn, UpWork, and elsewhere. That kind of history is pretty easy to verify.
Also, realistically - what would I even gain from someone’s NinjaTrader credentials? They’re not tied to your brokerage or bank unless you’re reusing passwords across services, which you absolutely shouldn’t be doing.
That said, I actually encourage the cautious approach. If you’re unsure, run the executable in a sandbox, monitor it, inspect network traffic - seriously. If you find something suspicious, share it. I’d want to know too.
But dismissing it outright without any proof is just… lazy. It’s easy to throw that label around, but it doesn’t help anyone understand what’s actually going on.
If you have specific concerns, bring them up. I’m more than open to addressing them directly.
Could you clarify what “original tool” you’re referring to?
The NinjaTrader login screen itself was introduced on March 4, 2023 (v8.1.1.0), so I’m not sure how an auto-login solution for that specific workflow would exist back in 2017.
That said, I don’t doubt that other developers have built utilities to streamline their workflows, that’s common. I built a CLI tool years ago for personal use with the same functionality the Launcher provides today, and it evolved naturally as NinjaTrader introduced new friction points. The UI is a recent step to make it accessible and share it publicly. It’s not unusual for solutions to overlap.
Just to be clear: this isn’t a fork of any existing project. There’s no complex or proprietary logic behind the Launcher - it’s a simple tool designed to remove repetitive startup friction, which is also why I chose to keep it free.
I’m open to legitimate security concerns, constructive criticism, and discussion. However, claims like this are dismissive and unsubstantiated without any supporting evidence or technical reasoning.
To be fully transparent, I let GPT-5.5 generate a security audit from the launcher source code, and I am attaching it here for anyone who wants to read through it.
I’ll be addressing the valid concerns raised in the audit. In particular, I plan to switch username/password storage to Windows Credential Manager instead of the current custom config-based storage.
Regarding telemetry: I do collect the public IP address when capturing an exception and sending it to Sentry. The reason is support/debugging - it gives me a way to identify the origin of an exception. If a user reports a technical issue and provides me with their IP, I can find the related exception happening on their system and investigate/fix it more effectively.
Regarding the ca.pem patch: this exists because older NinjaTrader versions shipped with an expired certificate, which prevented connections to CQG. The patch is there to restore CQG connectivity for those older NT versions.
This is a very, very, extremely simple software, there’s no need to obfuscate code. And given the fact that you’re holding credentials for a financial application, and you’re based in another country, come on man!
Again, just put it in the freely accessible Ninjatrader directory!
————
You never answered this perfectly valid approach and path from a prior poster.
I dont know if your product is a scam and I am not making any such claims…although if you do end up being a scam then like I mentioned it would be the first one of this forum.
I did notice you joined this forum 2 weeks back, from your linkedin profile I get no evidence that the profile was not created last month, on upwork yes it looks like you did few projects between Dec 2023 and May 2024.
Looking at your profile picture and the image you have on linkedin i get an impression you are a 45 year old bald man sitting in a small room in hong kong. That feeling is based on my earlier experience of interacting with people online on the subject of trading. But hey if this is truly your face and that is truly your house then you have a good life, good on you.
If I was to build a tool like that, I would only monetise it if i am failing miserably as a trader, and even in that case I would make it opensource and request for a coffee once every month rather than an upfront subscription.
The product page spells it out: stored locally, encrypted with Windows DPAPI, tied to your Windows user account, never leaving your machine. That’s the same mechanism Windows itself uses for stored credentials.
What difference would that make? I don’t want to manage two different repositories for versioning.
Since the “why not open source” angle keeps coming up, let me be more specific about why:
The project isn’t an isolated repo. The Launcher lives in a monolith solution alongside the website, other licensed products, and shared infrastructure. Extracting just the Launcher into a clean public repo isn’t a five-minute job, and the effort doesn’t justify it for a free tool I’m maintaining on the side.
Secrets embedded in the build. The self-update mechanism, Sentry crash reporting, and other services rely on API keys and endpoints that are baked into the build pipeline. Publishing the source would mean either exposing those secrets or neutering the project to the point where what you’re reading isn’t what’s actually running - which defeats the purpose of the audit.
Obfuscation is a consequence, not a choice made to hide anything. The codebase shares tooling with licensed products where obfuscation is a legitimate IP protection measure. Stripping it out for one project in a shared solution isn’t practical.
Open source doesn’t automatically equal trustworthy. Most users can’t audit C# source code themselves. The people who can are the same people who can run the binary in a sandbox, watch its network traffic, and inspect what it actually does at runtime - which I’ve already encouraged. A public repo would not meaningfully change the security picture for the vast majority of users.
You are, indirectly - you’re just offsetting the accountability to an AI so you don’t have to own the claim yourself.
If you’ve been in the NT community long enough, you’d know this forum is fairly new and the old one was archived. I had an account there going back to 2017.
I use the same photo across all services. My UpWork identity is verified by a third party against my legal documents. The LinkedIn cover image is a default one LinkedIn provides - it’s not a photo of my home.
https://whis.gg/products/launcher
