[Bug]: downloading of 1.19.2-1 failing Virus detected !! false positive I hope #540
Comments
Déjà vu?
From: nostromo1940
Sent: 27 December 2023 07:51
To: Romanitho/Winget-AutoUpdate
Subject: [Romanitho/Winget-AutoUpdate] [Bug]: downloading of 1.19.2-1 failing Virus detected !! false positive I hope (Issue #540)
Same here. At VirusTotal, Fortinet marked it as malicious, Arcsight as suspicious. Microsoft Defender blocks it completely, with the link marked as malicious.

It seems only the file "WAU Configurator.lnk" inside the archive is "infected". It runs with elevated privileges, sets the execution policy to Bypass, hides the PowerShell window, recursively unblocks all files in the specified directory (which can be useful for removing the "downloaded from the internet" flag), and then executes the Gui.ps1 script located in the .\WAU\ directory. Creating a shortcut with those parameters doesn't cause it to be flagged, so it seems like there's really something else in the shortcut....
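The comment above lists what the shortcut does (elevation, execution-policy Bypass, hidden window, recursive Unblock-File, then Gui.ps1), which is exactly the combination that heuristic AV engines weigh. A practical way to check such claims against the file itself is to parse the .lnk offline rather than double-clicking it. The following is an added example, not code from the WAU project or from anyone in this thread: a minimal reader for the MS-SHLLINK header flags, ShowCommand and StringData fields, plus a small set of review heuristics. The sample shortcut it builds is constructed here to mirror the behaviours described above; it is not the real "WAU Configurator.lnk", and `assess_shortcut`'s rules are my own choices, not Defender's.

```python
# Added example (not from the WAU project or the thread): inspect a .lnk file
# offline per the MS-SHLLINK layout and name the behaviours it would trigger.
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits from the ShellLinkHeader (offset 0x14)
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7
RUN_AS_USER = 1 << 13  # RunAsUser flag: the shell's "Run as administrator" option sets it

SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimised and unfocused

STRING_FIELDS = (  # StringData order, each present only when its flag is set
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk blob."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (bad HeaderSize or LinkCLSID)")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (u16) followed by the IDList bytes
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (u32) counts the whole structure
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "show_command": show_command}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]  # CountCharacters, no terminator
        offset += 2
        size = count * 2 if unicode else count
        raw = data[offset:offset + size]
        if len(raw) != size:
            raise ValueError(f"truncated StringData field {key}")
        offset += size
        info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252", "replace")
    return info


def assess_shortcut(info: dict) -> list:
    """Heuristics (my own) for what a reviewer should know before trusting a shortcut."""
    target = (info.get("relative_path") or "").lower()
    args = info.get("arguments") or ""
    findings = []
    if "powershell" in target or "pwsh" in target:
        findings.append("launches PowerShell")
    if re.search(r"-e\w*\s+bypass", args, re.I):  # -ExecutionPolicy / -ep / -exec Bypass
        findings.append("sets execution policy Bypass")
    if re.search(r"-w\w*\s+hidden", args, re.I) or info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("hides its window")
    if "unblock-file" in args.lower():
        findings.append("removes Mark-of-the-Web with Unblock-File")
    if info["flags"] & RUN_AS_USER:
        findings.append("requests elevation (RunAsUser flag)")
    return findings


def build_lnk(relative_path: str, arguments: str, working_dir: str = "",
              show_command: int = 1, flags_extra: int = 0) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData + TerminalBlock) for testing."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS | flags_extra
    if working_dir:
        flags |= HAS_WORKING_DIR
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1..3
    header = struct.pack("<I16sIIqqqIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def field(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = field(relative_path) + (field(working_dir) if working_dir else b"") + field(arguments)
    return header + body + struct.pack("<I", 0)  # TerminalBlock closes ExtraData


# Constructed sample mirroring the behaviours described in the thread
# (illustrative only, not the project's shortcut).
SAMPLE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Get-ChildItem .\WAU -Recurse | Unblock-File; & .\WAU\Gui.ps1"',
    working_dir=".",
    show_command=SW_SHOWMINNOACTIVE,
    flags_extra=RUN_AS_USER,
)

if __name__ == "__main__":
    for finding in assess_shortcut(parse_lnk(SAMPLE_LNK)):
        print("-", finding)
```

Run it against a shortcut pulled out of the archive with `parse_lnk(open(path, "rb").read())`; if the findings match what the maintainers say the launcher does, the detection is explained by the behaviour itself rather than by hidden extra content, which is what the comment above was asking.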
This will be a recurring theme as long as the project sticks to using a predefined LNK file. The only way to get rid of this problem is to whitelist this file, but..
.. because that will leave your machine exposed to unnecessary risks. Before Xmas I was planning to write a C# executable which would be used as a windowless launcher for the rest of the WAU family of products. I have it in my public repo but there is a long road before it will be production ready (the compilation workload is missing).

I know, a bit "old school", but wouldn't a bat work and not cause a trigger?

SentinelOne also has a heart attack over every single lnk made or prepackaged by WAU; it also killed and quarantined WAU-Policy.ps1.

As usual, the devil is in the details. Replacing parameters from the LNK file by moving them to a separate file/script will trigger the same "AV panic".

Windows Defender now also lets you download the file without any complaints.

This issue is stale because it has been open for 30 days with no activity.

Thanks :)

Could you please test with the latest pre-release (1.19.2-7)? Small change, but maybe it makes the diff :p

1.19.2-6 and 1.19.2.7 still have this issue with Windows Defender.

I was able to download both without any problems. But my Defender now doesn't complain even on 1.19.1, where the problem first arose.

This issue is stale because it has been open for 30 days with no activity.

This issue was closed because it has been inactive for 14 days since being marked as stale.
The problem
When downloading 1.19.2-1, it fails with "virus detected"; Defender reports detecting Trojan:Script/Wacatac.H!ml
Affected items:
containerfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip
file: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip->Winget-AutoUpdate-main/Sources/WAU Configurator.lnk
webfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip|https://codeload.github.com/Romanitho/Winget-AutoUpdate/zip/refs/heads/main|pid:17136,ProcessStart:133481319344442705
What version of WAU has the issue?
1.19.2-1
What version of Windows are you using (ex. Windows 11 22H2)?
Windows 11 23H2
What version of winget are you using?
v1.7.3481-preview
Log information
No response
Additional information
Detected: Trojan:Script/Wacatac.H!ml
Status: Quarantine failed
Affected items:
containerfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip
file: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip->Winget-AutoUpdate-main/Sources/WAU Configurator.lnk
webfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip|https://codeload.github.com/Romanitho/Winget-AutoUpdate/zip/refs/heads/main|pid:17136,ProcessStart:133481319344442705