
[Bug]: downloading of 1.19.2-1 failing, virus detected !! false positive I hope #540

Closed
nostromo1940 opened this issue Dec 27, 2023 · 15 comments
Labels: bug (Something isn't working), stale

Comments

@nostromo1940

The problem

Downloading 1.19.2-1 fails with "virus detected"; Defender reports detecting Trojan:Script/Wacatac.H!ml
Affected items:
containerfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip
file: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip->Winget-AutoUpdate-main/Sources/WAU Configurator.lnk
webfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip|https://codeload.github.com/Romanitho/Winget-AutoUpdate/zip/refs/heads/main|pid:17136,ProcessStart:133481319344442705

What version of WAU has the issue?

1.19.2-1

What version of Windows are you using (ex. Windows 11 22H2)?

Windows 11 23H2

What version of winget are you using?

v1.7.3481-preview

Log information

No response

Additional information

Detected:Trojan:Script/Wacatac.H!ml
Status:Quarantine failed


@nostromo1940 nostromo1940 added the bug Something isn't working label Dec 27, 2023

@taffit

taffit commented Dec 28, 2023

Same here. At VirusTotal, Fortinet marked it as malicious, ArcSight as suspicious. Microsoft Defender blocks it completely, with the link marked as malicious.
This came in with the last build! For the previous release, everything is OK. I would treat this as malicious until further notice. The link previously looked completely different. This is what Defender reports (can't download the file to verify):

webfile: C:\~tmp\WAU-Configurator.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/448617645/e7710ebc-d105-4d9d-9723-5186d3ebf3fa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231228%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231228T155814Z&X-Amz-Expires=300&X-Amz-Signature=2d4c54f3fe7fa7d8a904802b3394447d24cfff0e1ce2a9743664e97082ad97f1&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=448617645&response-content-disposition=attachment%3B%20filename%3DWAU-Configurator.zip&response-content-type=application%2Foctet-stream|pid:5936,ProcessStart:133482532884740429

@leberschnitzel

It seems that only the file "WAU Configurator.lnk" inside the archive is "infected".
The shortcut does the following:
%WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; ".\WAU\Gui.ps1"}"

It runs with elevated privileges, sets the execution policy to Bypass, hides the PowerShell window, recursively unblocks all files in the specified directory (which can be useful for removing the "downloaded from the internet" flag), and then executes the Gui.ps1 script located in the .\WAU\ directory.

Creating a shortcut with those parameters doesn't cause it to be flagged, so it seems like there's really something else in the shortcut....

@AndrewDemski-ad-gmail-com
Contributor

AndrewDemski-ad-gmail-com commented Jan 7, 2024

This will be a recurring theme as long as the project sticks to using a predefined LNK file.
It will always be some GEN.TROYAN.XYZ or GEN.BADSTUFF.123.
It's all about the detection method used by your AV software.
Those are reloaded with every AV definition update, and there is nothing we could do to satisfy all AV products on the market.

The only way to get rid of this problem is to whitelist this file, but..

  • You cannot whitelist a part of a zipped archive
  • You should not whitelist the download folder of your web browser or the temp folder

.. because that will leave your machine exposed to unnecessary risks.
Malware does not appear on your machines by itself, and you do not create it yourself; it is usually downloaded from external systems.

Before Xmas I was planning to write a C# executable which would be used as a windowless launcher for the rest of the WAU family of products. I have it in my public repo, but there is a long road before it will be production ready (the compilation workload is missing).

@leberschnitzel

I know, a bit "old school", but wouldn't a bat work and not cause a trigger?
%WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; "%~dp0WAU\Gui.ps1"}"

@GhostlyCrowd

SentinelOne also has a heart attack over every single .lnk made or prepackaged by WAU; it also killed and quarantined WAU-Policy.ps1.

@AndrewDemski-ad-gmail-com
Contributor

I know, a bit "old school", but wouldn't a bat work and not cause a trigger? %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; "%~dp0WAU\Gui.ps1"}"

As usual, the devil is in the details.
Simply detecting a command for PowerShell to disable/bypass its code execution protection and hide the executed command/command window is enough information for the AV to raise an alarm.

Replacing parameters from the LNK file by moving them to a separate file/script will trigger the same "AV panic".
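A defender-side check for the kind of shortcut taken apart in leberschnitzel's earlier comment and discussed again here, as an added example that is not part of the WAU project or of any comment in this thread: it reads a .lnk through the standard WScript.Shell COM object (which parses the shortcut without launching its target) and reports which of the indicators named in this thread are present in its arguments. The function name Get-LnkRiskReport and the sample path are assumptions.

```powershell
# Added example, not WAU project code: inspect a shortcut before running it.
function Get-LnkRiskReport {
    param([Parameter(Mandatory = $true)][string]$LnkPath)

    # WScript.Shell.CreateShortcut only parses the .lnk; it never executes the target.
    $shell     = New-Object -ComObject WScript.Shell
    $lnk       = $shell.CreateShortcut((Resolve-Path -LiteralPath $LnkPath).Path)
    $argString = [string]$lnk.Arguments

    # Indicators this thread identifies as enough for an AV to alert on:
    # execution-policy bypass, hidden window, and recursive Unblock-File
    # (which strips the "downloaded from the internet" zone marker).
    $indicators = @(
        @{ Name = 'ExecutionPolicy bypass';            Pattern = '-(ep|ExecutionPolicy)\s+Bypass' }
        @{ Name = 'Hidden window';                     Pattern = '-(w|WindowStyle)\s+h(idden)?\b' }
        @{ Name = 'Unblock-File (removes zone marker)'; Pattern = 'Unblock-File' }
    )

    $flags = New-Object System.Collections.Generic.List[string]
    if ($lnk.TargetPath -match 'powershell(\.exe)?$') { $flags.Add('Target is PowerShell') }
    foreach ($i in $indicators) {
        if ($argString -match $i.Pattern) { $flags.Add($i.Name) }
    }

    # A single indicator is common in benign admin shortcuts; the combination is
    # what the thread observes being flagged, so that is what gets the verdict.
    $verdict = if ($flags.Count -ge 3) { 'Review before running' } else { 'No combined indicators' }

    [PSCustomObject]@{
        Path       = $LnkPath
        Target     = $lnk.TargetPath
        Arguments  = $argString
        WorkingDir = $lnk.WorkingDirectory
        Indicators = $flags.ToArray()
        Verdict    = $verdict
    }
}

# Usage (path assumed: wherever the downloaded archive was extracted):
# Get-LnkRiskReport -LnkPath '.\Winget-AutoUpdate-main\Sources\WAU Configurator.lnk'
```

For the shortcut quoted in this thread the report lists all four indicators, which is exactly the combination the AV heuristics react to; the same check applied to a .bat wrapper would need to read the batch file's text instead, since the point made above is that moving the arguments does not remove them.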

@taffit

taffit commented Jan 18, 2024

Windows Defender now also lets you download the file without any complaints.
A small section in the ReadMe explaining potential false alarms and why these can happen (with a link to this issue) may help in the future, as users then already know that this is known and most probably just a false positive and that within days the AV will have corrected it.
Btw, thank you for this wonderful piece of software ...


This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Feb 18, 2024
@Romanitho
Owner

Thanks :)
Anyway, for the next version we probably need to think about another way to have it simple without antivirus screaming. I thought a "shortcut" would be simple, but I underestimated antiviruses :p

@github-actions github-actions bot removed the stale label Feb 20, 2024
@Romanitho
Owner

Romanitho commented Feb 20, 2024

Could you please test with the latest pre-release (1.19.2-7)? Small change, but maybe it makes the diff :p

@rvtdadmin

Could you please test with the latest pre-release (1.19.2-6)? Small change, but maybe make the diff :p

1.19.2-6 and 1.19.2.7 still have this issue with Windows Defender.

@taffit

taffit commented Feb 23, 2024

I was able to download both without any problems. But my Defender now doesn't complain even on the 1.19.1, where the problem first arose.


This issue is stale because it has been open for 30 days with no activity.

@github-actions github-actions bot added the stale label Mar 25, 2024

github-actions bot commented Apr 8, 2024

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 8, 2024
7 participants