Squirrel.exe gets quarantined as a virus threat with each ATOM update by Cylance Protect #16986

Closed
wurmtal868 opened this Issue Mar 19, 2018 · 9 comments

wurmtal868 commented Mar 19, 2018

Prerequisites

Description

Each time ATOM.IO receives an update, squirrel.exe gets quarantined by Cylance Protect as a suspicious threat.

Steps to Reproduce

  1. Check if you have Cylance Protect installed (screenshot: cylance)

  2. Apply an update

  3. Wait for the popup (screenshot: cylance_threat)

Expected behavior:
I expect that the updater does not behave like a virus.

Actual behavior:
Help > About now shows ATOM version 1.24.1 x64 while the command line still shows version 1.24.0.
I have folders for the latest and all previously installed versions of ATOM on my system.

Reproduces how often:
I have seen this on the updates from 1.23.3 -> 1.24.0 and 1.24.0 -> 1.24.1.

Versions

I'm using it on two systems, one with Windows 7 and the other with Windows 10.

atom --version:
Atom : 1.24.0
Electron: 1.6.16
Chrome : 56.0.2924.87
Node : 7.4.0

apm --version:
apm 1.18.12
npm 3.10.10
node 6.9.5 x64
atom 1.24.0
python 2.7.14
git
visual studio

Additional Information

It seems that squirrel.exe has different checksums although the file size has not changed from the previous version. That may make it look like a mutating virus.

Floakey commented Mar 19, 2018

This is expected from NGAV products like Cylance/Carbon Black/whatever. They look at not just the signatures (sha256 hash in most cases) but the behavior of the application, processes started, commands run, invocations, etc. There is not much a developer can do to prevent this. Until the ngav provider has had a chance to scan and whitelist the application, this will continue to happen. You'll either have to add a policy exclusion for the path the .exe runs from or whitelist the process itself.

Exclusion would look something like:

\Users*\AppData\Local\Atom\app*\squirrel.exe

**edits: adding exclusion and formatting

wurmtal868 commented Mar 19, 2018

In our enterprise environment I'm not in a position to get any version of squirrel.exe whitelisted.
The version that came with 1.24.0 was quarantined and whitelisted on request. I cannot get an exclusion for the upper-level path. So the update to version 1.24.1 was quarantined again. What else can I do?

Floakey commented Mar 19, 2018

Often, once the ngav providers see the update and can scan - it ends up being listed as a known_good application and will work within 24 hours. If not, I would contact a member of your IT team to discuss with them.

Floakey commented Mar 19, 2018

My suggestion being wait and try again tomorrow.

lee-dohm commented Mar 19, 2018

I can understand that this is frustrating. However, attempting to convince the myriad anti-virus systems that our installer is safe is not something that we're going to be devoting any significant time to. Figuring out a system that allows us to easily install, dynamically update, and isn't flagged by all anti-virus systems just isn't our area of expertise or what we're interested in working on. Since this isn't something that we're going to prioritize, I'm going to close this.

@lee-dohm lee-dohm closed this Mar 19, 2018

TheGoobertron commented Apr 19, 2018

If squirrel.exe was signed it would be much easier for people to whitelist this using certificate based whitelisting. That way future iterations will not be quarantined by the AV.
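The reporter's observation that each update ships a squirrel.exe with the same size but a different checksum, and the suggestion above that a signed binary could be allowed by certificate instead of by hash, can both be checked from the affected machine. The script below is an added example, not part of the issue or of Atom's own tooling; it assumes the `%LOCALAPPDATA%\Atom\app*\squirrel.exe` layout implied by the exclusion path quoted earlier in the thread.

```powershell
# Added example (not from the issue): inventory every squirrel.exe left behind
# by the updater under %LOCALAPPDATA%\Atom\app*\ and report, per copy, its
# size, SHA-256 and Authenticode status. The folder layout is an assumption
# taken from the exclusion path quoted in the thread.
$root    = Join-Path $env:LOCALAPPDATA 'Atom'
$pattern = Join-Path $root 'app*\squirrel.exe'
$files   = Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue

if (-not $files) {
    Write-Warning "No squirrel.exe found under $root"
    return
}

$report = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Folder     = $f.Directory.Name
        Bytes      = $f.Length
        Sha256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        SigStatus  = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '-' }
    }
}

$report | Sort-Object Folder | Format-Table -AutoSize

# Same byte count but differing SHA-256 across app* folders is exactly the
# pattern the reporter saw: a hash-based exclusion has to be re-requested
# after every update, whereas a signer-based exclusion survives it.
$report | Group-Object Bytes |
    Where-Object { ($_.Group.Sha256 | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        $n = ($_.Group.Sha256 | Select-Object -Unique).Count
        Write-Host ("Same size ({0} bytes) but {1} distinct SHA-256 values in: {2}" -f
            $_.Name, $n, ($_.Group.Folder -join ', '))
    }

# Copies without a valid Authenticode signature cannot be covered by a
# certificate-based allow rule at all; only a path or hash exclusion remains.
$report | Where-Object { $_.SigStatus -ne 'Valid' } | ForEach-Object {
    Write-Host ("{0}: signature status {1}; certificate-based whitelisting not possible" -f
        $_.Folder, $_.SigStatus)
}
```

Run it in a normal user session on the affected workstation; if every copy reports `NotSigned`, that confirms why a certificate-based allow rule is not an option and a per-version exclusion keeps being needed.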

dancapper commented Jul 16, 2018

Seconding the above - this is a major issue in many corp environments now - if the executables were signed then it's easy to just trust the certificate and it avoids this problem.

TyrelCB commented Jul 25, 2018

Downloading the Zip, extracting, and running from there works like a charm if you're running into issues with the install due to Cylance.

lock bot commented Jan 21, 2019

This issue has been automatically locked since there has not been any recent activity after it was closed. If you can still reproduce this issue in Safe Mode then please open a new issue and fill out the entire issue template to ensure that we have enough information to address your issue. Thanks!

@lock lock bot locked as resolved and limited conversation to collaborators Jan 21, 2019
