Label Updater so Windows RansomWare knows what it is. #6042

Open
Midnex opened this issue Sep 16, 2019 · 4 comments
Comments

@Midnex commented Sep 16, 2019

Description

When Brave attempts to update it runs an exe called setup.exe. This program is generically named and flagged by Windows Ransomware protection. It simply sees it as Setup.exe with no further information. Searching for the file and seeing it has the same time stamp as the alert finally made me realize it was Brave trying to update, though I had it blocked via Ransomware protection.

Steps to Reproduce

  1. Enable Ransomware Protection in Windows
  2. Attempt to update Brave
  3. Watch as Windows flags and blocks the installation.

Expected result:

To show BraveSetup.exe or something to say it's not some generic virus trying to be installed. I blocked it for 4 months until I finally decided to check it out.

@rebron (Collaborator) commented Sep 17, 2019

cc: @Brave-Matt Do you see any more reports on this, being flagged/blocked by Windows Ransomware? I'd think we'd see more reports.

@rebron rebron added this to Untriaged Backlog in General Sep 19, 2019
@Midnex (Author) commented Sep 20, 2019

I can't imagine you would see too many more, as Ransomware Protection isn't super popular or on by default. Then pairing it with the inability of Windows to say who the vendor of a piece of software belongs to. All they get is setup.exe with no further info. Digging deeper into things was the only reason I found it.

@rebron rebron moved this from Untriaged Backlog to Needs Info/Waiting Upstream in General Sep 24, 2019
@rebron rebron moved this from Needs Info/Waiting Upstream to P5 Backlog in General Sep 24, 2019
@mkarolin (Contributor) commented Sep 24, 2019

Not sure what specifically causes Windows Defender to identify the exe as ransomware, but getting an EV signing cert may help with Windows Defender in general (https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/)

@Midnex (Author) commented Sep 25, 2019

Windows Defender is not identifying it as ransomware. It is blocking access to it, as it is trying to access folders it does not have privileges to access. In this case %common_desktop%, from the application setup.exe, as it is a controlled folder.

What Ransomware Protection does when enabled is lock down key locations where users store their files, such as the Desktop, My Documents, and other key areas. It also protects certain memory addresses and system files. Thus ransomware cannot encrypt your data without you giving it access by selecting Allow on device.

Since Brave's updater is named setup.exe, accessing %common_desktop% is blocked by default, as intended by the default settings. Every time the application changes, it will alert the user that it has been blocked and they can allow access if they trust it.

And again, since it is named setup.exe, little to no one will accept it blindly.

Thus the resolution is to change setup.exe to BraveSetup.exe or similar, so it can be identified by the user when it triggers an alert from Ransomware Protection.

It would be an extremely easy fix.
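Added example (not from this thread or the Brave project): a defender-side PowerShell check showing how Controlled Folder Access, the feature behind the Ransomware protection toggle described above, records a block, and how to identify and verify the blocked binary by its signature rather than its file name before allowing it. It assumes Windows 10/11 with Microsoft Defender Antivirus and an elevated session, that event ID 1123 in the Defender Operational log is the block record (1124 the audit-mode one) and that its message carries `Path:` and `Process Name:` fields; `C:\Path\To\setup.exe` is a placeholder.

```powershell
# Added example; not Brave's code. Assumes an elevated PowerShell on Windows 10/11
# with Microsoft Defender Antivirus.

# 1. Is Controlled Folder Access (the "Ransomware protection" toggle) on?
#    0 = Disabled, 1 = Enabled (block), 2 = Audit mode, 3 = Block disk modification only
$pref = Get-MpPreference
"Controlled Folder Access mode: $($pref.EnableControlledFolderAccess)"
"Protected folders:";    $pref.ControlledFolderAccessProtectedFolders
"Allowed applications:"; $pref.ControlledFolderAccessAllowedApplications

# 2. Find what was blocked. Assumption: Defender logs CFA blocks as event ID 1123
#    in its Operational log, and the message names the blocked process and the
#    protected folder it touched. That is how a generic "setup.exe" can be tied
#    back to the directory (and therefore the vendor) it was launched from.
$blocked = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123
} -MaxEvents 50 -ErrorAction SilentlyContinue

foreach ($e in $blocked) {
    # Pull "Process Name: <exe path>" and "Path: <protected folder>" out of the
    # rendered message text (field names assumed from the event layout).
    $proc   = if ($e.Message -match 'Process Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
    $target = if ($e.Message -match '\bPath:\s*(.+)')       { $Matches[1].Trim() } else { '?' }
    "{0}  {1}  ->  {2}" -f $e.TimeCreated, $proc, $target
}

# 3. Before allowing anything, check the publisher via the Authenticode signature.
#    The name "setup.exe" says nothing; the signer certificate does.
$exe = 'C:\Path\To\setup.exe'   # placeholder: take the real path from the event above
$sig = Get-AuthenticodeSignature -FilePath $exe
"Signature: $($sig.Status)  Signer: $($sig.SignerCertificate.Subject)"

# 4. Only a validly signed binary, identified by full path, gets allowed through CFA.
if ($sig.Status -eq 'Valid') {
    Add-MpPreference -ControlledFolderAccessAllowedApplications $exe
}
```

The allow-list entry is by full path, so an updater that unpacks a fresh setup.exe into a new temporary directory on each run will trigger a new block each time, which matches the behaviour the comment above describes.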

@mbacchi mbacchi added this to Untriaged Backlog in User Requests / Install Improvements via automation Apr 7, 2020