Trojan:Win32/Zpevdo.B #233
Comments
|
Hi, Thanks for your report. Yes, I also saw that a few days ago, a Windows update of Windows Defender decided that FreeRDP is a threat. This is a false positive of course, but it breaks Myrtille by quarantining the FreeRDP executable. The next entry you will have in This is what I posted a fews ago on the Myrtille group (I should had created an issue here after that):
This happened on a Windows Server 2016. On which OS did you had this problem ? |
|
Hello, i Anyway is it possible to take screen shot from remote desktop with pure php via curl or some manipulation with sockets? Best regards |
|
It must be due to a recent Windows update (less than 10 days), which in turn updated the Windows Defender threats database. That's why this issue didn't happened before. It might be due to the fact the FreeRDP executable is not signed (same issue here: stride3d/stride#285 or here). I will see to do that, along with the other myrtille binaries (including the installer). Meanwhile, false positives can be reported to Microsoft here: https://www.microsoft.com/en-us/wdsi/filesubmission To reply to your last question, it would be difficult taking screenshots with php, moreover in virtualized sessions, and with a huge loss of performance if even possible. |
|
I verified this happen since Windows Defender 1.325.805.0 (latest: https://www.microsoft.com/en-us/wdsi/defenderupdates). As a side note, Windows Defender can be configured to prompt the user for action instead of quarantining files silently... |
|
I reported the false detection to Microsoft which reacted quite switfly. It should be fine now: |
I assume you mean https://www.microsoft.com/en-us/wdsi/filesubmission, right? |
|
Yes (wrong link copy&paste) |
|
Turns out it doesn't actually get detected anymore - I guess whatever fixed it for your project also fixed it for mine. Thanks for taking care of it! |
|
Hi! Today I tried to install Myrtille 2.9.0.
|
|
Hi @AceMoneus thanks for your input. MSI files aren't executable files, they are a database containing compressed data for After installation, the Myrtille binaries (exe and dlls) aren't detected by any AV (except wfreerdp.exe, as a false positive). The Myrtille 2.8.1 MSI (and the versions before) wasn't detected by any AV. Nothing changed in 2.9.0 except the false positive detection of wfreerdp; so I guess it must have come from that. As explained, FreeRDP does many things low level, a recent feature might have triggered this detection (for example usbredirect, recently added to FreeRDP). I will continue to investigate. I already checked my build machine and it's clean (I guess the other executables would have been infected otherwise, which is not the case). |
|
By the way, did you updated Windows Defender (via Windows Updates) to latest definition? (>= 1.325.945.0) |
|
Ah, ok. I was thinking of msi:s as a sort of kompressed folders. Like most antivirus agents do open zip-files and examine the content. |
|
Closing now. I will sign the Myrtille executables (including the FreeRDP fork) into a next version and re-check then. |
Affected items:
file: C:\Program Files (x86)\Myrtille\bin\wfreerdp.exe
2020-10-16 07:52:12,065 [4] INFO System.Diagnostics redirection [(null)] - Connecting remote session *, type RDP, security AUTO, server (:port) *, vm (none), domain (none), user , program (none)
2020-10-16 07:52:12,518 [4] ERROR System.Diagnostics redirection [(null)] - Failed to start the host client process, remote session * (System.ComponentModel.Win32Exception (0x80004005): Operation did not complete successfully because the file contains a virus or potentially unwanted software
at System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo)
at Myrtille.Services.RemoteSessionProcess.StartProcess(Guid remoteSessionId, HostType hostType, SecurityProtocol securityProtocol, String serverAddress, String vmGuid, String userDomain, String userName, String startProgram, Int32 clientWidth, Int32 clientHeight, Boolean allowRemoteClipboard, Boolean allowPrintDownload, Boolean allowAudioPlayback))
The text was updated successfully, but these errors were encountered: