
Windows Defender thinks paket 5.151.3 is a trojan #3121

Closed
tabro opened this Issue Mar 15, 2018 · 17 comments

8 participants

tabro commented Mar 15, 2018

Description

I started having issues fetching paket.exe through paket.bootstrapper.exe.
When the bootstrapper tries to fetch paket.exe, Windows Defender removes the file and claims that the file contains the trojan "Win32/Critet.BS".

[image: screenshot of the Windows Defender alert]

Repro steps

  1. Run the bootstrapper on a machine with Windows Defender.

Expected behavior

No virus alert - paket.exe is downloaded.

Actual behavior

Virus alert - paket.exe is deleted

Known workarounds

Run paket.bootstrapper.exe 5.151.2

eiriktsarpalis (Member) commented Mar 15, 2018

Got exactly the same behaviour just now.

TheAngryByrd (Contributor) commented Mar 15, 2018

Other people have started seeing this issue: https://forum.kerbalspaceprogram.com/index.php?/topic/172357-trojanwin32critetbs/

Probably need to contact the vendor and tell them it's a false positive. They're probably using some strings search or a yara rule to match on some bytes that some malware uses but clearly it's too broad of a match.

theimowski (Member) commented Mar 15, 2018

Same happened here

forki (Member) commented Mar 15, 2018

So the "fun" thing is: even I can't download it. I mean, that file was created on my machine and Defender didn't complain. Now it's complaining on the download.

Anyway: I uploaded the latest alpha to virustotal and they say it's clean
https://www.virustotal.com/de/file/261d82cfe4a7b4f2fbc800f298fa8caf310031a548e146dedb8ee9e2643ff126/analysis/

forki (Member) commented Mar 15, 2018

can someone please test with latest alpha? is that one flagged as well?

eiriktsarpalis (Member) commented Mar 15, 2018

@forki confirming that latest alpha has no issues for me

piotrg18 commented Mar 15, 2018

Same for me, latest alpha works fine.

forki (Member) commented Mar 15, 2018

wtf!?

forki (Member) commented Mar 15, 2018

I will now push a zero-diff release on top of 5.151.3 because the alpha is not ready. Hopefully that's enough.

richardjharding commented Mar 15, 2018

I downloaded 5.152.0-alpha002 paket.exe and copied it in place; Windows was happy with that. Before, I was seeing the error above from Defender.

forki (Member) commented Mar 15, 2018

OK, 5.151.4 is released. Can someone please check?

eiriktsarpalis (Member) commented Mar 15, 2018

Works 👍

forki (Member) commented Mar 15, 2018

lol. So if I'd ever develop a real virus, then all I need to do is add a comment somewhere to change the hash of the exe!? WTF!

forki closed this Mar 15, 2018
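The two observations in this thread (TheAngryByrd's guess that the detection is a byte-pattern rule, and forki's point that a zero-diff rebuild that only changes the file hash was enough to stop the alert) describe two different kinds of signature. The script below is an added illustration, not Paket's code and not anything Defender actually does: it runs a constructed stand-in binary through a hypothetical hash-only blocklist and a hypothetical YARA-style byte-pattern rule, then rebuilds the sample with one version string changed (as in the 5.151.3 to 5.151.4 rebuild) and scans it again. The hash rule stops firing, the pattern rule does not, which is why a hash-keyed entry says nothing about whether the file is clean. It also includes the check a practitioner wants before trusting a VirusTotal link like the one above: confirm that the local file's SHA-256 equals the hash in the report URL, otherwise the report is for different bytes. The rule names, blocklist contents and sample bytes are all constructed for the example.

```python
"""Hash-based vs. content-based detection on a constructed sample binary.

Added example; the samples, rules and blocklist are all hypothetical and are
not taken from Paket, Windows Defender or any real signature database.
"""
import hashlib
import re

# Constructed stand-in for a small PE-like file: MZ stub, "PE" marker, an
# embedded version string and a benign message string. Not a real paket.exe.
SAMPLE_V1 = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    + b"paket version 5.151.3\x00"
    + b"hello from paket bootstrapper\x00"
)
# "Zero-diff" rebuild: identical code, only the version string differs.
SAMPLE_V2 = SAMPLE_V1.replace(b"5.151.3", b"5.151.4")


def sha256_hex(data: bytes) -> str:
    """Full-file SHA-256 as lowercase hex (the same hash VirusTotal keys on)."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical hash-only blocklist: keyed on the exact bytes of one build.
HASH_BLOCKLIST = {
    sha256_hex(SAMPLE_V1): "hypothetical hash-only entry for sample v1",
}

# Hypothetical YARA-style rule: a byte pattern matched anywhere in the file.
# Deliberately over-broad (a common benign string) to mimic a false positive.
PATTERN_RULES = {
    "overbroad-string-rule": re.compile(rb"hello from paket"),
}


def scan(data: bytes) -> dict:
    """Return which rule kinds fire for `data`: {'hash': label|None, 'pattern': [names]}."""
    hits = {"hash": None, "pattern": []}
    digest = sha256_hex(data)
    if digest in HASH_BLOCKLIST:
        hits["hash"] = HASH_BLOCKLIST[digest]
    for name, rule in PATTERN_RULES.items():
        if rule.search(data):
            hits["pattern"].append(name)
    return hits


def matches_reference(data: bytes, expected_sha256: str) -> bool:
    """True if the local bytes are exactly what a reference report (e.g. a
    VirusTotal URL containing the SHA-256) analysed; case-insensitive hex."""
    return sha256_hex(data) == expected_sha256.strip().lower()


def demo() -> dict:
    """Scan both builds and summarise how each signature kind behaves."""
    v1, v2 = scan(SAMPLE_V1), scan(SAMPLE_V2)
    return {
        "hash_changed": sha256_hex(SAMPLE_V1) != sha256_hex(SAMPLE_V2),
        "hash_rule_v1": v1["hash"] is not None,
        "hash_rule_v2": v2["hash"] is not None,   # evaded by the rebuild
        "pattern_rule_v1": bool(v1["pattern"]),
        "pattern_rule_v2": bool(v2["pattern"]),   # still fires: same content
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("v1 sha256:", sha256_hex(SAMPLE_V1))
    print("v2 sha256:", sha256_hex(SAMPLE_V2))
```

The practical takeaway matches the thread: a rebuild that changes the hash only tells you the vendor's entry was keyed on that one build (or that the vendor has since fixed the signature), not that the content was ever malicious or ever clean. Before relying on a VirusTotal report, hash the file you actually received and compare it with `matches_reference`; if the hashes differ, the report was for other bytes.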

matthid (Member) commented Mar 15, 2018

Maybe we just had a hash conflict :)

forki (Member) commented Mar 16, 2018

If someone knows someone from the Defender team, it would be nice if they could look into this.

TheAngryByrd (Contributor) commented Mar 16, 2018

Had some contacts get in touch. This was their response:

    found the signature author, will let you know.
    PS you don't need to know somebody https://www.microsoft.com/en-us/wdsi/filesubmission
    those are monitored 24/7
    should be good now
