optipng.exe detected as malware by Windows Defender #541

Closed
jcgillespie opened this Issue Jan 20, 2014 · 23 comments

jcgillespie commented Jan 20, 2014

Windows Defender has detected the bundled optipng.exe as malware in the last two updates. This happened to me for version 1.7.1 and 1.7.2.

It is detecting it as a password stealer: PWS:Win32/Lineage.gen!C.dam

This was detected by real-time protection during the update process. Virus/Spyware definitions were both at 1.165.2277.0 at the time of the second detection.

Here's a screenshot of Windows Defender
[image: windefend]

and another of the folder to show that the crazily named folder, 03lucxn4.fjq, really is Web Essentials.

[image: folder]

[image: definitions]

Let me know if there is any additional information I can supply.

SLaks (Collaborator) commented Jan 20, 2014

Can you upload it to VirusTotal and see how many virus scanners detect it?

jcgillespie commented Jan 20, 2014

1 of 49 detects it as a possible worm, but "Microsoft" wasn't one of them.
link to results

SLaks (Collaborator) commented Jan 20, 2014

I ran a custom scan on the folder containing that file (downloaded directly from GitHub) using Windows Defender included with Windows 8.1 and it was clean.
I wonder if you have a virus elsewhere that is infecting the file?
Can you check the hash of the actual file that was quarantined?

jcgillespie commented Jan 20, 2014

I ran an on-demand custom scan of that folder with both Win Defender and Malwarebytes Anti-Malware and neither found anything. The SHA256 checksum of the file matches what VirusTotal said it should be...

But I'm also able to reproduce the warning by uninstalling WebEssentials and re-installing it. Something about the install/update is making Win Defender real-time protection unhappy.
[image: reinstalled]

SLaks (Collaborator) commented Jan 20, 2014

From the error in the screenshot, it sounds like Defender is having trouble scanning the file in the first place.
I wonder if this is a bug in WinDefender caused if the file is deleted or moved while it's being scanned...

jcgillespie commented Jan 20, 2014

That makes sense, though it seems odd that it would identify a specific malware if it wasn't done scanning.

Are you able to re-create it with Visual Studio?


ctolkien commented Jan 20, 2014

For what it's worth, we're not having issues with Defender and WE here.

alexdresko commented Jan 22, 2014

My VS is hanging randomly today after installing the latest WE. Installing VS2013 update 1 to see if that helps.

SLaks (Collaborator) commented Jan 22, 2014

Can you attach a debugger and see where it's hanging?

alexdresko commented Jan 22, 2014

I can try. Sysinternals' Process Explorer wasn't very useful in figuring out the culprit, I can tell you that.

SLaks (Collaborator) commented Jan 22, 2014

The VS debugger should give you the full managed stack, which should be much more useful.

teelahti commented Feb 3, 2014

This just happened to me when upgrading to Web Essentials 1.8. Identical malware name. Most likely a Windows Defender false positive on OptiPNG.

JohnnyWalkerDesign commented Mar 7, 2014

Same issue today.

zenzora commented Mar 9, 2014

same here

ChadLevy commented May 19, 2014

Just ran into this myself. First time installing the nightly update (2.1 to 2.1.1). Needless to say, my heart missed a few beats.

Only 2 scans of 53 on VirusTotal came back positive:

Submitted this as a false positive to Microsoft as well.

[image: virus]

schellack commented Aug 7, 2014

I encountered the same issue today when trying to install WebEssentials 2013 for Update 2.

jasonkcarter commented Nov 12, 2014

I encountered the same issue today when installing WebEssentials for VS 2013 Update 4.

rmegal commented Nov 12, 2014

I encountered the same issue today when installing WebEssentials for VS2013 Update 4:

Log Name:      Microsoft-Windows-Windows Defender/Operational
Source:        Microsoft-Windows-Windows Defender
Date:          11/12/2014 2:54:12 PM
Event ID:      1116
Task Category: None
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      RADAR
Description:
Windows Defender has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Lineage.gen!C.dam&threatid=2147583492
    Name: PWS:Win32/Lineage.gen!C.dam
    ID: 2147583492
    Severity: Severe
    Category: Password Stealer
    Path: file:_C:\Users\Ray\AppData\Local\Microsoft\VisualStudio\12.0\Extensions\ernwxrzj.hff\Resources\Tools\optipng.exe
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Program Files\CrashPlan\CrashPlanService.exe
    Signature Version: AV: 1.187.1988.0, AS: 1.187.1988.0, NIS: 113.24.0.0
    Engine Version: AM: 1.1.11104.0, NIS: 2.1.11005.0
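
The event text above carries everything a triager needs to decide whether this is a false positive and to report it with the right definitions build. As an added example that is not part of this thread or of the Web Essentials project, the following Python parses the Defender Operational-log event 1116 description rmegal posted into its fields: the detection name and ID, the file path (with the `file:_` prefix Defender puts in front of it removed, an assumption based on the quoted text), the process whose access triggered the real-time scan (here the CrashPlan backup service, not Visual Studio), and the signature and engine versions to cite when submitting the sample to Microsoft as a false positive. It also includes the SHA-256 comparison done earlier in the thread against the hash VirusTotal reported. The sample event is embedded verbatim so the script runs offline; `KNOWN_FIELDS`, `triage` and `file_hash_matches` are names chosen for this example.

```python
import hashlib
import ntpath
from typing import Dict

# Sample input: the Defender Operational-log event 1116 description quoted in
# this thread (rmegal's comment), embedded so the example runs offline.
SAMPLE_EVENT = r"""Windows Defender has detected malware or other potentially unwanted software.
 For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Lineage.gen!C.dam&threatid=2147583492
    Name: PWS:Win32/Lineage.gen!C.dam
    ID: 2147583492
    Severity: Severe
    Category: Password Stealer
    Path: file:_C:\Users\Ray\AppData\Local\Microsoft\VisualStudio\12.0\Extensions\ernwxrzj.hff\Resources\Tools\optipng.exe
    Detection Origin: Local machine
    Detection Type: Concrete
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Program Files\CrashPlan\CrashPlanService.exe
    Signature Version: AV: 1.187.1988.0, AS: 1.187.1988.0, NIS: 113.24.0.0
    Engine Version: AM: 1.1.11104.0, NIS: 2.1.11005.0
"""

# Field labels as they appear in the event text above (assumed set); the banner
# line and the fwlink URL contain colons too, so only these labels are accepted.
KNOWN_FIELDS = (
    "Name", "ID", "Severity", "Category", "Path", "Detection Origin",
    "Detection Type", "Detection Source", "User", "Process Name",
    "Signature Version", "Engine Version",
)


def parse_defender_event(description: str) -> Dict[str, str]:
    """Split a 1116 event description into its 'Label: value' fields."""
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        label, sep, value = line.partition(":")  # split on the first colon only
        label = label.strip()
        if sep and label in KNOWN_FIELDS:
            fields[label] = value.strip()
    return fields


def parse_versions(value: str) -> Dict[str, str]:
    """'AV: 1.2, AS: 1.2, NIS: 3.4' -> {'AV': '1.2', 'AS': '1.2', 'NIS': '3.4'}."""
    versions: Dict[str, str] = {}
    for part in value.split(","):
        component, sep, number = part.partition(":")
        if sep and component.strip():
            versions[component.strip()] = number.strip()
    return versions


def strip_file_prefix(path: str) -> str:
    # The quoted log writes paths as 'file:_C:\...'; drop that prefix
    # (assumption based on the event text, not on Defender documentation).
    return path[len("file:_"):] if path.startswith("file:_") else path


def triage(description: str) -> Dict[str, object]:
    """Collect the facts a triager needs from one detection event."""
    fields = parse_defender_event(description)
    path = strip_file_prefix(fields.get("Path", ""))
    return {
        "threat": fields.get("Name"),
        "threat_id": int(fields["ID"]) if fields.get("ID", "").isdigit() else None,
        "file_path": path,
        "file_name": ntpath.basename(path),  # ntpath parses Windows paths on any OS
        "triggering_process": fields.get("Process Name"),
        "detection_source": fields.get("Detection Source"),
        "signatures": parse_versions(fields.get("Signature Version", "")),
        "engine": parse_versions(fields.get("Engine Version", "")),
    }


def file_hash_matches(data: bytes, expected_sha256: str) -> bool:
    """Compare a file's SHA-256 with a reference value (e.g. VirusTotal's), ignoring case."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.strip().lower()


if __name__ == "__main__":
    for key, val in triage(SAMPLE_EVENT).items():
        print(f"{key}: {val}")
```

To use it on a real machine, export the event description from Event Viewer (Microsoft-Windows-Windows Defender/Operational, Event ID 1116) and pass it to `triage`; read the file bytes of the flagged executable and pass them with the VirusTotal SHA-256 to `file_hash_matches`. A hash that matches the published binary, together with a triggering process that is merely reading the file, is the combination reported in this thread and is the evidence to attach when filing the false-positive report.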

pennstatephil commented Nov 21, 2014

+1, same as @rmegal. Company IT support is not pleased.

robbihun commented Nov 22, 2014

Same thing here when installing update 4 a few minutes ago... Corporate immediately locked my account, fun times...

datanotion commented Jan 27, 2015

Bah - this just happened to me again with the 2.5.3.1 WE build and the System Center Endpoint Protection 1.191.3403.0 virus definition db. Bummer!

noamkfir commented Jan 31, 2015

This just happened to me while updating WE for VS 2015 to 0.2.26.

The bug should be reopened as it does not seem to have been resolved.

csharpengineer commented Apr 9, 2015

As of today, this is still being found in Forefront Endpoint Protection 2010 (and probably Windows Defender).
