
Windows Defender: Virus detected in release download 1.7.2 #252

Closed
Spafbi opened this issue Apr 11, 2020 · 6 comments

Comments

@Spafbi

Spafbi commented Apr 11, 2020

[image]

No virus is detected in the 1.7.1 release. This may be a false positive, but multiple downloads, using browsers or Chocolatey, both result in the downloaded resource being detected as having a trojan.

@ale5000-git
Contributor

ale5000-git commented Apr 11, 2020

Additionally, the virus is only detected in the x86 version of mkbtrfs.exe.

@maharmstone
Owner

Not this again... virus checkers love to pick on this file, for some reason.

This is a false positive - the only thing that changed in mkbtrfs.exe between 1.7.1 and 1.7.2 was the version number:

$ objdump -M intel -d 1.7.1/Release/x86/mkbtrfs.exe > 171.txt
$ objdump -M intel -d 1.7.2/Release/x86/mkbtrfs.exe > 172.txt
$ diff -u 171.txt 172.txt
--- 171.txt     2020-04-11 20:44:56.836554594 +0100
+++ 172.txt     2020-04-11 20:45:02.402594144 +0100
@@ -1,5 +1,5 @@
 
-1.7.1/Release/x86/mkbtrfs.exe:     file format pei-i386
+1.7.2/Release/x86/mkbtrfs.exe:     file format pei-i386
 
 
 Disassembly of section .text:
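Review bot: the listing only proves that nothing in the disassembled code changed, because `objdump -d` covers executable sections (here `.text`) and not `.rsrc`, where the version resource lives, or `.data`/`.rdata`. The single differing line (the file-name header) therefore supports "the code is identical" but does not by itself show that the version number is the only other difference; dumping the remaining sections too (for example `objdump -s -j .rsrc` on both builds, or hashing each section) would close that gap and make the false-positive argument complete.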

@Spafbi, could this be a false positive that they've since fixed? I've checked using Windows Defender on my clean 1909 VM, and it didn't find anything.
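The objdump comparison above covers the code section only. The script below is an added example, not code from WinBtrfs or from anyone in this thread, of the same "did anything besides the version number change?" check carried across every section of the PE file: it parses the section table, hashes each section's raw bytes, and reports which sections differ between two builds, so a version-resource-only change shows up as `.rsrc` differing while `.text` stays identical. The function names (`pe_sections`, `compare_builds`, `build_pe`) are this example's own; the two sample images are constructed in the script so it runs offline, and their `.rsrc` payload is a plain string standing in for the real VS_VERSIONINFO resource that a linker would emit.

```python
import hashlib
import struct
import sys

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def pe_sections(data):
    """Return {name: raw bytes} for every section in a PE image.

    Only the DOS header, COFF header and section table are parsed, so this works for
    32- and 64-bit images alike; the optional header is skipped by its declared size.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    sections = {}
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = data[raw_ptr:raw_ptr + raw_size]
    return sections


def section_digests(data):
    """SHA-256 of each section's raw bytes."""
    return {name: hashlib.sha256(raw).hexdigest() for name, raw in pe_sections(data).items()}


def compare_builds(old, new):
    """Per-section verdict: 'same', 'different', or 'missing' when a section exists in only one build."""
    a, b = section_digests(old), section_digests(new)
    verdict = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            verdict[name] = "missing"
        else:
            verdict[name] = "same" if a[name] == b[name] else "different"
    return verdict


# --- constructed sample input (not the real mkbtrfs.exe) ---------------------
def build_pe(sections):
    """Build a minimal PE container from [(name, payload)] pairs.

    The result has a valid DOS/COFF header and section table but no optional header,
    so it is parseable but not loadable; it exists only to exercise the comparison.
    """
    n = len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # i386 machine type, n sections, SizeOfOptionalHeader = 0, IMAGE_FILE_EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0x0102)
    raw_ptr = 0x40 + 24 + SECTION_HEADER.size * n  # raw data follows the section table
    headers, body = b"", b""
    for name, payload in sections:
        headers += SECTION_HEADER.pack(name.ljust(8, b"\0"), len(payload), 0x1000,
                                       len(payload), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload
        raw_ptr += len(payload)
    return dos + coff + headers + body


# push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret -- a constructed x86 stub standing in for .text
CODE = b"\x55\x89\xe5\x31\xc0\x5d\xc3"
# Constructed stand-ins for the version resource that normally lives in .rsrc
OLD_BUILD = build_pe([(b".text", CODE), (b".rsrc", b"FileVersion 1.7.1\0")])
NEW_BUILD = build_pe([(b".text", CODE), (b".rsrc", b"FileVersion 1.7.2\0")])

if __name__ == "__main__":
    if len(sys.argv) == 3:  # real use: python compare_pe.py old.exe new.exe
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            old, new = f.read(), g.read()
    else:
        old, new = OLD_BUILD, NEW_BUILD
    for name, verdict in compare_builds(old, new).items():
        print(f"{name:8} {verdict}")
```

Run it with two real files to get one line per section; on the constructed pair it reports `.rsrc different` and `.text same`, which is exactly the signature of a build that changed nothing but its version resource. Hashing per section rather than the whole file is what makes that distinction visible, since a whole-file hash differs the moment any byte changes.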

@maharmstone
Owner

There's a thread at pyinstaller/pyinstaller#4633, where the developers of another piece of open-source software are venting their frustrations at the same false positive.

I'm going to close this as there's nothing I can do. @Spafbi, you can log it as an issue with Microsoft if you like, but good luck with that. My advice would be to disable Windows Defender and use a better anti-virus tool - ClamAV's never steered me wrong, if you're looking for one.

@ale5000-git
Contributor

Here, in the behaviour detection, it detects C:\Windows\system32\cmd.exe; is it possible that this contributes to the false positives?

@h-vetinari

h-vetinari commented Apr 19, 2020

Sorry for not having seen this.

@maharmstone: This is a false positive - the only thing that changed in mkbtrfs.exe between 1.7.1 and 1.7.2 was the version number:

For me, the same warning appears upon unpacking 1.7.1 and 1.7.0 as well.
