Microsoft Defender for Mac flagging latest version (python-2020.3.69010) inject_dll_x86.exe as malware

[ftssa-sec]

Hello, in our environment yesterday around 9pm EST we received a high volume of alerts flagging the inject_dll_x86.exe file in this extension on a number of our Macs, this may be related to the latest update which I see was on 3/19. Windows Defender ATP is flagging this as malware, looking at previous tickets for older versions, this has been a false positive.

affected file paths:

flagged as: Gen:Trojan.Heur.RP.nyY@a0lLHJi
/.vscode/extensions/ms-python.python-2020.3.69010/pythonFiles/lib/python/debugpy/no_wheels/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_x86.exe/

flagged as: Gen:Trojan.Heur.RP.nyY@aKhVwOf
/vscode/extensions/ms-python.python-2020.3.69010/pythonFiles/lib/python/debugpy/wheels/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_x86.exe/

Environment data

• VS Code version: 1.43.0
• Extension version (available under the Extensions sidebar): 2020.3.69010
• OS and version: mac OS 10.14.6

[karthiknadig]

@ftssa-sec Can you check what the signature on that file says? It should be:

Can you also verify the sha1 hash for these files? they should be:

sha1
d164c8180b631e1842ae28182219551cd67924da	/.vscode/extensions/ms-python.python-2020.3.69010/pythonFiles/lib/python/debugpy/wheels/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_x86.exe
cb1e4727b61d35566e6a703380973b65d610b15e	/.vscode/extensions/ms-python.python-2020.3.69010/pythonFiles/lib/python/debugpy/no_wheels/debugpy/_vendored/pydevd/pydevd_attach_to_process/inject_dll_x86.exe

Note that this exe is used to inject debugger into an existing running process. It is signed so I am not sure why it is being flagged.

/cc @int19h @fabioz

[fabioz]

It's strange that the executable is flagged on Mac... @karthiknadig do you know if Macs check windows signatures or would we need yet another signature for Mac?

[ftssa-sec]

Yes it does appear to have the correct signature and hashes match as well.

[ftssa-sec]

It's strange that the executable is flagged on Mac... @karthiknadig do you know if Macs check windows signatures or would we need yet another signature for Mac?

One thing to note is that we have not seen any alerts from Windows machines yet, only Macs have been alerting.

[karthiknadig]

@fabioz @ftssa-sec Defender team is notified of this issue, and they are investigating it.

[karthiknadig]

Defender team believes this is issue with defender and they have deployed a fix.