Portable zip flagged as malicious #927

Open
robgazy opened this issue Dec 7, 2024 · 8 comments
Comments

@robgazy

robgazy commented Dec 7, 2024

UltraStarDeluxe-portable-2024.10.0.zip flagged as malicious

7/68 security vendors flagged this file as malicious
712f5cd4d60004c7702107b4e2d35febc503c5c579cf9c5f33993f84793672fd
UltraStarDeluxe-portable-2024.10.0.zip

[image attachment: scan report screenshot]

@LeighBicknell

The installer too
[image attachment: scan report screenshot]

@s09bQ5 (Collaborator)

s09bQ5 commented Dec 8, 2024

@robgazy (Author)

robgazy commented Dec 8, 2024

Windows Security blocks the file and will not install or extract.

Threat Blocked: Severe
Detected: Trojan:Script/Wacatac.B!ml
Status: Quarantined
Quarantined files are in a restricted area where they can't harm your device. They will be removed automatically.
Details: This program is dangerous and executes commands from an attacker.
Affected items: file: C:\Users\xyza\Downloads\UltraStarDeluxe-portable-2024.10.0.zip

@s09bQ5 (Collaborator)

s09bQ5 commented Dec 8, 2024

Please submit the file at https://www.microsoft.com/en-us/wdsi/filesubmission for malware analysis. I can't. I don't have a Microsoft account.

@basisbit (Member)

basisbit commented Dec 9, 2024

Duplicate of #722 and #368. It is super annoying that big antimalware development companies don't test their stuff properly to avoid false detections of small software projects. This is a common problem that many small projects have to deal with when using installer tools like NSIS and similar, just because sometimes malware developers choose to also use the same installer tools.

@basisbit (Member)

basisbit commented Dec 9, 2024

> Please submit the file at https://www.microsoft.com/en-us/wdsi/filesubmission for malware analysis. I can't. I don't have a Microsoft account.

Done, and already got a response from a manual analyst:

> At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.
>
> 1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
> 2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
> 3. Run "MpCmdRun.exe -SignatureUpdate"
>
> Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

So, hopefully in the next few days when people's computers update, it shouldn't falsely detect usdx installer or portable zip any more.
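The three steps from the analyst's reply, wrapped in a PowerShell script that checks for elevation, locates MpCmdRun.exe under its default path, verifies each step's exit code and shows the signature version before and after so you can confirm the update actually landed. This is an added example, not code from the project or from anyone in this thread; the download path for the re-scan at the end is assumed from the report above and the quarantined copy will usually have been deleted, so re-download first.

```powershell
# Added example (not from this thread or the UltraStar Deluxe project).
# Run from an elevated PowerShell. Assumes the default Defender install path
# and, for the optional re-scan, the download path quoted in the report above.
$ErrorActionPreference = 'Stop'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) PowerShell.'
}

# Step 1: MpCmdRun.exe lives in the Defender program folder
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

Write-Host "Before: signature version $((Get-MpComputerStatus).AntivirusSignatureVersion)"

# Step 2: drop cached dynamic (cloud-delivered) signatures, which is where the
# stale Wacatac.B!ml verdict is held after Microsoft removed the detection
& $mpCmdRun -removedefinitions -dynamicsignatures
if ($LASTEXITCODE -ne 0) { throw "-removedefinitions failed with exit code $LASTEXITCODE" }

# Step 3: pull the current definitions
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "-SignatureUpdate failed with exit code $LASTEXITCODE" }

Write-Host "After:  signature version $((Get-MpComputerStatus).AntivirusSignatureVersion)"

# Optional: custom scan of the re-downloaded zip (assumed path) to confirm it is
# now clean. MpCmdRun exit code 0 means no threat found, 2 means a threat was found.
$zip = Join-Path $env:USERPROFILE 'Downloads\UltraStarDeluxe-portable-2024.10.0.zip'
if (Test-Path $zip) {
    & $mpCmdRun -Scan -ScanType 3 -File $zip
    Write-Host "Custom scan of $zip finished with exit code $LASTEXITCODE"
} else {
    Write-Host "$zip not present (quarantined copies are removed); re-download and re-run to verify"
}
```

If the "After" version equals the "Before" version the signature update did not happen (often a proxy or a paused update service), and the cached detection will come back, which matches the later report in this thread that the file was still flagged two weeks on.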

@barbeque-squared (Member)

Thanks basisbit! I'll probably leave this ticket open until I can work the info in this ticket into the readme/wiki, as it appears to be a recurring issue. Maybe even figure out how to use the GitHub issue templates.

Slightly off-topic / note to self: do any of these scanning services have some kind of API so that we can work at least the portable into the CI? Should be allowed to fail / pass with warnings (at least to start with) but some kind of scanning is still better than no scanning at all.
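One way to do what the note above asks for, as an added example that is not the project's own CI and not code from anyone in this thread: a PowerShell step that hashes the portable zip, looks it up on VirusTotal by SHA-256 (the "7/68 security vendors" figure in the first post is a VirusTotal summary), uploads it only if the hash is unknown, and then turns the engine count into a warning or a failure. It assumes PowerShell 7 (needed for the multipart `-Form` upload), an API key in `$env:VT_API_KEY`, the VirusTotal v3 endpoints `/files/{sha256}`, `/files` and `/analyses/{id}`, and warn/fail thresholds chosen purely for illustration.

```powershell
# Added example (not the project's CI). Assumes PowerShell 7, $env:VT_API_KEY,
# VirusTotal API v3, and illustrative thresholds.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [int]$WarnAt = 1,    # at least this many engines flagging -> warning, job passes
    [int]$FailAt = 10    # at least this many engines flagging -> job fails
)

$ErrorActionPreference = 'Stop'
if (-not $env:VT_API_KEY) { throw 'VT_API_KEY is not set' }
$headers = @{ 'x-apikey' = $env:VT_API_KEY }
$base    = 'https://www.virustotal.com/api/v3'

# Hash locally: the lookup is by content, and the value can be compared with
# the hash a reporter pastes into an issue.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
Write-Host "SHA-256 of ${Path}: $sha256"

function Get-StatsByHash([string]$Hash) {
    # last_analysis_stats for a file VirusTotal already has, or $null on 404
    try {
        $r = Invoke-RestMethod -Uri "$base/files/$Hash" -Headers $headers -Method Get
        return $r.data.attributes.last_analysis_stats
    } catch {
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) { return $null }
        throw
    }
}

function Submit-AndWait([string]$FilePath) {
    # Upload and poll until the analysis completes. Uploaded samples are shared
    # with the VirusTotal community, so only do this for public release artifacts.
    $r  = Invoke-RestMethod -Uri "$base/files" -Headers $headers -Method Post -Form @{ file = Get-Item $FilePath }
    $id = $r.data.id
    for ($i = 0; $i -lt 30; $i++) {
        Start-Sleep -Seconds 20
        $a = Invoke-RestMethod -Uri "$base/analyses/$id" -Headers $headers -Method Get
        if ($a.data.attributes.status -eq 'completed') { return $a.data.attributes.stats }
    }
    throw 'VirusTotal analysis did not complete within 10 minutes'
}

$stats = Get-StatsByHash $sha256
if ($null -eq $stats) {
    Write-Host 'File not known to VirusTotal yet; uploading for analysis'
    $stats = Submit-AndWait $Path
}

$flagged = [int]$stats.malicious + [int]$stats.suspicious
$total   = $flagged + [int]$stats.undetected + [int]$stats.harmless
$summary = "$flagged of $total engines flagged $(Split-Path $Path -Leaf) (sha256 $sha256)"

# ::warning:: and ::error:: are GitHub Actions workflow commands; they annotate the run.
if ($flagged -ge $FailAt) {
    Write-Host "::error::$summary"
    exit 1
} elseif ($flagged -ge $WarnAt) {
    Write-Host "::warning::$summary - likely a false positive on a fresh build; submit it to the vendor"
    exit 0
} else {
    Write-Host $summary
    exit 0
}
```

In a workflow this runs as `pwsh -File scan.ps1 -Path <artifact>` on the freshly built zip; to match the "allowed to fail / pass with warnings" idea, start the step with `continue-on-error: true` and a high `-FailAt`, then tighten once you know the baseline count a clean build gets. A fresh build will usually be unknown to VirusTotal, so expect the upload branch on every release.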

@cskinner74

Two weeks later and still being flagged, even after performing the above update steps
