Alex313031 / Mercury

Firefox fork with compiler optimizations and patches from Librewolf, Waterfox, and GNU IceCat.
https://thorium.rocks/mercury
Mozilla Public License 2.0

Mercury triggers windows defender (not just smartscreen) #39

Open L3-NR opened 10 months ago

L3-NR commented 10 months ago

30 seconds after installation, Windows Defender deleted the .exe without user input, flagging it as a "severe" level threat. I believe that it's not malware, but I'd rather not turn Defender off.

Tachyon711 commented 9 months ago

Good day! I also encounter the same instance for version 115.3.0. Thank you!

Alex313031 commented 9 months ago

@L3-NR @Tachyon711 It didn't for me when I tried it.

GGoose commented 9 months ago

Same happened to me but 24 hours after installation.

GGoose commented 9 months ago

https://www.virustotal.com/gui/file/92e97eaea495e48e58fefee7eb54c907eba55a819a61365af7f9193b25b41038/detection

115.4.0 Installer file

Alex313031 commented 9 months ago

@GGoose I tried following a guide to sign the .exe to help prevent this from happening, but I need a CA from Microsoft to do it properly (otherwise I'm just using a self-signed CA, and unless you have that CA installed on your system, it won't work), and that costs a lot of money. So IDK, I guess people will just have to "trust me bro" that these aren't malicious, or compile them yourself.

kenny-kvibe commented 8 months ago

https://www.virustotal.com/gui/file/92e97eaea495e48e58fefee7eb54c907eba55a819a61365af7f9193b25b41038/detection

115.4.0 Installer file

And here's the Firefox Installer: https://www.virustotal.com/gui/file/d3663d704d94b4764b23f641463d9f1277f46b2713b0eabc0f5ea21923552840/detection

I installed it via the .zip and have had it open now for more than 40 minutes; WinDefender still sees nothing, and I didn't try the .exe installer.

Alex313031 commented 8 months ago

@kenny-kvibe FUCK, I thought I had this resolved. At this point it must be related to not signing the .exe, since that costs a lot of money. I have got to fix this! It is NOT malicious at all; you can compile it yourself and compare the binaries and see that they are the same.

lalishansh commented 8 months ago

Wow, I'll compile it myself. Awesome project man 👍🏼

kenny-kvibe commented 8 months ago

@Alex313031 no worries, I know it's not malware, some people don't update MS Defender's local database so perhaps that's why it displays mercury as a virus to them.

I suggest you create a document with your virus scan results, attach your project as proof, and send this document to those 2 vendors that flagged it and to the MS Security Team (https://info.microsoft.com/ww-landing-security-generic-contact-me.html) to make them do a scan themselves and flag it appropriately. I mean, try a free route before spending your money; it could pay off.

The vendors that flagged it on VirusTotal are SecureAge and Trapmine, and if you check https://trapmine.com/ you can see that they've "concluded its operations", and SecureAge seems like a small firm, so their database is lagging behind I presume (small team = less work done). Because if they really deep-scanned your file they would flag it appropriately, but as for now they just have a sigma rule or something that tracks certain patterns in the binary file, certain byte sequences, and when it finds these patterns it marks it under its falling category, even if it's a legit program from Microsoft. This can still happen at vendors who are lagging behind, and there'll always be some that lag behind.

To resolve this, vendors usually flag trusted programs' virus detections as false-positive and then it passes as clean, although the program was unchanged; that's how the other vendors flagged it as "OK" (because they have the latest false-positives of Firefox).

This is just a signing certificate problem: if a "verified cert" is present, it is a sign that it's a non-malicious program (for the vendor and a vendor-trusting user), so I presume the security vendors trust that program more by doing less detailed scans, ignoring some patterns based on the cert, or something like that I imagine.

There are always problems with certs, even legit ones, but it's not the only solution here, because it's a legit Firefox rebuild, so it must pass. If you do nothing about it, it will pass some day (when they stop lagging and when everyone updates their local db at home), but if you contact them you could speed up the process a lot more and keep it self-signed, or buy the cert for an even faster way, but DAMN it's a big price for some user-useless bytes that don't even execute in the program.

Also letting you know, when you sign a program with a cert the bytes change, because you're essentially adding a few new bytes into your binary header.

Been using it for some hours now and it's just awesome.
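The two points raised above, Alex's "compare the binaries" and kenny-kvibe's note that signing changes the bytes, can both be checked from the file itself. The following is an added example (not Mercury project code): it parses the PE headers to find the Authenticode certificate table and hashes the file for comparison with a VirusTotal SHA-256 or a self-built binary. The sample PE it builds is constructed and not loadable; finding a certificate table only means "signed", while actual verification of the chain needs a tool such as `signtool verify` or `Get-AuthenticodeSignature`.

```python
"""Report whether a Windows PE carries an Authenticode certificate table and
hash the file for comparison (e.g. against a VirusTotal SHA-256 or a
self-built binary). Added example, not Mercury project code."""
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of WIN_CERTIFICATE


def authenticode_info(data: bytes) -> dict:
    """Locate the certificate table; its presence means "signed", not "verified"."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                           # 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + {0x10B: 96, 0x20B: 112}[magic]             # PE32 vs PE32+ data directories
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]     # NumberOfRvaAndSizes
    off = size = 0
    if ndirs > SECURITY_DIR:
        off, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    info = {"sha256": hashlib.sha256(data).hexdigest(), "signed": False, "cert_type": None}
    if off and size:
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)  # WIN_CERTIFICATE
        info.update(signed=True, cert_type=ctype, cert_len=length)
    return info


def build_sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ layout (not loadable) for demonstration only."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (pe_off - 6) + struct.pack("<I", pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    cert = b""
    entries = [(0, 0)] * 16
    if signed:
        body = b"\xAA" * 16                                 # stand-in for PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
        entries[SECURITY_DIR] = (pe_off + 24 + 240, len(cert))
    opt += b"".join(struct.pack("<II", *e) for e in entries)
    return dos + b"PE\0\0" + coff + opt + cert


if __name__ == "__main__":
    for flag in (False, True):
        print(authenticode_info(build_sample_pe(flag)))   # hashes differ once a cert is appended
```

Run `authenticode_info(open("Mercury.exe", "rb").read())` on a real installer to get its SHA-256 and signed flag; the hash is what you compare against the VirusTotal page or your own build.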

lore-sun commented 8 months ago

Hey mate!

I literally created a Github account just to post this comment because it has really concerned me.

I've been using Thorium and it's brilliant. I wanted to try something on a Firefox fork so I downloaded this (Mercury) and windows (10) immediately deleted the file... So I downloaded it again, at which point no joke it instantly deleted the file, crashed and UNINSTALLED Thorium browser entirely from my system, then when I restarted it told me Windows is initialising updates, and upon rebooting my network drivers were dysfunctional.

This is highly concerning no? I have literally never had any such thing happen before in 10 years and am worried my system is infected in some way. Wat do?

GGoose commented 8 months ago

@lore-sun All you have to do for the time being is allow the Mercury.exe to run on your OS through Windows Defender or whatever Antivirus you use. Alex says it isn’t malicious and as far as I know, no one is complaining about serious issues that you would normally find from real viruses. And regarding Thorium uninstalling from this issue I have no idea how that can happen from a different browser that isn’t even based off Chromium.

In the end it’s your choice whether you want to use this browser or not. Just know it’s relatively safe.

lore-sun commented 8 months ago

@GGoose Strange though, right? Windows Defender never even surfaced and my AV gave me no indication of engagement either... and yet Thorium was wiped from my PC... Don't get me wrong; I think Thorium is excellent and am not casting aspersions onto Alex, I was just shocked by the turn of events and never experienced that. Also, my Thorium browser install has now bloated itself to 2.8 GB apparently; unfortunately I don't recall what it was before this, but isn't that unusually high? A Betterfox install I just did as a test is at 400 MB with all the same extensions etc.