AvaloniaUI / Avalonia

Develop Desktop, Embedded, Mobile and WebAssembly apps with C# and XAML. The most popular .NET UI client technology
https://avaloniaui.net
MIT License

Windows Defender identifying Avalonia as Trojan (Again) #6009

Open thiago-tota opened 3 years ago

thiago-tota commented 3 years ago

Trying to run the application and got the following exception:

System.IO.FileLoadException: 'Could not load file or assembly 'Avalonia.Themes.Fluent, Version=0.10.5.0, Culture=neutral, PublicKeyToken=c8d484a7012f9a8b'. Operation did not complete successfully because the file contains a virus or potentially unwanted software. (0x800700E1)'


HendrikMennen commented 3 years ago

Fluent theme and DataGrid seem to be affected. Worst part is that this also marks published apps as trojans. For example, https://vhdplus.com/docs/getstarted#install-vhdplus-ide is unusable on Windows right now.


habibg1232191 commented 3 years ago

When will it be corrected?

robloo commented 3 years ago

Do we know the Avalonia DLLs haven't had code injected? It can happen if the NuGet package build computer is compromised.

kekekeks commented 3 years ago

We are building on Azure Pipelines. I suspect that some trojan app is using Avalonia, so we are getting marked as a virus as well.

bcssov commented 3 years ago

> We are building on Azure Pipelines. I suspect that some trojan app is using Avalonia, so we are getting marked as a virus as well.

If it were so, one would expect that more AVs would flag Avalonia. For example, as soon as you cleared other DLLs, Avalonia.Dialogs got flagged, at least according to the latest definitions (VirusTotal results). Also tested on my computer (with latest definitions) and this particular DLL is being flagged now.

kekekeks commented 3 years ago

I've compared Avalonia.Dialogs.dll from NuGet to one built on my machine and they are of the same size and are mostly identical except for some small 1-20 byte long chunks and some entry in the RSDS segment which seems to be a PDB.

ilspycmd produces identical output for both assemblies.

So I don't believe that any code was injected during the build.
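The kind of comparison described in the comment above, as an added example that is not part of the original thread or of Avalonia's tooling: it lists the differing byte runs between two equal-sized builds and marks which ones fall inside the CodeView `RSDS` record (magic, 16-byte GUID, 4-byte age, NUL-terminated PDB path). The two inputs are constructed stand-ins rather than real DLLs, the function names are hypothetical, and finding the record by searching for the `RSDS` magic instead of walking the PE debug directory is a simplifying assumption.

```python
import struct
import uuid

def diff_runs(a: bytes, b: bytes):
    """Return (offset, length) for each run of differing bytes in equal-sized inputs."""
    if len(a) != len(b):
        raise ValueError("sizes differ; an offset-by-offset comparison is not meaningful")
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

def rsds_record(data: bytes):
    """Locate the CodeView record: 'RSDS', 16-byte GUID, 4-byte age, NUL-terminated PDB path."""
    off = data.find(b"RSDS")  # assumption: first match is the debug record
    if off < 0:
        return None
    guid = uuid.UUID(bytes_le=data[off + 4:off + 20])
    (age,) = struct.unpack_from("<I", data, off + 20)
    end = data.index(b"\0", off + 24)
    return {"start": off, "end": end + 1, "guid": guid, "age": age,
            "pdb": data[off + 24:end].decode("utf-8", "replace")}

def classify(a: bytes, b: bytes):
    """Label each differing run as inside the RSDS record ('rsds') or elsewhere ('other')."""
    rec = rsds_record(a)
    out = []
    for off, n in diff_runs(a, b):
        inside = rec is not None and rec["start"] <= off and off + n <= rec["end"]
        out.append((off, n, "rsds" if inside else "other"))
    return out

# Constructed stand-ins for two builds of one assembly (not real Avalonia binaries).
def make_blob(stamp: int, guid: uuid.UUID) -> bytes:
    body = b"MZ" + b"\x90" * 30 + struct.pack("<I", stamp) + b"\xCC" * 28
    return body + b"RSDS" + guid.bytes_le + struct.pack("<I", 1) + b"Sample.pdb\0" + b"\xCC" * 16

NUGET = make_blob(0x60C0FFEE, uuid.UUID("11111111-2222-3333-4444-555555555555"))
LOCAL = make_blob(0x60C0AB12, uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))

if __name__ == "__main__":
    for off, n, where in classify(NUGET, LOCAL):
        print(f"offset 0x{off:04x}: {n} byte(s) differ [{where}]")
```

Runs labelled `other` are the ones to inspect by hand; a byte diff like this only narrows the search and is complemented by a decompiler-level comparison such as the `ilspycmd` check mentioned above.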

piksel commented 3 years ago

The hash in @bcssov's screenshot is not flagged anymore at least... https://www.virustotal.com/gui/file/1ddd21b514e84b385ff32143db3e11dfb01e13a3f8f3b1d6cffeee98e091a6bb/detection

Neither is Avalonia.Themes.Fluent.dll (from Avalonia v0.10.5): https://www.virustotal.com/gui/file/c50bf9e568710c8429f516833ca7fddce08014c972b8bdd96de52f2128872b73/detection or Avalonia.Controls.DataGrid.dll (from Avalonia.Controls.Datagrid v0.10.5): https://www.virustotal.com/gui/file/a23bfd44cd5addaf9f2ee3453f0b5515e459f79436e16cf2b16bdf298c234de3/detection