Bill-Stewart / SyncthingWindowsSetup

Syncthing Windows Setup
Mozilla Public License 2.0

Trojan:Win32/Wacatac.B!ml #16

Closed evanerkan closed 8 months ago

evanerkan commented 9 months ago

Windows Defender detects Trojan:Win32/Wacatac.B!ml in syncthing-1.27.2-setup.exe?

evanerkan commented 9 months ago

Although VirusTotal undetected.

evanerkan commented 9 months ago

webfile: C:\Users\idea\Downloads\syncthing-1.27.2-setup.exe|https://objects.githubusercontent.com/github-production-release-asset-2e65be/442602783/92b19dd7-e2c7-4242-920c-00d913fb1c2b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240103%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240103T025702Z&X-Amz-Expires=300&X-Amz-Signature=928dff2237d69081e39fcaeb926a861460e92b99c10db80acc7c11516d7dc8c7&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=442602783&response-content-disposition=attachment%3B%20filename%3Dsyncthing-1.27.2-setup.exe&response-content-type=application%2Foctet-stream|pid:25616,ProcessStart:133487242342654026

malcolm77 commented 9 months ago

I also got this, Defender detected and deleted it. 1.27.1 seems OK though.

Syr0 commented 9 months ago

Crowdstrike also flagged the installer https://www.virustotal.com/gui/file/6899dcdace56d06f5a14ff221c38a220b913f7a475a5ba9ed437cb513d28dec4/detection

Syr0 commented 9 months ago

> Although VirusTotal undetected.

It is detected.

Bill-Stewart commented 9 months ago

This is, of course, a false-positive detection. I have submitted it to Microsoft as such. Crowdstrike has no means for non-customers to submit false-positives, so someone that is a Crowdstrike customer will need to submit the installer as a false-positive.

aussiesasquatch commented 9 months ago

I have tried both 1.27.1 and 1.27.2, and each time it has been blocked by Bitdefender no matter what I have tried; it says it is a malicious encrypted command being run on PowerShell.

Bill-Stewart commented 9 months ago

The answer is the same: Submit the installer file to the vendor as a false-positive.

aussiesasquatch commented 9 months ago

Bitdefender won't allow files above 25 MB in size; the exe file is just over that limit, so I am unable to submit to Bitdefender, as the file is required as part of the submission.

Bill-Stewart commented 9 months ago

Sorry, I'm not able to help with that as I don't work for BitDefender and I don't manage their web services. I would suggest whitelisting it or contacting the vendor. (This is a BitDefender issue, not a Syncthing Setup issue.)

aussiesasquatch commented 9 months ago

Already tried whitelisting both versions, didn't work, will contact Bitdefender directly.

aussiesasquatch commented 9 months ago

The false positive sample has been submitted to Bitdefender for analysis, will advise of updates.

gulbrain commented 9 months ago

It's possible that reworking the installer* has introduced this false positive. May I suggest (in a few weeks) updating the third-party tools used to build the installer and releasing a new version to see if the problem is resolved?

Bill-Stewart commented 9 months ago

Which third-party tools need updating?

gulbrain commented 8 months ago

"Go". I'm not saying it is the cause, just that updating "Go" (whenever there is an update) might resolve the problem.

Bill-Stewart commented 8 months ago

Go is the programming language used to compile the Syncthing executable, but is not otherwise a part of this project.

Bill-Stewart commented 8 months ago

FWIW: I am working on a command-line tool to replace startps.exe and the PowerShell scripts in the Syncthing Windows Setup installer due to the prevalence of security software paranoia regarding encoded PowerShell command lines. Hopefully this will help reduce the number of false-positives.

evanerkan commented 8 months ago

Thank you for your efforts and sorry for any hassles this all suddenly brought up. This now makes more sense to me. Here's to improvements in development and shared learning for all. Wish you and this fantastic project the best.

Bill-Stewart commented 8 months ago

The new tool is published: https://github.com/Bill-Stewart/asmt

The next version of Syncthing Windows Setup will use this tool instead of startps.exe and the PowerShell scripts.

Bill-Stewart commented 8 months ago

As I write this, it looks like Windows Defender is not blocking the 1.27.2 installer.

evanerkan commented 8 months ago

Thank you.