NomicFoundation / hardhat

Hardhat is a development environment to compile, deploy, test, and debug your Ethereum software.
https://hardhat.org

Windows defender detects Trojan:Win32/CoinMiner.N!cl in @nomicfoundation/edr-win32-x64-msvc #5099

Closed joticajulian closed 7 months ago

joticajulian commented 7 months ago

Version of Hardhat

@nomicfoundation/edr-win32-x64-msvc-0.2.1

What happened?

Windows defender is detecting Trojan:Win32/CoinMiner.N!cl in this file C:\Users\XXX\AppData\Local\Yarn\Cache\v6\npm-@nomicfoundation-edr-win32-x64-msvc-0.2.1-7b56ff742b2724779cc9f3385815b394f76de8df-integrity\node_modules\@nomicfoundation\edr-win32-x64-msvc\edr.win32-x64-msvc.node

Minimal reproduction steps

This appeared after a normal malware check from Windows Defender.

Search terms

windows defender

Wodann commented 7 months ago

Would you be able to submit the edr.win32-x64-msvc.node for analysis through this url?

https://www.microsoft.com/en-us/wdsi/filesubmission

That way we can determine if it's a false negative.

joticajulian commented 7 months ago

ok, I already submitted the file. It is in progress.

Wodann commented 7 months ago

ok, I already submitted the file. It is in progress.

Thank you!

joticajulian commented 7 months ago

It was a false positive. This is the report from Microsoft:

Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

fvictorio commented 7 months ago

Thanks for the update @joticajulian! We are going to check if we can start signing our EDR binaries to prevent this from happening again in the future.
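A check a practitioner would want before accepting a detection like this as a false positive: confirm that the flagged file in the Yarn cache is byte-identical to the artifact the npm registry publishes for that version, and see whether it carries an Authenticode signature at all. This is an added example, not code from the Hardhat project or from anyone in the thread; it assumes npm and the built-in tar are on PATH, and takes the package, version and cache path from the issue.

```powershell
# Added example: verify the Defender-flagged .node file against the npm registry.
# Assumes npm and tar (built into Windows 10+) are on PATH.
$Package = '@nomicfoundation/edr-win32-x64-msvc'
$Version = '0.2.1'
# Cache path from the issue; C:\Users\<you>\AppData\Local is $env:LOCALAPPDATA.
$Cached  = "$env:LOCALAPPDATA\Yarn\Cache\v6\npm-@nomicfoundation-edr-win32-x64-msvc-0.2.1-7b56ff742b2724779cc9f3385815b394f76de8df-integrity\node_modules\@nomicfoundation\edr-win32-x64-msvc\edr.win32-x64-msvc.node"

# 1. Ask the registry for the published tarball URL and its SHA-1 (dist.shasum).
$tarballUrl = (npm view "$Package@$Version" dist.tarball).Trim()
$expected   = (npm view "$Package@$Version" dist.shasum).Trim()

# 2. Download the tarball independently of the Yarn cache and verify it.
$work = Join-Path $env:TEMP ("edr-verify-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$tgz = Join-Path $work 'package.tgz'
Invoke-WebRequest -Uri $tarballUrl -OutFile $tgz
$actual = (Get-FileHash -Path $tgz -Algorithm SHA1).Hash.ToLower()
if ($actual -ne $expected) {
    throw "Tarball SHA-1 $actual does not match registry shasum $expected"
}

# 3. Extract it and compare the native module with the cached copy.
#    npm tarballs unpack under a 'package/' prefix; the .node sits at package root.
tar -xf $tgz -C $work
$fresh      = Join-Path $work 'package\edr.win32-x64-msvc.node'
$freshHash  = (Get-FileHash -Path $fresh  -Algorithm SHA256).Hash
$cachedHash = (Get-FileHash -Path $Cached -Algorithm SHA256).Hash
if ($freshHash -eq $cachedHash) {
    Write-Host "OK: cached edr.win32-x64-msvc.node matches the registry artifact ($freshHash)"
} else {
    Write-Warning "MISMATCH: cached $cachedHash vs registry $freshHash - treat the cached file as untrusted"
}

# 4. Authenticode status of the cached file. An unsigned native binary is what
#    the maintainers are discussing fixing; a signed one gives Defender a
#    publisher identity to weigh instead of only heuristics.
(Get-AuthenticodeSignature -FilePath $Cached).Status
```

If step 2 throws, the problem is between you and the registry (proxy, mirror, or tampering), not the Yarn cache; if step 3 reports a mismatch, reinstall from a clean cache before doing anything else with the file.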