Rem0o / FanControl.Releases

This is the release repository for Fan Control, a highly customizable fan controlling software for Windows.

Trojan Horse in Updater.exe? #719

Closed damiandib closed 10 months ago

damiandib commented 2 years ago

It might be a fluke from Windows Defender, but it claims it detected a Trojan Horse in the Updater.exe, and I saw the Updater.exe was just updated, so it seemed like an odd coincidence. I'll be happy to provide more information if needed.

f8lxninja commented 2 years ago

Just experienced this as well.

Rem0o commented 2 years ago

Updated the app manifest to explicitly use the same invocation privilege as the app starting it, aka FanControl.exe. Some user reported access denied exceptions.

It's a .NET exe, feel free to decompile it, nothing to hide.

damiandib commented 2 years ago

@Rem0o I am sorry if this seemed like an attack, that's not what I am trying to achieve here at all! I am just trying to make you aware of this issue I have. I am not trying to say that you put a Trojan Horse there on purpose or at all...

KingM00se commented 2 years ago

Yeah, just had the exact same warning come up after attempting to install today's update. Hmm...

arjenkrap commented 2 years ago

A makeshift alternative to Updater.exe using git. (You do need to have git and 7zip installed.)

First clone the FanControl.Releases repo:

git.exe clone https://github.com/Rem0o/FanControl.Releases.git

Add a file update.bat

@echo off
taskkill.exe /f /im FanControl.exe
git.exe pull
7z.exe x -aoa FanControl.zip
start FanControl.exe

Add a file .gitignore (optional)

*.dll
CACHE
FanControl.exe
FanControl.exe.config
FanControl.sys
userConfig.json

Now run update.bat (as an elevated user) to update:

SUCCESS: The process "FanControl.exe" with PID 6656 has been terminated.
Already up to date.

7-Zip 21.07 (x64) : Copyright (c) 1999-2021 Igor Pavlov : 2021-12-26

Scanning the drive for archives:
1 file, 4952378 bytes (4837 KiB)

Extracting archive: FanControl.zip
--
Path = FanControl.zip
Type = zip
Physical Size = 4952378

Everything is Ok

Files: 23
Size:       15100846
Compressed: 4952378

Optionally commit update.bat (or add it to .gitignore):

git.exe add update.bat
git.exe commit -m "Added update.bat"

cyounkins commented 2 years ago
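As an added example (not part of arjenkrap's post and not the FanControl project's own updater), the same git-based update written in PowerShell, with two things the batch file lacks that later reports in this thread make relevant: a rollback copy of the previous install, so an update that leaves FanControl unable to start can be undone by renaming the folder back, and a log of the commit id, archive hash and signature status that was actually installed, so a later Defender alert can be compared against it. It assumes git is on PATH, the FanControl.Releases clone sits next to the script, and the program is installed into a separate FanControl folder; the paths `$repo`, `$install` and `update.log` are assumptions, not the project's layout.

```powershell
# Added example: PowerShell variant of update.bat with rollback and logging.
# Assumed layout: .\FanControl.Releases (git clone) and .\FanControl (install dir).
$ErrorActionPreference = 'Stop'
$repo    = Join-Path $PSScriptRoot 'FanControl.Releases'   # assumed clone location
$install = Join-Path $PSScriptRoot 'FanControl'            # assumed install directory
$backup  = "$install.bak"
$log     = Join-Path $PSScriptRoot 'update.log'            # assumed log file

# update.bat has to run elevated; fail early instead of hitting access-denied later.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell, as update.bat requires.'
}

# 1. Stop the running app (same step as "taskkill /f /im FanControl.exe").
Get-Process -Name 'FanControl' -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Fast-forward the release repo. git verifies object hashes over HTTPS, so the
#    zip we extract is exactly the one committed to the repo; keep the commit id.
Push-Location $repo
try {
    git pull --ff-only
    if ($LASTEXITCODE -ne 0) { throw "git pull failed with exit code $LASTEXITCODE" }
    $commit = (git rev-parse HEAD).Trim()
} finally {
    Pop-Location
}

$zip  = Join-Path $repo 'FanControl.zip'
$hash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash

# 3. Keep the previous install as a rollback copy before overwriting anything.
if (Test-Path $backup)  { Remove-Item $backup -Recurse -Force }
if (Test-Path $install) { Copy-Item $install $backup -Recurse }

# 4. Extract with the built-in cmdlet (no 7-Zip dependency). -Force overwrites the
#    shipped files but does not delete anything else, so the user's Configurations
#    directory and userConfig.json in $install stay in place.
Expand-Archive -Path $zip -DestinationPath $install -Force

# 5. Record what was installed: commit, archive hash and Authenticode status of the
#    new executable (the thread reports it is currently unsigned, so expect NotSigned).
$exe = Join-Path $install 'FanControl.exe'
$sig = (Get-AuthenticodeSignature -FilePath $exe).Status
"$(Get-Date -Format o) commit=$commit sha256=$hash signature=$sig" | Add-Content -Path $log

Start-Process -FilePath $exe
```

To roll back after a failed update, stop FanControl, remove the FanControl folder and rename FanControl.bak to FanControl; the log line for the bad update tells you which commit and archive hash to report.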

Here's virustotal for Updater.exe: https://www.virustotal.com/gui/file/52db36eac73eac1c220ca1ec29f674ac822e2a30839e2a540f6b6ecb1a49a431/detection

It shows that the Updater is pulling FanControl.zip through a bit.ly redirect link. Can you explain why that is done?

BinaryAssault commented 2 years ago

Here's virustotal for Updater.exe: https://www.virustotal.com/gui/file/52db36eac73eac1c220ca1ec29f674ac822e2a30839e2a540f6b6ecb1a49a431/detection

It shows that the Updater is pulling FanControl.zip through a bit.ly redirect link. Can you explain why that is done?

Not advocating for the dev here, but that bit.ly points back to github. Not sure why it's done that way here. You can preview a bit.ly link by adding a '+' to the end so bit.ly/abcd would be bit.ly/abcd+ doing so will tell you the full file path via bit.ly itself without visiting the page (source)

That link in particular in virus total reports: https://raw.githubusercontent.com/Rem0o/FanControl.Releases/master/FanControl.zip

Rem0o commented 2 years ago

@cyounkins I used the bitly link as a simple updater/download counter. image Had this in for well over a year.

Rem0o commented 2 years ago

To be honest, every time I make a change to that exe, it triggers an anti-virus software somewhere and I have to do a new submission for false-positive. I might change it to a cmd script or something to never have to deal with these AV freaking out every time.

Rem0o commented 2 years ago

Reverted back to the previous updater for now before I find a better solution going forwards.

BinaryAssault commented 2 years ago

To be honest, every time I make a change to that exe, it triggers an anti-virus software somewhere and I have to do a new submission for false-positive. I might change it to a cmd script or something to never have to deal with these AV freaking out every time.

I decompiled the exe and there isn't anything malicious I can see in there.

Have you tried signing the code?

Rem0o commented 2 years ago

@BinaryAssault Wanted to avoid dealing with that, but I guess we're at that point. Won't I need a paid certificate from a third-party though?

cyounkins commented 2 years ago

After searching more, I am inclined to believe this is a false positive. Github has 255 issues open with "Wacatac.B!ml" including gems such as compiling "hello world" in rust (https://github.com/rust-lang/rust/issues/88297) and Google's Project Zero tools (https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools/issues/54).

Binary signing may help, not sure. Others report that twiddling the linker flags changes detection.

ghost commented 2 years ago

@BinaryAssault Wanted to avoid dealing with that, but I guess we're at that point. Won't I need a paid certificate from a third-party though?

Sadly yes; while you can use a self-issued certificate, Windows won't treat it as trusted when deployed and then you get other issues, at the very least a popup saying the developer is not known, at worst it will just block the application from running - depends on the end user's system config.

WantStuff commented 1 year ago

I just got the same "Trojan" quarantine with the latest update, v137

damiandib commented 1 year ago

I had this myself again today as well

Revivedx commented 1 year ago

Just had this message 3 minutes ago.

Rem0o commented 1 year ago

Submitted for review already. Waiting on the whitelisting.

Globespy commented 1 year ago

Good, then I should tell Windows that it doesn't need to quarantine 'updater.exe'. Hope you get it figured out soon, I'm sure everyone here is just making you aware of this false positive, which is better than panicking, uninstalling and not saying a thing. Your program is the best fan control app I have ever used, I avoid using everything else - especially love the 'Mix' feature, haven't seen that before in other programs. Keep up the great work Reme!

TheEngineerGuy commented 10 months ago

Trojan Warning is back! A year later...

caliwator commented 10 months ago

Yep, got the same warning today.

GiDevEon commented 10 months ago

Me too.

AdamAnon commented 10 months ago

Hi, yes, same here. Tried to update FanControl and got a warning from Windows Security about a Trojan Win32/Wacatac.B!ml. So was it ever whitelisted? Thanks!

jaxteri commented 10 months ago

I just got it as well, I added an exception in Defender but the update seems to have failed and FanControl does not start at all anymore...

Killrockstar commented 10 months ago

Also just got it

Dex1975 commented 10 months ago

On clicking update, endless "Downloading Updater". Click cancel and I get the screen.

AdamAnon commented 10 months ago

I just got it as well, I added an exception in Defender but the update seems to have failed and FanControl does not start at all anymore...

So I've downloaded the new version 174 manually and copied the \Configurations directory from the old folder and it works.

SeeUnsharp commented 10 months ago

I get the same.

joseseat commented 10 months ago

Me too. Is this something to be concerned about or just an error?? I have quarantined the Updater.exe...

ash-j-f commented 10 months ago

Just another report, fwiw! Trying to go from 173 to 174. Thanks for the hard work.

Skripeezy commented 10 months ago

I saw what people said, but I let it through my firewall anyway. But if that trojan is positive, it can mess up a pc big time. It will make copies of every file until the system freezes for good

thank you for being an active developer with the best fan control and most reliable out there homie!!!!!

Rem0o commented 10 months ago

New updater, same problem.

Duplicate of https://github.com/Rem0o/FanControl.Releases/issues/2135