Romanitho / Winget-AutoUpdate

WAU daily updates apps as system and notify connected users. (Allowlist and Blocklist support)
MIT License
1.18k stars 141 forks

[Bug]: dowloading of 1.19.2-1 failing Virus detected !! false positive I hope #540

Closed nostromo1940 closed 7 months ago

nostromo1940 commented 10 months ago

The problem

Downloading 1.19.2-1 fails with "virus detected". Defender reports detecting Trojan:Script/Wacatac.H!ml. Affected items: containerfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip file: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip->Winget-AutoUpdate-main/Sources/WAU Configurator.lnk webfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip|https://codeload.github.com/Romanitho/Winget-AutoUpdate/zip/refs/heads/main|pid:17136,ProcessStart:133481319344442705

What version of WAU has the issue?

1.19.2-1

What version of Windows are you using (ex. Windows 11 22H2)?

windows 11 23h"

What version of winget are you using?

v1.7.3481-preview

Log information

No response

Additional information

Detected:Trojan:Script/Wacatac.H!ml Status:Quarantine failed

Affected items: containerfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip file: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip->Winget-AutoUpdate-main/Sources/WAU Configurator.lnk webfile: C:\Users\NWH1GF\Downloads\Winget-AutoUpdate-main (1).zip|https://codeload.github.com/Romanitho/Winget-AutoUpdate/zip/refs/heads/main|pid:17136,ProcessStart:133481319344442705

AndrewDemski-ad-gmail-com commented 10 months ago

Déjà vu?


taffit commented 10 months ago

Same here. At VirusTotal, Fortinet marked it as malicious, Arcsight as suspicious. The Microsoft Defender blocks it completely, with the link marked as malicious.
This came in with the last build! For the previous release, everything is ok. I would treat this as malicious until further notice. The link previously looked completely different. This is what the Defender reports (can't download the file to verify):

webfile: C:\~tmp\WAU-Configurator.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/448617645/e7710ebc-d105-4d9d-9723-5186d3ebf3fa?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20231228%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20231228T155814Z&X-Amz-Expires=300&X-Amz-Signature=2d4c54f3fe7fa7d8a904802b3394447d24cfff0e1ce2a9743664e97082ad97f1&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=448617645&response-content-disposition=attachment%3B%20filename%3DWAU-Configurator.zip&response-content-type=application%2Foctet-stream|pid:5936,ProcessStart:133482532884740429

leberschnitzel commented 10 months ago

It seems only the file "WAU Configurator.lnk" inside the archive is "infected". The shortcut does the following: %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; ".\WAU\Gui.ps1"}"

It runs with elevated privileges, sets the execution policy to Bypass, hides the PowerShell window, recursively unblocks all files in the specified directory (which can be useful for removing the "downloaded from the internet" flag), and then executes the Gui.ps1 script located in the .\WAU\ directory.

Creating a shortcut with those parameters doesn't cause it to be flagged, so it seems like there's really something else in the shortcut....

AndrewDemski-ad-gmail-com commented 10 months ago

This will be a recurring theme as long as the project sticks to using a predefined LNK file. It will always be some GEN.TROJAN.XYZ or GEN.BADSTUFF.123. It's all about the detection method used by your AV software. Those are reloaded with every AV definition update and there is nothing we could do to satisfy all AV products on the market.

The only way to get rid of this problem is to whitelist this file, but...

... that will leave your machine exposed to unnecessary risks. Malware does not appear on your machines by itself, and you do not create it yourself; it is usually downloaded from external systems.

Before Xmas I was planning to write a C# executable which would be used as a windowless launcher for the rest of the WAU family of products. I have it in my public repo, but there is a long road before it will be production ready (the compilation workload is missing).

leberschnitzel commented 10 months ago

I know, a bit "old school", but wouldn't a bat work and not cause a trigger? %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; "%~dp0WAU\Gui.ps1"}"

GhostlyCrowd commented 10 months ago

SentinelONE also has a heart attack over every single lnk made or prepackaged by WAU; it also killed and quarantined WAU-Policy.ps1.

AndrewDemski-ad-gmail-com commented 10 months ago

I know, a bit "old school", but wouldn't a bat work and not cause a trigger? %WinDir%\System32\WindowsPowerShell\v1.0\powershell.exe -ep Bypass -w h -C "& {gci -R | Unblock-File; "%~dp0WAU\Gui.ps1"}"

As usual, the devil is in the details. Simply detecting a command for PowerShell to disable/bypass its code execution protection and hide the executed command/command window is enough information for the AV to raise an alarm.

Replacing parameters from the LNK file by moving them to a separate file/script will trigger the same "AV panic".
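As an added example (not code from the WAU project or from anyone in this thread), the PowerShell script below does for every .lnk under a folder what leberschnitzel did by hand above: it reads the shortcut's target and arguments through the WScript.Shell COM object and lists the traits that launcher heuristics react to (the execution-policy bypass, the hidden window and the recursive Unblock-File that strips the mark-of-the-web). The pattern list is my own assumption for illustration, not Defender's or SentinelOne's actual rules, and `$Path` is a placeholder for wherever the downloaded archive was extracted.

```powershell
# Added example, not code from the WAU project or from this issue thread.
# Reads every .lnk under $Path through the WScript.Shell COM object and reports
# the traits that PowerShell-launcher heuristics react to, so a user can see
# what a flagged shortcut actually runs before deciding to trust it.
param(
    # Placeholder: folder where the downloaded archive was extracted.
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Pattern list is an assumption made for this example, not any vendor's signature set.
$suspiciousPatterns = [ordered]@{
    'ExecutionPolicy Bypass'     = '(?i)-(ep|ex|exec|executionpolicy)\s+bypass'
    'Hidden window'              = '(?i)-(w|win|windowstyle)\s+h(idden)?\b'
    'Encoded command'            = '(?i)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
    'Unblock-File (strips MOTW)' = '(?i)\bunblock-file\b'
    'Download cradle'            = '(?i)(invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer)'
}

function Get-ShortcutRisk {
    param([Parameter(Mandatory = $true)][string]$LinkPath)

    # WshShortcut exposes the fields stored in the .lnk; no execution happens here.
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut((Resolve-Path -LiteralPath $LinkPath).Path)
    $commandLine = "$($lnk.TargetPath) $($lnk.Arguments)"

    # Collect the names of every pattern that matches the reconstructed command line.
    $findings = @(
        foreach ($name in $suspiciousPatterns.Keys) {
            if ($commandLine -match $suspiciousPatterns[$name]) { $name }
        }
    )

    $verdict = switch ($findings.Count) {
        0       { 'no launcher heuristics triggered' }
        1       { 'one trait; read the arguments' }
        default { 'several traits; verify the script it launches before running' }
    }

    [pscustomobject]@{
        Shortcut    = $LinkPath
        Target      = $lnk.TargetPath
        Arguments   = $lnk.Arguments
        WorkingDir  = $lnk.WorkingDirectory
        WindowStyle = $lnk.WindowStyle   # 1 = normal, 3 = maximized, 7 = minimized
        Findings    = $findings
        Verdict     = $verdict
    }
}

Get-ChildItem -LiteralPath $Path -Recurse -Filter *.lnk |
    ForEach-Object { Get-ShortcutRisk -LinkPath $_.FullName } |
    Format-List
```

Run against the extracted archive, the configurator shortcut quoted above yields three findings (ExecutionPolicy Bypass, Hidden window, Unblock-File), which is exactly the profile a loader would present. None of those traits is malicious on its own, but together they are what a signature-free "!ml" verdict scores on, so the useful follow-up is to open the script named in the Arguments field (here .\WAU\Gui.ps1) and compare it with the source in the repository rather than to whitelist the file blindly.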

taffit commented 10 months ago

Windows Defender now also lets you download the file without any complaints.
A small section in the ReadMe explaining potential false alarms and why these can happen (with a link to this issue) may help in the future, as users then already know that this is known and most probably just a false positive and that within days the AV will have corrected it.
Btw, thank you for this wonderful piece of software ...

github-actions[bot] commented 9 months ago

This issue is stale because it has been open for 30 days with no activity.

Romanitho commented 8 months ago

Thanks :) Anyway, for the next version we probably need to think about another way to have it simple without antivirus screaming. I thought a "shortcut" would be simple, but I underestimated antiviruses :p

Romanitho commented 8 months ago

Could you please test with the latest pre-release (1.19.2-7)? Small change, but maybe make the diff :p

rvtdadmin commented 8 months ago

Could you please test with the latest pre-release (1.19.2-6)? Small change, but maybe make the diff :p

1.19.2-6 and 1.19.2.7 still have this issue with Windows Defender.

taffit commented 8 months ago

I was able to download both without any problems. But my Defender now doesn't complain even on the 1.19.1, where the problem first arose.

github-actions[bot] commented 7 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 7 months ago

This issue was closed because it has been inactive for 14 days since being marked as stale.