Open jmichalak9 opened 7 months ago
If you're encountering this, please try to submit it to https://www.microsoft.com/en-us/wdsi/filesubmission to report it as a false positive.
@niheaven It seems the false positive is raised because of the patch #5901
v0.3.1 https://www.virustotal.com/gui/file/43369f44e355a81dc2c1379ff05f9e00aca2d3c420501d9b9c2577d8093217c8
https://github.com/ScoopInstaller/Scoop/commit/92b71c6057a1a594beeab416cc4d002da17867b1 https://www.virustotal.com/gui/file/86fec3cb86da8f64404538723a15389354a38bfea0aace8e53a8a502081d9691
v0.4.0/PR5901 https://www.virustotal.com/gui/file/c6df0ca246fc75ed71e689433f941bbdcef160f674a4350243c674a10ed718a2
Wow, I'll use `Invoke-WebRequest` instead and fix the issue.
@niheaven I would like to add that `scoop checkup` - which I would guess is what many users would turn to to check if there are any issues - doesn't report any problems even when the .ps1 file is missing:
```
PS C:\Users\xxxxx\scoop\apps\scoop\current> git status
On branch master
Your branch is up to date with 'origin/master'.
Changes not staged for commit:
(use "git add/rm <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
deleted: lib/autoupdate.ps1
no changes added to commit (use "git add" and/or "git commit -a")
PS C:\Users\xxxxx\scoop\apps\scoop\current> scoop checkup
No problems identified!
```
I think that update functionality being disabled due to Windows Defender would qualify as a ... rather serious problem in my opinion.
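A check along the lines the comment above asks for, as an added example that is not part of the thread or of Scoop's own code: it lists tracked files missing from Scoop's core checkout and, where the Defender cmdlets are available, any Defender detections whose resources fall under the Scoop directory. The function name `Test-ScoopCoreIntegrity` and the default install location (`$env:SCOOP`, else `~\scoop`) are assumptions.

```powershell
# Added example, not Scoop code. Test-ScoopCoreIntegrity is a hypothetical name.
function Test-ScoopCoreIntegrity {
    param(
        # Assumption: default Scoop layout, matching the paths shown in this thread.
        [string]$ScoopRoot = $(if ($env:SCOOP) { $env:SCOOP } else { Join-Path $HOME 'scoop' })
    )
    $core = Join-Path $ScoopRoot 'apps\scoop\current'
    if (-not (Test-Path (Join-Path $core '.git'))) {
        Write-Warning "No git checkout at $core; cannot compare against tracked files."
        return
    }

    # 'git ls-files --deleted' prints tracked files that are gone from the working tree,
    # which is the state a quarantined lib/autoupdate.ps1 leaves behind.
    $missing = @(git -C $core ls-files --deleted)

    # Correlate with Defender's detection history when the Defender module is present.
    $detections = @()
    if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
        $detections = @(Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Resources | Where-Object {
                    $_ -and $_.IndexOf($ScoopRoot, [StringComparison]::OrdinalIgnoreCase) -ge 0
                }
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Time      = $_.InitialDetectionTime
                    Threat    = (Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue).ThreatName
                    Resources = $_.Resources -join '; '
                }
            })
    }

    [pscustomobject]@{
        CorePath     = $core
        MissingFiles = $missing
        Detections   = $detections
        Healthy      = ($missing.Count -eq 0)
    }
}

$result = Test-ScoopCoreIntegrity
if ($result -and -not $result.Healthy) {
    Write-Warning ('Tracked Scoop files are missing: ' + ($result.MissingFiles -join ', '))
    $result.Detections | Format-Table -AutoSize -Wrap
}
```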
Also affects new installs; here in Docker, making it more difficult to exclude from the virus scanner.
```
2024-04-22T07:30:33.6881729Z Step 7/13 : RUN irm get.scoop.sh -outfile install.ps1; .\install.ps1 -RunAsAdmin; scoop install main/7zip;;
2024-04-22T07:30:33.8430414Z ---> Running in 3629da8077f1
2024-04-22T07:30:38.4945464Z Initializing...
2024-04-22T07:30:40.6795750Z Downloading...
2024-04-22T07:30:41.6057646Z Extracting...
2024-04-22T07:30:42.8142822Z Copy-Item : Operation did not complete successfully because the file contains
2024-04-22T07:30:42.8144321Z a virus or potentially unwanted software.
2024-04-22T07:30:42.8145560Z At C:\wdp\install.ps1:623 char:9
2024-04-22T07:30:42.8146883Z + Copy-Item "$scoopUnzipTempDir\scoop-*\*" $SCOOP_APP_DIR -Recu ...
2024-04-22T07:30:42.8147413Z + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2024-04-22T07:30:42.8149045Z  + CategoryInfo : WriteError: (autoupdate.ps1:FileInfo) [Copy-Item
2024-04-22T07:30:42.8150110Z  ], IOException
2024-04-22T07:30:42.8153508Z  + FullyQualifiedErrorId : CopyDirectoryInfoItemIOError,Microsoft.PowerShel
2024-04-22T07:30:42.8155033Z  l.Commands.CopyItemCommand
2024-04-22T07:30:42.8157965Z
2024-04-22T07:32:20.4560304Z The command 'powershell -Command $ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue'; irm get.scoop.sh -outfile install.ps1; .\install.ps1 -RunAsAdmin; scoop install main/7zip;' returned a non-zero code: 1
```
Not only Windows Defender but the CrowdStrike Falcon malware scan also detected it.
The v0.4.1 release is not a malware here anymore ;) `scoop\apps\scoop\current\lib\autoupdate.ps1` is not deleted.
v0.4.2 still appears to be affected. Running CrowdStrike Falcon here.
Do you have any alerts in CS? I have the same problem (and CS) but there are no detections in the console -- so I suspect this may be something else
I'm not encountering the issue on 0.5.0 anymore.
Previously I had to replace autoupdate.ps1 with an empty file to not have it deleted by CrowdStrike, but also satisfy scoop, to some extent.
After running git reset on the local scoop repo, I'm able to use scoop as usual without CrowdStrike removing autoupdate.ps1.
This happens with CarbonBlack also with core.ps1
I'm not sure this one is scoop's fault, but I expect there will be other people who end up here. I'm updating fzf (to 0.56.0) via scoop and I get the Wacatac strike block it here, too:
```
Updating 'fzf' (0.55.0 -> 0.56.0)
Downloading new version
fzf-0.56.0-windows_amd64.zip (1.7 MB) [==========================================================================================================================================================] 100%
Checking hash of fzf-0.56.0-windows_amd64.zip ...
Get-FileHash: C:\Users\Someone\scoop\apps\scoop\current\lib\install.ps1:634
Line |
 634 | $actual = (Get-FileHash -Path $file -Algorithm $algorithm).Hash.T …
     | ~~~~~~~~~~
     | Operation did not complete successfully because the file contains a virus or potentially unwanted software. : 'C:\Users\Someone\scoop\cache\fzf#0.56.0#cbd2311.zip'
InvalidOperation: C:\Users\Someone\scoop\apps\scoop\current\lib\install.ps1:634
Line |
 634 | $actual = (Get-FileHash -Path $file -Algorithm $algorithm).Hash.T …
     | ~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.
Get-Content: C:\Users\Someone\scoop\apps\scoop\current\lib\core.ps1:1376
Line |
1376 | return Get-Content $file -AsByteStream -TotalCount 8
     | ~~~~~~~~~
     | Operation did not complete successfully because the file contains a virus or potentially unwanted software. : 'C:\Users\Someone\scoop\cache\fzf#0.56.0#cbd2311.zip'
ERROR Hash check failed!
App: main/fzf
URL: https://github.com/junegunn/fzf/releases/download/v0.56.0/fzf-0.56.0-windows_amd64.zip
First bytes:
Expected: 116cf92206ca23217cc75deacc61755a8ed926a37a3e24c1338f128dd9a8ba3d
Actual:
Please try again or create a new issue by using the following link and paste your console output: https://github.com/ScoopInstaller/Main/issues/new?title=fzf%400.56.0%3a+hash+check+failed
```
same issue, any update on this?
@chunibyo-wly In your screenshot it's fzf ( https://github.com/ScoopInstaller/Main/blob/master/bucket/fzf.json ) that was blocked, not Scoop.
Bug Report
Current Behavior
During `scoop update` it shows `WARN Uncommitted changes detected. Update aborted.`
This happens because `lib/autoupdate.ps1` is deleted by Windows (it is reported as `Trojan:Script/Wacatac.B!m`).
Expected Behavior
Scoop files not reported as malware. Successful Scoop update.
System details
Windows version: 11
OS architecture: 64bit
PowerShell version: 5.1.22621.2506
Scoop Configuration