Closed emeraldtip closed 2 weeks ago
WTF. It does complain for 0.6.2 too?
Nope
False positive report to Microsoft required prob. This "detection" seemed to kick MS's own system internal services out 💀
If it doesn't work take your install/unpack dir, e.g. C:\Expand\crupkg\ecode and paste it into excluded directories or exclusions.
In every cell of my body I do not recommend running defender-only.
That is crazy, literally a single line of code was changed and actually is a reverted line. And binary packages are auto generated by the CI. I'm clueless, maybe repackaging it again will be enough. But I want to understand the problem.
Unrelated, but @NullPlane what light-weight, free AV do you recommend in that case?
@NullPlane it does trigger for you? I just tested Windows 11 with Windows Defender activated and it's not triggering here.
Virustotal, however, says that the file is clean: https://www.virustotal.com/gui/file/c557b99aa2d6c2dada3797910100f95bfa26766b28724c4f4ce424c5a383401e
You uploaded the "Source Code.zip" file generated by GitHub from ecode repository, there's nothing to analyse there. What needs to be checked is ecode-windows-0.6.3-x86_64.zip, I've tried but page doesn't work properly for me :shrug:.
I just built ecode 0.6.3 from my personal computer, can you try this one? If it works I'll replace it: ecode-windows-0.6.3-x86_64.zip.
Thanks.
Oh yeah, accidentally uploaded wrong zip lmao. I also tested the executable itself on a friend's PC, cause it would get autodeleted from mine, but forgot to grab the link for that.
Will test it out rn
It doesn't seem to be pissed off anymore
That's extremely odd, but also a relief, I'll upload that file then. Thanks for testing and reporting it!
If you have some time could you please try to run the nightly build? Maybe CI produced files are "weird" for Windows Defender (although it didn't complain for me): https://github.com/SpartanJ/eepp/releases/download/nightly/ecode-windows-nightly-x86_64.zip
Nope that doesn't trigger anything, only the original 0.6.3 build
Ok, that's better, it's a very rare false positive from Windows Defender, a simple rebuild was enough to avoid it so we will probably be safe in the future. Thanks for testing. I'll close the issue since it's """fixed""".
Update - it's freaking out again
Nightly still doesn't get flagged
Virustotal still doesn't flag it
And now it doesn't flag it anymore???????? I have no clue what is going on with defender
@NullPlane it does trigger for you? I just tested Windows 11 with Windows Defender activated and it's not triggering here.
It does not trigger for me and I do not use defender.
But I've seen this specific trigger pattern for defender. AFAIK the !ml means AI detection, it's like these two-three AVs on VT that flag EVERYTHING, but imo not sure what caused this specific problem
@emeraldtip I may not recommend anything here. But there is plenty of market leaders — Bitdefender, Malwarebytes, Kaspersky if u're not in the US... As long as you do not choose scam products it's fine.
Also I said just try to add a folder exclusion.
If it doesn't work take your install/unpack dir, e.g. C:\Expand\crupkg\ecode and paste it into excluded directories or exclusions.
And now it doesn't flag it anymore????????
I don't know what to say, I'm speechless 🤔. I wonder if this is something on your particular PC or if it will happen to other users. I guess we will see...
But I've seen this specific trigger pattern for defender. AFAIK the !ml means AI detection, it's like these two-three AVs on VT that flag EVERYTHING, but imo not sure what caused this specific problem
Oh, that's ugly. I personally never used any anti-virus, I prefer playing with fire than slowing down basically everything. So I always disable Windows Defender (and damn, sometimes it's hard to completely disable it).
After downloading the newest version, the Windows Defender freaks out over the ecode.exe, saying that it is a trojan and allows for RCE.
Virustotal, however, says that the file is clean: https://www.virustotal.com/gui/file/c557b99aa2d6c2dada3797910100f95bfa26766b28724c4f4ce424c5a383401e
It won't allow me to leave it on the device either, even if I do select "keep on this device". Just deletes the file.
Any ideas?
OS: Windows 11
Windows defender version info: