Squirrel / Squirrel.Windows

An installation and update framework for Windows desktop apps
MIT License
7.31k stars 1.03k forks

Setup.exe from squirrel.windows.2.0.0.nupkg triggers malware warning from Windows Defender (Trojan:Win32/Fuery.C!cl) #1653

Open chrolivier opened 4 years ago

chrolivier commented 4 years ago

Squirrel version(s) 2.0.0

Description The tools\Setup.exe file in the squirrel.windows.2.0.0.nupkg package triggers a malware warning from Windows Defender when it is extracted from the package. I first experienced this on 27 Aug 2020 when running a cake script to build a setup package.

Steps to recreate

  1. Download the NuGet package from https://www.nuget.org/api/v2/package/squirrel.windows/2.0.0
  2. Extract the /tools/setup.exe file from the package.
  3. Right click on the extracted file and view its properties. Windows Defender issues a warning that it detected the following threat in the Setup.exe file: Trojan:Win32/Fuery.C!cl

Expected behavior No antivirus warnings should go off

Additional information I realize this is probably not an issue with Squirrel but actually a false positive from Windows Defender. You may just want to check and submit an issue with Microsoft.

Tested on:
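The steps above, as an added PowerShell reproduction script that is not part of the original report or the Squirrel project. It assumes a Windows machine with Microsoft Defender, network access to nuget.org, PowerShell 5 or later (for Expand-Archive), and MpCmdRun.exe under "$env:ProgramFiles\Windows Defender". The SHA-256 values are taken from the VirusTotal links posted later in this thread, so the script can confirm you are scanning the same bytes other commenters looked at rather than a different build; it also records whether the extracted Setup.exe carries an Authenticode signature, since an unsigned installer is what SmartScreen and AV heuristics distrust most.

```powershell
# Added example (not from the Squirrel project or the issue author).
# Assumptions: writable working directory, Expand-Archive available (PS 5+),
# Microsoft Defender installed with MpCmdRun.exe in the default location.
$ErrorActionPreference = 'Stop'

# Hashes copied from the VirusTotal links in this thread (nupkg and tools/Setup.exe).
$KnownHashes = @{
    'squirrel.windows.2.0.0.nupkg' = '2DAB83FAB60BA7669CA8D192826AD486FFA4556121884CD39C47C7B492703774'
    'tools/Setup.exe'              = '655EA4D8C84E69BA647FF52EE8288B70C6D034235B390D2BC4E657A8297F44E2'
}

$Work    = Join-Path $PWD 'squirrel-2.0.0-check'
$Nupkg   = Join-Path $Work 'squirrel.windows.2.0.0.nupkg'
$Zip     = "$Nupkg.zip"          # Expand-Archive insists on a .zip extension
$Extract = Join-Path $Work 'extracted'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Step 1: fetch the package from the URL given in the report.
Invoke-WebRequest -Uri 'https://www.nuget.org/api/v2/package/squirrel.windows/2.0.0' -OutFile $Nupkg

# Step 2: a .nupkg is a plain zip archive; pull out tools\Setup.exe.
Copy-Item -Path $Nupkg -Destination $Zip -Force
Expand-Archive -Path $Zip -DestinationPath $Extract -Force
$SetupExe = Join-Path $Extract 'tools\Setup.exe'

# Step 3: make sure these are the same bytes that were uploaded to VirusTotal.
$Targets = @(
    @{ File = $Nupkg;    Key = 'squirrel.windows.2.0.0.nupkg' },
    @{ File = $SetupExe; Key = 'tools/Setup.exe' }
)
foreach ($t in $Targets) {
    $hash  = (Get-FileHash -Algorithm SHA256 -Path $t.File).Hash
    $state = if ($hash -eq $KnownHashes[$t.Key]) { 'matches' } else { 'DIFFERS from' }
    Write-Host "$($t.Key): SHA256 $hash $state the hash in the VirusTotal link"
}

# Step 4: note whether the template installer is signed at all.
$sig = Get-AuthenticodeSignature -FilePath $SetupExe
Write-Host "Authenticode status of Setup.exe: $($sig.Status)"

# Step 5: ask Defender for an on-demand scan of just this file instead of
# waiting for real-time protection to react to the Properties dialog.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -Scan -ScanType 3 -File $SetupExe | Out-Null
Write-Host "MpCmdRun exit code: $LASTEXITCODE (0 = clean, 2 = threat found)"

# Step 6: read back the detection name Defender recorded for this path,
# e.g. Trojan:Win32/Fuery.C!cl as in the report.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($SetupExe) } |
    ForEach-Object { Get-MpThreat -ThreatID $_.ThreatID } |
    Select-Object ThreatName, SeverityID
```

Run it from an elevated PowerShell prompt; Get-MpThreatDetection and MpCmdRun both need administrator rights. If the hash check prints DIFFERS, nuget.org served you a different package from the one in the VirusTotal links and the detection results are not comparable with the rest of the thread.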

Skyqula commented 3 years ago

Hi,

I would like to report the same issue. Our software is also built with cake and released with squirrel. As of today, 11 September 2020, we started getting flagged with Trojan:Win32/Fuery.C!cl and Trojan:Win32/Wacatac.B!ml.

After investigation, the .exe files we build are clean. The .exe files created by squirrel are not.

ghost commented 3 years ago

Only Cylance seems to detect the nupkg itself

https://www.virustotal.com/gui/file/2dab83fab60ba7669ca8d192826ad486ffa4556121884cd39c47c7b492703774/detection

Some niche scanners flag setup.exe

https://www.virustotal.com/gui/file/655ea4d8c84e69ba647ff52ee8288b70c6d034235b390d2bc4e657a8297f44e2/detection

At a guess, at some point some adware used Squirrel and instead of writing signatures for the adware, some companies wrote signatures for Squirrel.

Can anyone confirm that the flagging is still happening?

If it does, can you please add the VirusTotal links here?

goaaats commented 3 years ago

We're running into this with 2.0.1 as well.

No choice but to revert. 1.9.1 still reports fine.

https://www.virustotal.com/gui/file/5ac3d9e747d49887bf458daf33370a1bad34492bc4718b8a10197a0d9469ffa8/detection

alexdi220 commented 3 years ago

We've faced the same issue in our software: https://www.virustotal.com/gui/file/2cb395d9d27bb48cee5381bea94b0467e48bd777d34635034c9d5c26e3109e49/detection

Setup.exe is just a renamed ThemeDesignerLauncher.exe.

goaaats commented 3 years ago

Would be nice if the maintainers could rebuild/repackage. Not sure if there is a way to keep this from happening altogether, maybe randomizing the layout of the generated binary.

JKronberger commented 3 years ago

Unfortunately we face the same issue, is there any workaround?

alexdi220 commented 3 years ago

@JKronberger You can contact MS support to add your application to the white list (false positive). We've done it and Defender doesn't trigger a warning for our app.

JKronberger commented 3 years ago

@alexdi220 Thanks for the hint, we will try immediately.

JKronberger commented 3 years ago

We used "Submit a file for malware analysis" (https://www.microsoft.com/en-us/wdsi/filesubmission) and a few days later, our app seems to be on the whitelist. Hopefully it is not added to the blacklist again when we release a new version...?

anaisbetts commented 3 years ago

If you are facing this for your application (i.e. not the template setup.exe distributed with NuGet), here are a few important things to fix it as well as avoid SmartScreen:

  1. Sign your application with a valid Code Signing certificate (I prefer Digicert, but other providers are out there too)
  2. When you distribute your application, always distribute it from the same URL; do not add the file version into the executable name. Even though this is better for users, SmartScreen considers the URL as a big part of how it weighs threats, and releasing on the same URL every time will "build up trust" with that URL