VBA-tools / VBA-Web

VBA-Web: Connect VBA, Excel, Access, and Office for Windows and Mac to web services and the web
http://vba-tools.github.io/VBA-Web/
MIT License

Recent update of Windows Defender/Security essentials identify "TrojanDownloader:O97M/Obfuse.RBS!MTB" in 4.16 (WebHelpers module) #443

Closed Externaluse closed 4 years ago

Externaluse commented 4 years ago

Hi, I'm running a workbook that uses 4.16. As recently as this morning (Security Essentials Virus definition 1.319.2157.0 [UPDATE: Repeated with definitions 1.319.2163.0]) several colleagues and I found that we cannot open the workbook because it is corrupted. Both Security Essentials on Windows 7 and Windows Defender on Windows 10 identify the WebHelpers module as TrojanDownloader:O97M/Obfuse.RBS!MTB

I've downloaded the latest release and opened VBA-Web Blank. Attempting to save it will corrupt the file, the save fails. Upon successive attempts from a clean slate, removing the Web Helpers module will allow saving, no threat is detected.

I will start to remove code little by little in order to try and identify the offending code, but given that it is 3000+ lines I would appreciate if others could confirm the bug and help to identify the code that triggers Security Essentials.

Excluding the workbook from scanning doesn't help, because a temporary file is created upon saving. That file has a random name without an extension, e.g. "F2FAF3B80". If that triggers the scanner, the save of the original file is considered to have failed.

Externaluse commented 4 years ago

I have filed an "incorrect detection" submission to Microsoft Security Intelligence. It'd be helpful if others were to do that, too. https://www.microsoft.com/en-us/wdsi/filesubmission Just upload WebHelpers.bas from the src subdirectory, and mention the GitHub URL of the software package.

Further updates are kept on https://stackoverflow.com/questions/63072188/vba-web-4-16-module-webhelpers-identified-as-trojandownloadero97m-obfuse-rbs

wreevesc commented 4 years ago

Same issue. Also submitted to MS. Thank you for the link.

Externaluse commented 4 years ago

MS have responded:

We have analysed the logs and we have found that the below file, file:_C:\ProgramData...\VBA-Web-Temp\9FE46B80->xl/vbaProject.bin is getting detected by the name: TrojanDownloader:O97M/Obfuse.RBS!MTB Kindly send us the SHA256 of the above mentioned file, so that we can take appropriate action on it.

I'm kinda happy to do that, but that won't help other projects I gather. I guess they mean to hash the entire file, which is something, but the hash of my project using it will be different. I'll send it anyway for now and see where it takes me.
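Added example (not part of this thread or of the VBA-Web project): a short Python script that pulls `xl/vbaProject.bin` out of an .xlsm (which is a zip container) and hashes both the whole workbook and the embedded VBA project, since the Microsoft reply above asks for the SHA256 of that member. The sample workbooks it builds are constructed stand-ins, not real Office files.

```python
import hashlib
import io
import zipfile

# Member path of the compiled VBA project inside an Office Open XML workbook;
# this is the file Microsoft's reply names as the one being detected.
VBA_PROJECT_MEMBER = "xl/vbaProject.bin"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def workbook_hashes(xlsm_bytes: bytes) -> dict:
    """SHA-256 of the whole .xlsm container and of the embedded VBA project.

    Returns {"container": <hex>, "vba_project": <hex>}; "vba_project" is None
    when the workbook carries no VBA project (a plain .xlsx, for instance).
    """
    result = {"container": sha256_hex(xlsm_bytes), "vba_project": None}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as zf:
        if VBA_PROJECT_MEMBER in zf.namelist():
            result["vba_project"] = sha256_hex(zf.read(VBA_PROJECT_MEMBER))
    return result


def build_sample_xlsm(vba_project, sheet_xml: bytes) -> bytes:
    """Constructed stand-in for an .xlsm: a zip with the member layout of a
    macro-enabled workbook. Not a real Office file, just enough to exercise
    workbook_hashes() offline. Pass vba_project=None to omit the project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("xl/workbook.xml", b"<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if vba_project is not None:
            zf.writestr(VBA_PROJECT_MEMBER, vba_project)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the same VBA project embedded in two workbooks that
    # differ only in sheet content, as when several users ship the same module.
    project = b"CONSTRUCTED-VBA-PROJECT-BYTES"
    a = workbook_hashes(build_sample_xlsm(project, b"<sheet>alpha</sheet>"))
    b = workbook_hashes(build_sample_xlsm(project, b"<sheet>beta</sheet>"))
    print("container A:", a["container"])
    print("container B:", b["container"])
    print("vbaProject :", a["vba_project"], "(same in both)" if a["vba_project"] == b["vba_project"] else "(differs)")
```

Against a real workbook, read it with `open(path, "rb").read()` and pass the bytes to `workbook_hashes()`; the container hash differs per workbook while the `vba_project` hash identifies the embedded project itself.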

rathboma commented 4 years ago

I'm having this issue -- I develop custom Spreadsheets for clients, and they are starting to see this issue.

@Externaluse From your SO post, looks like they confirmed your code did not contain malware. Did that resolve the issue for you?

Not sure how to resolve this issue myself and for all future versions of my spreadsheets.

rathboma commented 4 years ago

@timhall Would love your input here, this feels like a fairly urgent problem if thousands of spreadsheets worldwide suddenly start being reported as malware.

Not totally sure how to wholesale get these unmarked as malware.

afdent commented 4 years ago

I reported the same some weeks ago; W10 erased all macros from my project! I solved it by uninstalling WD. Please note that if checking the spreadsheet with other antivirus, nothing happens. Microsoft generates problems once again.

On Mon, 27 Jul 2020, 05:24 Matthew Rathbone notifications@github.com wrote:

@timhall https://github.com/timhall Would love your input here, this feels like a fairly urgent problem if thousands of spreadsheets worldwide suddenly start being reported as malware.


rathboma commented 4 years ago

This is now resolved, response from Microsoft:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

rathboma commented 4 years ago

This is all thanks to the legendary Scott Hanselman - https://twitter.com/shanselman I had a twitter conversation with him last night about it and this morning it is resolved.

Externaluse commented 4 years ago

Great news. However, Outlook/Exchange Online (on 365) still reports that file: Time received: 7/27/2020 8:44:53 AM Message ID:<...> Detections found: Filenname.xlsm O97M/Obfuse.RBS!MTB

I'll check if the Windows Defender method above works with Security Essentials on W7, too.

Externaluse commented 4 years ago

The latest Defender/Sec Essentials update fixes the problem, the manual steps above should no longer be required.