Bearfoos malware detected

[stoopman]

Description

Azure Defender for Cloud reports the following security alert when building the win22/20240922.1 image:

'Bearfoos' malware was detected on this device. An attacker might be attempting to move laterally to this device from another device on the network. Defender detected 'Bearfoos' malware in bindgen.exe which was modified by the remotely invoked process powershell.exe via WinRs

Platforms affected

• [X] Azure DevOps
• [ ] GitHub Actions - Standard Runners
• [ ] GitHub Actions - Larger Runners

Runner images affected

• [ ] Ubuntu 20.04
• [ ] Ubuntu 22.04
• [ ] Ubuntu 24.04
• [ ] macOS 12
• [ ] macOS 13
• [ ] macOS 13 Arm64
• [ ] macOS 14
• [ ] macOS 14 Arm64
• [ ] macOS 15
• [ ] macOS 15 Arm64
• [ ] Windows Server 2019
• [X] Windows Server 2022

Image version and build link

windows-latest

Is it regression?

Unsure

Expected behavior

No malware detection

Actual behavior

Azure Defender for Cloud reports the following security alert when building the win22/20240922.1 image:

'Bearfoos' malware was detected on this device. An attacker might be attempting to move laterally to this device from another device on the network. Defender detected 'Bearfoos' malware in bindgen.exe which was modified by the remotely invoked process powershell.exe >via WinRs

Repro steps

Run the build of the windows 2022 image and have Azure Defender scan the build VM

[vidyasagarnimmagaddi]

Hi @stoopman , Thank you for bringing this issue to us. We are looking into this issue and will update you on this issue after investigating