alexlauerman / UpdateToken

Burp extension to use updated token values, such as a bearer token

False positive virus in release zip file? #3

Open unnes opened 6 years ago

unnes commented 6 years ago

Windows Defender on Windows 10 seems to be flagging the UpdateToken.zip file in Releases as malicious and containing "Trojan:Java/Tisifi.A". I have replicated this behavior on two separate Win 10 Pro 1803 machines.

screencap

alexlauerman commented 6 years ago

Thanks. I was able to reproduce it, even though the jar I have on my machine was never flagged. By the way, this is in the BApp store (they renamed it Token Incrementor).

I'll let you know if I figure out why Defender is flagging it. Hopefully just a bad signature by Microsoft, but I don't want to assume.

alexlauerman commented 6 years ago

I just downloaded the zip file to a whitelisted folder, then copied it out, re-scanned it with Defender, and also extracted it and scanned it. I couldn't get it to reflag it without downloading it. It seems to only flag on download, but once it's downloaded, Defender is okay with it. Maybe you can reproduce this to make sure I'm not crazy, because this makes little sense to me.

I also uploaded the "virus" zip file to VirusTotal and it was okay with it (it looks like you may have done this already). https://www.virustotal.com/#/file/4224d78093d57ef58e4fbb7bd226fb613e6d505118485063277ca57920d37e82/detection

unnes commented 6 years ago

Ah cool, I'll snag it from the BApp store then. And yeah, that was me who submitted it to VirusTotal and Kaspersky; I didn't believe that Defender's flag was valid, but I wanted some reassurance from online scanners before I redownloaded the file.

unnes commented 6 years ago

Additionally -- yes I independently found what you found -- Defender only flags the downloads but gives the actual downloaded file a green light. In fact, Windows only seemed to care about the zip when I downloaded it in Chrome... Firefox downloaded the file just fine. I didn't take the time to replicate this behavior so it could just be a fluke, but in any case the flagging of this file certainly is a bit odd.

alexlauerman commented 6 years ago

Closing because I think this was just a random FP from a bad Defender update.

alexlauerman commented 2 years ago

Looks like this issue is back. Reopening.