brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0

Label Updater so Windows RansomWare knows what it is. #6042

Open Midnex opened 5 years ago

Midnex commented 5 years ago

Description

When Brave attempts to update, it runs an exe called setup.exe. This program is generically named and flagged by Windows Ransomware Protection. It simply sees it as Setup.exe with no further information. Searching for the file and seeing it has the same timestamp as the alert finally made me realize it was Brave trying to update, though I had it blocked via Ransomware Protection.

Steps to Reproduce

  1. Enable Ransomware Protection in Windows
  2. Attempt to update Brave
  3. Watch as Windows flags and blocks the installation.

Expected result:

To show BraveSetup.exe or something to say it's not some generic virus trying to be installed. I blocked it for 4 months till I finally decided to check it out.

rebron commented 5 years ago

cc: @Brave-Matt Do you see any more reports on this, being flagged/blocked by Windows Ransomware? I'd think we'd see more reports.

Midnex commented 5 years ago

I can't imagine you would see too many more, as Ransomware Protection isn't super popular or on by default. Then pairing it with the inability of Windows to say who the vendor of a piece of software belongs to. All they get is setup.exe with no further info. Digging deeper into things was the only reason I found it.

@rebron

mkarolin commented 5 years ago

Not sure what specifically causes Windows Defender to identify the exe as ransomware, but getting an EV signing cert may help with Windows Defender in general (https://blogs.msdn.microsoft.com/ie/2012/08/14/microsoft-smartscreen-extended-validation-ev-code-signing-certificates/)

Midnex commented 5 years ago

Windows Defender is not identifying it as ransomware. It is blocking access to it, as it is trying to access folders it does not have privileges to access. In this case %common_desktop%, from application setup.exe, as it is a controlled folder.

What Ransomware Protection does when enabled is lock down key locations where users store their files, such as the Desktop, My Documents, and other key areas. It also protects certain memory addresses and system files. Thus ransomware cannot encrypt your data without you giving it access by selecting Allow on device.

Since Brave's updater is named setup.exe and is accessing %common_desktop%, it is blocking it by default, as intended by default settings. Every time the application changes, it will alert the user it has been blocked and they can allow access if they trust it.

And again, since it is named setup.exe, little to no one will accept it blindly.

Thus the resolution is to change the setup.exe to BraveSetup.exe or similar to be identified by the user when it triggers an alert from Ransomware Protection.

It would be an extremely easy fix.

Midnex commented 3 years ago

Hard to believe a year later, you are unable to add a window telling users that Ransomware Protection is enabled, and the user needs to add it. Hell, you can even pop up a 1-line signed PowerShell script to do it. Then continue the install process.

As this is still an issue and has not been fixed.
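
The thread turns on a Controlled Folder Access alert that names only `setup.exe`. As an added example (not part of the thread and not Brave's code), this PowerShell lists recent block events and resolves each blocked binary to its Authenticode signer and version metadata, so a generically named installer can be attributed before it is allowed. It assumes the Defender operational log records blocks as event ID 1123 with `Process Name` and `Path` data fields, and that it is run from an elevated prompt.

```powershell
# Added example: attribute Controlled Folder Access blocks to a signer.
# Assumption: event 1123 carries 'Process Name' and 'Path' in its EventData.
$DefenderLog = 'Microsoft-Windows-Windows Defender/Operational'

function Get-CfaBlock {
    param([int]$MaxEvents = 50)

    $events = Get-WinEvent -FilterHashtable @{ LogName = $DefenderLog; Id = 1123 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # Flatten <Data Name="...">value</Data> elements into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }

        $exe = $data['Process Name']
        $sig = $null
        $ver = $null
        # Updaters often delete themselves; the file may be gone by now.
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            $ver = (Get-Item -LiteralPath $exe).VersionInfo
        }

        $signer = $null
        if ($sig -and $sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        $status = 'file not found'
        if ($sig) { $status = [string]$sig.Status }
        $product = $null
        if ($ver) { $product = $ver.ProductName }

        [pscustomobject]@{
            Time            = $evt.TimeCreated
            BlockedProcess  = $exe
            ProtectedPath   = $data['Path']
            SignatureStatus = $status      # 'Valid' means the signature verified
            Signer          = $signer      # certificate subject, i.e. the vendor
            ProductName     = $product     # from the file's version resource
        }
    }
}

# Current mode (0 = off, 1 = block, 2 = audit) and the existing allow list.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess, ControlledFolderAccessAllowedApplications
Get-CfaBlock | Format-List
```

Once the signer has been verified, `Add-MpPreference -ControlledFolderAccessAllowedApplications` with the full path adds the binary to the allow list; as the thread notes, the alert recurs when the application changes.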