chocolatey / choco

Chocolatey - the package manager for Windows
https://chocolatey.org

Get-ChocolateyWebFile.ps1 detected as malicious from ESET #3423

Open goshostoychev opened 2 months ago

goshostoychev commented 2 months ago

Checklist

What You Are Seeing?

Hello, About two hours ago (GMT+3), we started to receive thousands of alarms from our antivirus software, stating that it found a malicious file at C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1. We checked the file signature, and at first, it says that the file is unsigned, and now, after we tried to make a clean install of chocolatey, the file status is "UnknownError". Have you recently made any changes on your side? What could be the possible reason for this? Link to the Discord chat, where we had a discussion about the issue - https://discord.com/channels/778552361454141460/897097047801475103

What is Expected?

No alarm from the antivirus software about a malicious file from chocolatey.

How Did You Get This To Happen?

We haven't done anything to make this happen. You can reproduce the issue by deleting the chocolatey folder in ProgramData and running the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

System Details

Installed Packages

Chocolatey v2.2.2 Business
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919442 1.0.20160915
puppet-agent 5.3.3

Output Log

Chocolatey is running on Windows v 10.0.19045.0
Attempting to delete file "C:/ProgramData/chocolatey/choco.exe.old".
Attempting to delete file "C:\ProgramData\chocolatey\choco.exe.old".
Command line: "C:\ProgramData\chocolatey\choco.exe" --debug --verbose
Received arguments: --debug --verbose
RemovePendingPackagesTask is now ready and waiting for PreRunMessage.
CountdownTask is now ready and waiting for PostRunMessage.
Terminal services setup not necessary for this session.
SynchronizeTask is now ready and waiting for PreRunMessage.
PackagesInProgramsAndFeaturesTask is now ready and waiting for PostRunMessage.
Sending message 'PreRunMessage' out if there are subscribers...
[Pending] Removing all pending packages that should not be considered installed...
[Synchronize] Updating packages with Programs and Features
[Synchronize] Currently only supports removals. Soon will handle updates.
Resolving resource PackageSearchResource for source C:\ProgramData\chocolatey\lib
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3035131 1.0.3
puppet-agent 5.3.3
Sending message 'PostRunMessage' out if there are subscribers...
[Countdown] Determining how long until license expires
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
puppet-agent 5.3.3
[Programs & Features Package Sync] Ensuring all installed packages that don't have software natively installed are not listed in Programs and Features.
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3035131 1.0.3
puppet-agent 5.3.3
Exiting with 1

Additional Context

No response

pauby commented 2 months ago

@goshostoychev can you add the link to the Discord chat we had, to the description above?

goshostoychev commented 2 months ago

@goshostoychev can you add the link to the Discord chat we had, to the description above?

Done.

gep13 commented 2 months ago

@goshostoychev said... You can reproduce the issue by deleting the chocolatey folder in ProgramData and run the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

Can you please clarify the exact steps that you are describing here?

goshostoychev commented 2 months ago

When the chocolatey folder in C:\ProgramData is deleted, and then we run the choco install script from 'https://chocolatey.org/install.ps1' to make a new installation of choco, our antivirus software detects the problematic file in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1".

gep13 commented 2 months ago

And if you delete this file, and attempt the re-installation again?

And, just to confirm, you are executing:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Directly, in an Administrative PowerShell Session, as described in the installation page here.

goshostoychev commented 2 months ago

Yes, we are deleting the whole choco folder and we are re-installing it. The command we are executing is this:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The command is being run as the built-in SYSTEM user.

goshostoychev commented 2 months ago

This is the response we got from the ESET support:

From time to time we have cases of this kind of False Positive from ESET. It's completely normal, most likely a new update with definitions/signatures was released and that's where the detection itself comes from.

If you think it's a False Positive, Chocolatey colleagues, as well as yourself, can come forward to ESET and report the False Positive. Accordingly, ESET colleagues have a whole page to help with this process: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab

Basically within the day, the following reporting of such issue is fixed, so you can file a similar False Positive report in the manner described in the article, so that the developers can fix the anomaly.

gep13 commented 2 months ago

@goshostoychev said.... Yes, we are deleting the whole choco folder and we are re-installing it

Can I ask that you be very clear about what you are referring to?

Which folder are you referring to here? The chocolatey folder within the C:\ProgramData folder, or the chocolatey folder within the C:\Windows\Temp folder?

goshostoychev commented 2 months ago

We are deleting the C:\ProgramData folder, but when we try to re-install choco, our antivirus detects the problematic file in C:\Windows\Temp.

gep13 commented 2 months ago

Thank you for the clarification!

During the fresh installation of Chocolatey CLI, the contents of the Chocolatey nupkg will be extracted to the TEMP folder, this is normal behaviour. What I would like to clarify further, based on the discussion that was had in Discord, is whether the file in the TEMP folder is correctly signed using the Chocolatey certificate. Can you please clarify if this is the case on your system?
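One way to do the check gep13 asks for here, as an added example that is not code from the Chocolatey project: it runs Get-AuthenticodeSignature over the helpers folder and compares the installed copy of Get-ChocolateyWebFile.ps1 with the copy extracted to TEMP. The paths are the ones quoted in this issue and the function name is an assumption of this example.

```powershell
# Added example (not Chocolatey's own code): report the Authenticode status of every
# helper script under a Chocolatey 'helpers' folder, then compare the two copies of
# Get-ChocolateyWebFile.ps1 named in this issue. Run from an elevated PowerShell session.
function Get-ChocoHelperSignatureReport {
    param(
        [string]$HelpersDir = 'C:\ProgramData\chocolatey\helpers'  # path quoted in the issue
    )
    Get-ChildItem -LiteralPath $HelpersDir -Recurse -Filter '*.ps1' | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status                     # Valid, NotSigned, HashMismatch, UnknownError, ...
            Message = $sig.StatusMessage              # explains an UnknownError (e.g. chain/trust problems)
            Signer  = $sig.SignerCertificate.Subject  # $null when the file carries no signature
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Anything other than 'Valid' deserves a look: NotSigned or HashMismatch means the
# script on disk is not the one Chocolatey shipped, which is the situation gep13
# describes; UnknownError is explained by the Message column.
Get-ChocoHelperSignatureReport | Where-Object Status -ne 'Valid' | Format-Table -AutoSize

# Compare the installed copy with the copy extracted to TEMP during a fresh install.
# Identical hashes mean the AV flagged the unmodified shipped file (a false positive
# to report to the vendor); different hashes mean one of the copies has been altered.
$installed = 'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1'
$extracted = 'C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions\Get-ChocolateyWebFile.ps1'
foreach ($p in @($installed, $extracted)) {
    if (Test-Path -LiteralPath $p) {
        $status = (Get-AuthenticodeSignature -LiteralPath $p).Status
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        Write-Output ("{0,-13} {1} {2}" -f $status, $hash, $p)
    } else {
        # A missing file is itself a finding: m4ttyj reports that ESET deletes it outright.
        Write-Output ("{0,-13} {1}" -f 'MISSING', $p)
    }
}
```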

goshostoychev commented 2 months ago

We have just tested a fresh installation again, and this time the 'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1' comes with a valid signature.

Did you make any changes on your side, or maybe after the next update of the ESET antivirus definitions the file is no longer marked as malicious?

gep13 commented 2 months ago

@goshostoychev said... Did you make any changes on your side, or maybe after the next update of the ESET antivirus definitions the file is no longer marked as malicious?

No, no changes have been made on our side.

goshostoychev commented 2 months ago

About the response we got from ESET - are you going to take what steps are necessary to submit this file as false-positive to ESET, so that they can whitelist it, or make the needed adjustments to the file? And please, let us know of the result.

gep13 commented 2 months ago

@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this.

As such, I am going to close this issue, but feel free to respond to it if you have any other comments.

m4ttyj commented 2 months ago

Not an isolated incident. We've had this flagged up too!

gep13 commented 2 months ago

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

m4ttyj commented 2 months ago

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

It was ESET. I’ll get you the logs from the portal so you can see what it picked up, but we are experiencing the same as above.

m4ttyj commented 2 months ago

See attached screenshot @gep13 ESETAlert-Choco

gep13 commented 2 months ago

@m4ttyj thank you for providing that screenshot.

I am not sure how much help we will be able to be with this report. Chocolatey CLI does not install into that folder by default, and I am not familiar with RepairTech, so I can't speak to what process is being followed to place the files there.

As a side question, was the outcome of this ESET detection that the file in question was moved to some form of quarantine folder, or did it remain in place in that location?

m4ttyj commented 2 months ago

Hi

RepairTech is SyncroMSP. It's used to update default apps like Adobe Reader etc.

However I thought it would be useful as it’s the same file and the same reaction (although the location is different)

ESET deletes the file.

gep13 commented 2 months ago

@m4ttyj said... ESET deletes the file.

Thank you for confirming, this helps with understanding what is going on, and answers some of the internal discussions that we have been having about this.