Malware Detected

[grahamehorner]

The msi package gives a Malware Detected for Windows Defender

Win32/Gatrid.E!plock Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items: file:C:\ProgramData\Package Cache{c64a85eb-8274-4df5-999b-8fe704752813}\dotnet-win-x64.1.0.1.001606.exe uninstall:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL{c64a85eb-8274-4df5-999b-8fe704752813} regkey:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL{c64a85eb-8274-4df5-999b-8fe704752813}

Get more information about this item online.

file:C:\ProgramData\Package Cache{c64a85eb-8274-4df5-999b-8fe704752813}\dotnet-win-x64.1.0.1.001606.exe uninstall:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL{c64a85eb-8274-4df5-999b-8fe704752813} regkey:HKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL{c64a85eb-8274-4df5-999b-8fe704752813}

[brthor]

What version of windows are you on? :smile: haven't seen this

cc @Sridhar-MS

[grahamehorner]

Windows 10 insider preview

[grahamehorner]

[ellismg]

I was hitting this as well and reported this internally as a false positive (the problem is that burn.exe from WiX as well as the generated installer .exe was getting flagged) and the Windows Defender folks told me the new definitions won't have this problem. From my internal thread with the Windows Defender folks:

File is now determined as clean which should stop our cloud detection to trigger.

Just refresh the signature definitions by running the sig update via client gui and you should be fine from now on.

So I expect this should be fixed, but haven't had a chance to validate it yet. I was actually working on Installer stuff today so I had to use the heavy hammer of disabling Windows Defender. Would be interested if refreshing fixes this for you and I plan to try the update tomorrow.

[christiannagel]

I just had this issue as well. With updating the defender definitions (1.213.7746.0) this seems to be fixed.

[grahamehorner]

I can confirm that after forcing a manual update of the defender definitions; the msi executable no longer triggers a Malware detected. I would however like to see the msi have a digital signature (temporary one at least) while under development.

[Sridhar-MS]

@grahamehorner, @livarcocc enabled signing of the MSI. But we have not been doing it for daily builds. Created an issue to track that - dotnet/cli#1654

[blackdwarf]

OK, with the issue @Sridhar-MS referenced, I will close this one.

[paleocomburo]

I ran into this problem as well and tried to manually update the Windows Defender definitions, but the installer was still flagged as a threat. I have definitions 1.213.7751.0, which are newer than the 7746.0 that supposedly fixes the issue. They broke it again?

[Sridhar-MS]

@gulerin Which Windows version are you using? I was not able to repro on Windows 10 with Defender definition version - 1.213.7751.0.

[paleocomburo]

Windows 10 Home.

[paleocomburo]

And this happens everytime I tried to execute it:

[grahamehorner]

I can confirm that this is broken on other operating systems versions; with newer defender definitions?

[brandiqa]

Avast antivirus also reports the same. Had to uninstall the dotnet asap!!

[Sridhar-MS]

@brandiqa Can you tell which link you used for installation?

[brandiqa]

https://dotnetcli.blob.core.windows.net/dotnet/beta/Installers/1.0.0-beta-002133/dotnet-dev-win-x64.1.0.0-beta-002133.exe Got the above link from this page: http://dotnet.github.io/getting-started/

[Max13]

Hi there, sorry for hijacking your issue.

I'm reported the same issue with my exe (made with Inno Setup), compiled on a clean installed VM with Windows 7 original. I'm sharing in case we discover something like github is modifying the submitted exe files.

The issue was reported on Windows 10/Defender

https://github.com/Max13/Pulse-Qt/releases/download/v1.2.0/Pulse-1.2.1_Win32.exe