evil-mad / axidraw

Software for the AxiDraw drawing machine
GNU General Public License v2.0

Windows firmware updater triggers false positives with malware detection programs. #76

Open miweber67 opened 4 years ago

miweber67 commented 4 years ago

The Windows EiBotBoard firmware 265 updater may be compromised. Windows 10 quarantined it. 19 engines on VirusTotal flag it.

https://www.virustotal.com/gui/file/2d12b865afcddf340d821636dc9b84e4a73b67d61fb71f5fe3c610d246d6541d/detection

If this is expected behavior, perhaps add something to the wiki pages that point at the file to notify users? https://wiki.evilmadscientist.com/Updating_EBB_firmware#Updater_applications_for_Mac_and_Windows

oskay commented 4 years ago

No, that's just the standard "we don't know what this is" flags.

oskay commented 4 years ago

The application wrapper is written in Thinbasic, which several packages have (mostly recently) decided is "suspicious." If you look at any of the actual flags from virustotal, it will say "we don't know what this is, but it might be a trojan." More info https://www.thinbasic.com/community/showthread.php?12954.

However, if you don't trust the updater, that's okay -- no one is forcing you to run it.

(1) There's a separate manual update process available.

And

(2) In most cases (if you have firmware newer than 2.4.6 and are using existing software to drive the machine) an update isn't actually necessary.

EmbeddedMan commented 4 years ago

Short answer: it's a false positive, and there's a workaround (use the command line updater directly rather than the GUI - see the section called "Manual updating with mphidflash" here: https://wiki.evilmadscientist.com/Updating_EBB_firmware)

Long answer: The tool we used to write the GUI wrapper for the command line updater tool on Windows (Thin Basic) is not a threat, but to much anti-virus software it does things that are similar in nature to threats. The main thing it does is it 'self-extracts'. When you double click on the .exe, there is a small un-zip application that runs, that takes the rest of the .exe (the archive part) and unzips it into several files, one of which is the interpreter that runs the extracted script. So it's an interpreted language that wraps itself up as an executable. There's nothing inherently wrong with that behavior, but it's also what some viruses do, and so the anti-virus software will flag that behavior as a trojan. I work at a mid-size medical device company, and have written many critical manufacturing tools in Thin Basic, and I've had some in-depth discussions with our IT group about Thin Basic because it's continually tripping their anti-virus monitors. (They use Cisco-AMP.) I've worked closely with Thin Basic's author (who is absolutely fantastic BTW) to minimize the chance of a false positive as much as possible, but he's not willing to go so far as to build a signing tool into the Thin Basic IDE that would allow us to attach actual signatures to the .exe (I'm not familiar with the exact process so I'm probably getting the terms wrong) that is created when you bundle up the final .exe (like you can when you create a .exe with Visual Studio).

Is there a chance that the threat is real, because the .exe has become infected somehow (after I created it, or even on my machine as it was being created)? Sure. There's always the chance. So be careful, and if you have any doubt, use the manual method (which doesn't use any behaviors that are suspect). But I know there have been tons of people who have used those exact executables many times (myself included when testing on various machines for each updater version) without issue.

miweber67 commented 4 years ago

@EmbeddedMan thanks for the detailed writeup. I completely understand the problem now that you have described it. Normally I would second-guess the Windows quarantine for something like this, but a 25% hit rate on VirusTotal was enough to give me pause. May I suggest that we copy/paste some portion of your description above into the "Updating EiBotBoard Firmware" page to deflect future concerns? I see the wiki has already been cleaned of the warning I added; sorry if that was an over-reaction. Also, posting a SHA hash of the installer would allow folks to confirm that the installer had not been tampered with after you posted it.

I did submit the installer to the Windows Defender site for analysis, so hopefully they will flag it as a false positive in future "Security intelligence" updates.

My EBB is running firmware 2.0.1, and I was hoping to build a coreXY sort of arrangement for a tablet-tapping project I have in mind, so I do need to update the firmware.

Thanks again!
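The hash check suggested in the comment above, as an added example that is not part of the thread or the AxiDraw project's code: it hashes a downloaded installer in chunks, compares the digest against a published SHA-256 in constant time, and builds the VirusTotal lookup URL for the file actually on disk (the file id in the VirusTotal URL quoted in the issue is the file's SHA-256, which is the published value assumed here). The sample file is a constructed stand-in, not the real updater.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 taken from the VirusTotal URL quoted in this issue; assumed here to be
# the digest the maintainers would publish for the updater.
PUBLISHED_SHA256 = "2d12b865afcddf340d821636dc9b84e4a73b67d61fb71f5fe3c610d246d6541d"
VT_FILE_URL = "https://www.virustotal.com/gui/file/{digest}/detection"


def sha256_of_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(actual, expected):
    """Constant-time comparison; tolerates case and whitespace in the published value."""
    return hmac.compare_digest(actual.lower().encode(), expected.strip().lower().encode())


def verify_download(path, expected_sha256):
    """Return (matches, actual_digest, lookup_url) for the file at path.

    The URL is built from the digest of the file that was really downloaded, so a
    tampered copy leads to its own VirusTotal report rather than the published one.
    """
    actual = sha256_of_file(path)
    return verify_digest(actual, expected_sha256), actual, VT_FILE_URL.format(digest=actual)


def demo():
    """Constructed stand-in for the installer written to a temp file (not the real .exe)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "EBB_updater_constructed.exe")
        with open(path, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not the real updater")
        return verify_download(path, PUBLISHED_SHA256)


if __name__ == "__main__":
    matches, digest, url = demo()
    print("matches published digest:", matches)
    print("actual sha256:", digest)
    print("look up this exact file at:", url)
```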

miweber67 commented 4 years ago

@oskay , I did look at the VT page, and of the 20 detections, many did not look like "we do not know what this is" classifications. Agree there is some variance in the ML confidence engine matches, but it's not uncommon for different engines to detect or miss things in different ways. Am I not seeing the description you are talking about?

miweber67 commented 4 years ago

Good news: Windows 10 false alarm removed:

https://www.microsoft.com/en-us/wdsi/submission/96f89c75-170a-4907-8715-658a183167ba

Thanks guys for a fantastic product, BTW. My upgrade to 2.6.5 went without a hitch. :-)

oskay commented 4 years ago

@miweber67 You are not the first to report this, and we've been through this kind of thing (with installers for other things) on a regular basis for years.

Every single one of those flags is a generic "we think this is suspicious" flag. Zero of them are "we see known malware" or "we confirm the presence of something destructive." (Dig down into any of them, if you like.)

If you try the virustotal scan with a piece of actual malware, you should see an overwhelming majority of the scans turn up something. Knowing something about what those flags say, plus the fact that only 20/72 of them flag it -- and that Avast, Symantec, Kaspersky, Fortinet, and other major brand names deem it clear -- are all signs to me that I personally should trust software with that report.

My best guess is that some piece of malware has recently become present that uses similar behavior to our installer (which has been largely unchanged for years), and so the behavior of our installer is suddenly deemed suspicious. Not fun.