iappyx / Instrumenta

Free and open source consulting-style Powerpoint toolbar
MIT License

False positive Windows Security reports for Instrumenta #14

Closed Chouffy closed 2 years ago

Chouffy commented 2 years ago

Describe the bug: When launching PowerPoint, Windows Security blocks loading Instrumenta due to a detected "Trojan". PowerPoint throws the error "Sorry, for some reason PowerPoint couldn't load the InstrumentaPowerpointToolbar add-in."

To Reproduce: Steps to reproduce the behavior:

  1. Have Instrumenta as a PowerPoint Add-Ins
  2. Start PowerPoint

Expected behavior: No error; Instrumenta loads as it did yesterday (14 October 2021).

Screenshots: PowerPoint error dialog and Windows Security detection (images not reproduced here).

Chouffy commented 2 years ago

VirusTotal gives a clean result: https://www.virustotal.com/gui/file/cdb20d0e9e626ea1989bf688578ac8325662fde6a7d57c7367a0c6ee24bc631a?nocache=1

Chouffy commented 2 years ago

I just submitted the sample to Microsoft using this link; let's see what happens.

Chouffy commented 2 years ago

The detection has been removed, see this answer from Microsoft:

We have removed the detection.  Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

Thank you for contacting Microsoft.

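
The three MpCmdRun.exe steps in Microsoft's reply, written up as a PowerShell script that also verifies the outcome. This is an example added to this page; it is not Microsoft's text, nor code from the Instrumenta project. It assumes the add-in lives under the user's Microsoft\AddIns folder (adjust `$AddInPath`) and takes the expected SHA-256 from the VirusTotal link in the first comment; the MpCmdRun.exe path is the one Microsoft quoted. Two caveats worth knowing: `-RemoveDefinitions -DynamicSignatures` only discards the cached dynamically delivered signatures, not the full engine definitions, so the following `-SignatureUpdate` is what actually brings the withdrawn detection's replacement down; and names ending in `!ml` (such as Script/Sabsik.TE.A!ml later in this thread) are machine-learning verdicts, which is why a clean VirusTotal result and a local block can coexist until the cached verdict is refreshed.

```powershell
#Requires -RunAsAdministrator
# Added example, not from Microsoft's reply or the Instrumenta project.
# Runs the three MpCmdRun.exe steps from the thread and then verifies the
# result: signature version, file hash, an on-demand scan of the add-in,
# and any detection or quarantine record for it.
param(
    # Assumed location of the add-in; adjust to where PowerPoint loads it from.
    [string]$AddInPath = "$env:APPDATA\Microsoft\AddIns\instrumentapowerpointtoolbar.ppam",
    # SHA-256 taken from the VirusTotal link in the first comment (the file
    # that was flagged); use the hash of the build you actually installed.
    [string]$ExpectedSha256 = 'cdb20d0e9e626ea1989bf688578ac8325662fde6a7d57c7367a0c6ee24bc631a'
)

$ErrorActionPreference = 'Stop'

# Path quoted in Microsoft's reply. Newer Defender platform builds also carry a
# copy under $env:ProgramData\Microsoft\Windows Defender\Platform\<version>\.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# Thread steps 1+2: drop the cached dynamic signatures that still carry the
# withdrawn detection.
& $mpCmdRun -RemoveDefinitions -DynamicSignatures
if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }

# Thread step 3: pull the current security intelligence update.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed with exit code $LASTEXITCODE" }

# Check 1: which security intelligence version is now active. In the thread the
# detection was gone at 1.353.2267.0 (Chouffy) and 1.353.2287.0 (iappyx).
$status = Get-MpComputerStatus
"Security intelligence version: $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"

# Check 2: confirm the file on disk is the build that VirusTotal rated clean,
# so a later "still flagged" report is not about a different file.
$actualSha256 = (Get-FileHash -Algorithm SHA256 -Path $AddInPath).Hash
if ($actualSha256 -ine $ExpectedSha256) {
    Write-Warning "Hash mismatch: on disk $actualSha256, expected $ExpectedSha256"
} else {
    "SHA-256 matches the submitted sample."
}

# Check 3: scan just the add-in with the freshly downloaded definitions.
Start-MpScan -ScanType CustomScan -ScanPath $AddInPath

# Check 4: list detection-history entries naming this file, resolving the
# numeric ThreatID to its name (e.g. Script/Sabsik.TE.A!ml).
$leaf = Split-Path $AddInPath -Leaf
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -like "*$leaf*" } |
    ForEach-Object {
        '{0}  {1}  {2}' -f $_.InitialDetectionTime, $threatNames[$_.ThreatID], ($_.Resources -join ';')
    }

# Check 5: if Defender already removed the file (later in the thread iappyx
# lost beta builds this way), it may still sit in quarantine; list it so it
# can be restored with "MpCmdRun.exe -Restore -Name <threat name>".
& $mpCmdRun -Restore -ListAll
```

Run it from an elevated PowerShell after the add-in has been blocked. If check 3 still raises a detection after the update, the local verdict has not been refreshed yet or the file is a different build than the one Microsoft cleared; in either case the next step is the same one the thread follows, a new sample submission to Microsoft.
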
iappyx commented 2 years ago

Thanks! Not sure why this false positive was given. Happy that it has been corrected.

iappyx commented 2 years ago

Got another report today from someone who had the same message. Could be outdated definitions in Windows Defender. Does anyone else experience this issue?

iappyx commented 2 years ago

Both release and beta report as clean:

https://www.virustotal.com/gui/url/745bf4e96def479c51d8e00c815ff32a23ec66371d27f6fd8b2dcb61319a4723?nocache=1
https://www.virustotal.com/gui/url/81bd4c98848061d5eb8838e7667c38329730bc1e38ebed387defc5fbf3f72d48?nocache=1

iappyx commented 2 years ago

I just submitted the sample to Microsoft, just like Chouffy did before. I'll keep you posted.

Chouffy commented 2 years ago

I did a manual update and then a scan of the add-on; nothing comes up. My security intelligence version is 1.353.2267.0.

iappyx commented 2 years ago

instrumentapowerpointtoolbar.pptm

Submission ID: xx

Status: Completed

Submitted by: xx

Submitted: Dec 7, 2021 21:30:42

User Opinion: Incorrect detection

Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

iappyx commented 2 years ago

instrumentapowerpointtoolbar.ppam

Submission ID: xx

Status: Completed

Submitted by: xx

Submitted: Dec 7, 2021 21:16:41

User Opinion: Incorrect detection

Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

iappyx commented 2 years ago

Another false positive. Closing this issue.

iappyx commented 2 years ago

Now the new version is also reported as Script/Sabsik.TE.A!ml and Script/Wacatac.B!ml.

Reported as clean by VirusTotal: https://www.virustotal.com/gui/file/ff838cd6ee93a180808bed082c5a5bcb866bec6038b4c35b0db1c43338bf2c95?nocache=1

Again submitted the sample to Microsoft. Let's wait and see what comes out of it.

iappyx commented 2 years ago

instrumentapowerpointtoolbar.ppam

Submission ID: xx

Status: Completed

Submitted by: xx

Submitted: Dec 8, 2021 10:53:17

User Opinion: Incorrect detection

Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus

(Updated, as status is now completed)

iappyx commented 2 years ago

The false positive seems to be solved with security intelligence version 1.353.2287.0.

Keeping this open in case of any new reports.

Chouffy commented 2 years ago

@iappyx it's funny because Microsoft's message is a bit different from the first time:

Where did you get those reports? From users or yourself?

iappyx commented 2 years ago

I got one report from someone I know. And then I also experienced it on my private development machine and on my work laptop. Windows Defender actually deleted some of my beta versions, had to revert to a backup, nothing lost ;-)

> At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed.

Unclear messages indeed. They still say they have removed the detection, but they leave it open that they could flag it again in the future?

I've also sent them an e-mail asking what piece of the code triggers this false positive.

iappyx commented 2 years ago

No more false positive detections found. Closing this for now.

sancarn commented 1 year ago

@iappyx I'm getting the same with some Excel macro software I've made: https://github.com/sancarn/stdVBA/issues/75

Wondering where you report these false positives to? Is there a link to submit false positives to microsoft?

Chouffy commented 1 year ago

> @iappyx I'm getting the same with some Excel macro software I've made: sancarn/stdVBA#75
>
> Wondering where you report these false positives to? Is there a link to submit false positives to microsoft?

Yes - please check post 3 in this thread :)

iappyx commented 1 year ago

Indeed that's the one. Have used this for every major release since.