Closed Chouffy closed 2 years ago
VirusTotal gives a clean result: https://www.virustotal.com/gui/file/cdb20d0e9e626ea1989bf688578ac8325662fde6a7d57c7367a0c6ee24bc631a?nocache=1
I just submitted the sample to Microsoft using this link, let's see what happens
The detection has been removed, see this answer from Microsoft:
We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"
Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
Thank you for contacting Microsoft.
Thanks! Not sure why this false positive was given. Happy that it has been corrected.
Got another report today by someone who had the same message. Could be outdated definitions of Windows Defender. Is anyone else experiencing this issue?
I just submitted the sample to Microsoft just like Chouffy did before. Keep you posted.
I did a manual update and then scan of the addon, nothing comes up.
My security intelligence version is 1.353.2267.0
instrumentapowerpointtoolbar.pptm
Submission ID: xx
Status: Completed
Submitted by: xx
Submitted: Dec 7, 2021 21:30:42
User Opinion: Incorrect detection
Analyst comments:
At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"
Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
instrumentapowerpointtoolbar.ppam
Submission ID: xx
Status: Completed
Submitted by: xx
Submitted: Dec 7, 2021 21:16:41
User Opinion: Incorrect detection
Analyst comments:
At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"
Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
Another false positive. Closing this issue.
Now the new version is also reported as Script/Sabsik.TE.A!ml and Script/Wacatac.B!ml.
Reported as clean by VirusTotal: https://www.virustotal.com/gui/file/ff838cd6ee93a180808bed082c5a5bcb866bec6038b4c35b0db1c43338bf2c95?nocache=1
Again submitted the sample to Microsoft. Let's wait and see what comes out of it.
instrumentapowerpointtoolbar.ppam
Submission ID: xx
Status: Completed
Submitted by: xx
Submitted: Dec 8, 2021 10:53:17
User Opinion: Incorrect detection
Analyst comments:
At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"
Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
(Updated, as status is now completed)
False positive seems to be solved with security intelligence version: 1.353.2287.0
Keeping this open in case any new reports.
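Added example, not part of the thread or of Microsoft's reply: a PowerShell sketch that runs the cache-clear and update steps quoted above, compares the installed security intelligence version with the 1.353.2287.0 reported in this thread, and rescans the add-in without letting Defender delete it. The `-AddinPath` and `-FixedVersion` parameter names are assumptions of this example; run it from an elevated session.

```powershell
param(
    # Full path to the add-in file to re-check (assumption: supplied by the caller).
    [Parameter(Mandatory = $true)][string]$AddinPath,
    # Security intelligence version reported in this thread as no longer flagging the file.
    [version]$FixedVersion = '1.353.2287.0'
)

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }

# A missing file usually means Defender already quarantined it; restore it first.
if (-not (Test-Path $AddinPath)) { throw "Add-in not found (quarantined?): $AddinPath" }

# Steps 2 and 3 from Microsoft's reply: drop cached dynamic signatures, then update.
& $mpCmdRun -RemoveDefinitions -DynamicSignatures
if ($LASTEXITCODE -ne 0) { Write-Warning "RemoveDefinitions exited with $LASTEXITCODE" }
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { Write-Warning "SignatureUpdate exited with $LASTEXITCODE" }

# Confirm the update actually landed before trusting the rescan result.
$current = [version](Get-MpComputerStatus).AntivirusSignatureVersion
if ($current -lt $FixedVersion) {
    Write-Warning "Security intelligence $current is older than $FixedVersion"
} else {
    Write-Host "Security intelligence $current (>= $FixedVersion)"
}

# Custom scan of the single file; -DisableRemediation reports without deleting it.
& $mpCmdRun -Scan -ScanType 3 -File $AddinPath -DisableRemediation
switch ($LASTEXITCODE) {
    0       { Write-Host "No detection for $AddinPath" }
    2       { Write-Warning "Still detected: resubmit the sample to Microsoft" }
    default { Write-Warning "Scan exited with unexpected code $LASTEXITCODE" }
}
```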
@iappyx it's funny because Microsoft's message is a bit different from the first time:
We have removed the detection. ...
-> suggesting they did something at the beginning
At this time, the submitted files do not meet our criteria ...
-> suggesting that they did nothing
Where did you get those reports? From users or yourself?
I got one report from someone I know. And then I also experienced it on my private development machine and on my work laptop. Windows Defender actually deleted some of my beta versions, had to revert to a backup, nothing lost ;-)
At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed.
Unclear messages indeed. They still say they have removed the detection, but they keep it open that they could flag it again in the future?
I've also sent them an e-mail asking what piece of the code triggers this false positive.
No more false positive detections found. Closing this for now.
@iappyx I'm getting the same with some Excel macro software I've made: https://github.com/sancarn/stdVBA/issues/75
Wondering where you report these false positives to? Is there a link to submit false positives to microsoft?
Yes - please check post 3 in this thread :)
Indeed that's the one. Have used this for every major release since.
Describe the bug: When launching PowerPoint, Windows Security blocks the load of Instrumenta due to a detected "Trojan". PowerPoint throws an error "Sorry, for some reason PowerPoint couldn't load the InstrumentaPowerpointToolbar add-in.".
Expected behavior: No error, Instrumenta loads like yesterday (14 October 2021).