jonathanlinat / quake-leveldesign-starterkit

A starter kit to consolidate various tools and resources into one comprehensive package, facilitating the quick and easy creation of Quake and GoldSrc engine-based maps with just a few clicks.
https://github.com/jonathanlinat/quake-leveldesign-starterkit/wiki
Creative Commons Zero v1.0 Universal

Defender goes nuts on 202231225 compile #9

Closed jkr4m3r closed 8 months ago

jkr4m3r commented 8 months ago

Doesn't look good at Virustotal either. What's going on?

jonathanlinat commented 8 months ago

Hello @jkr4m3r!

Thanks for bringing this to my attention.

I've looked into the two most recent Windows builds (20231221 & 20231225), and indeed, VirusTotal has identified some potential threats.

Currently, I'm not sure what's causing this issue, especially since QLSDK's build process is exactly the same as the one used by the tools themselves.

I'm going to investigate it further and hope to update you soon with a potential solution.

Could you please share the log file from Windows Defender or a similar tool? It would help me identify which binaries or tools are affected, as I am not a Windows user. I'll probably have to set up a Virtual Machine to conduct my tests.

jkr4m3r commented 8 months ago

deflog.txt

Snippets from Defender log attached.

jonathanlinat commented 8 months ago

I've just initiated a new release (20231230).

You can download the individual binaries from this link: https://github.com/jonathanlinat/quake-leveldesign-starterkit/actions/runs/7317584502


I submitted each of them to VirusTotal, and here are their respective results:

Based on your report and VirusTotal, it appears that quake-cli-tools is the set of binaries triggering the Windows Defender alert.

Interestingly, someone also mentioned the same issue with this tool on Reddit a few days ago.

I will keep investigating this matter and contact Joshua.

jonathanlinat commented 8 months ago

@jkr4m3r

After looking into the matter, I suggest adding these binaries to the Windows Defender exclusions list. This approach is common for new executables and should eventually prevent them from being flagged by the system and being deleted.

One of the possible improvements I can make in the near future is to digitally sign the recently built binaries before releasing them: https://cheapsslsecurity.com/blog/code-signing-101-how-to-sign-an-exe-or-application/


jonathanlinat commented 8 months ago

Another possible alternative would be to use cx_Freeze instead of PyInstaller to compile quake-cli-tools.