lalbornoz / PuTTie

PuTTie loves you 💚

Windows Defender flagging pscp.exe as a virus now... #5

Closed gtwy closed 11 months ago

gtwy commented 1 year ago

It's quarantining it for this reason. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Script/Wacatac.H!ml

Not sure what it means. Is it a false positive?

lalbornoz commented 1 year ago

Yeah, that's a false positive. The "ml" stands for machine learning I think?

SanderGit commented 1 year ago

pageant.exe is now flagged with Wacatac.B!ml

I can no longer run this on my work laptop. Could you please submit your files beforehand to prevent this from happening in the future?

Additionally pageant.exe seems to be contacting an IP address with reputation issues:

https://www.virustotal.com/gui/file/98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1/behavior https://www.virustotal.com/gui/ip-address/23.216.147.64

gtwy commented 1 year ago

I find it pretty odd if it is communicating with any IP addresses. I did a packet capture and could not replicate this, though. At least not with that IP address.

[attached image]

lalbornoz commented 1 year ago

> pageant.exe is now flagged with Wacatac.B!ml
>
> I can no longer run this on my work laptop. Could you please submit your files beforehand to prevent this from happening in the future?

I've submitted both the file- and the Registry-based pageant.exe and putty.exe releases.

> Additionally pageant.exe seems to be contacting an IP address with reputation issues:
>
> https://www.virustotal.com/gui/file/98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1/behavior https://www.virustotal.com/gui/ip-address/23.216.147.64

That's definitely incorrect, as is much of the other information on that site concerning pageant.exe, e.g. "Keylogging T1056.001 log keystrokes via polling", etc. Neither the PuTTY upstream nor my own code in Pageant contacts any such IP address or even any host at all except for those explicitly specified by the user.
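
Two checks a practitioner would run before accepting or rejecting the VirusTotal behaviour report quoted above, as an added PowerShell example that is neither PuTTie's code nor posted by anyone in this thread: first, that the local pageant.exe has the same SHA-256 as the VirusTotal sample (the hash in the URL), since a sandbox report about a different binary says nothing about the one on disk; second, what Defender recorded for the file and whether the running process opens any TCP connection at all, in particular to 23.216.147.64. The path in $Exe, the 60-second observation window and the assumption that Defender is the active AV are mine, not the page's.

```powershell
# Added example, not part of PuTTie or of this issue thread.
# Assumptions: the release pageant.exe is at $Exe and Windows Defender is the
# active AV. Run in an elevated PowerShell on Windows 10/11.
param(
    [string]$Exe = "$PWD\pageant.exe",   # assumed location of the release binary
    [int]$Seconds = 60                    # assumed length of the observation window
)

# Hash from the VirusTotal file URL in the thread and the IP its report flagged.
$VtSha256  = '98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1'
$FlaggedIp = '23.216.147.64'

# 1. Is the local file the sample VirusTotal analysed? If the hashes differ, the
#    behaviour report (network contact, "keylogging") describes another binary.
$local = (Get-FileHash -Path $Exe -Algorithm SHA256).Hash.ToLower()
if ($local -eq $VtSha256) {
    Write-Host "Local file matches the VirusTotal sample ($local)"
} else {
    Write-Warning "Local SHA-256 $local differs from VirusTotal sample $VtSha256; the report is not about this file"
}

# 2. What Defender actually reported for this file (e.g. Trojan:Script/Wacatac.B!ml).
Get-MpThreat |
    Where-Object { $_.Resources -match [regex]::Escape((Split-Path $Exe -Leaf)) } |
    Select-Object ThreatName, SeverityID, IsActive, Resources

# 3. Watch the running process for outbound TCP connections. Pageant is a tray agent
#    and should open none on its own; anything listed here deserves a packet capture.
$proc     = Start-Process -FilePath $Exe -PassThru
$seen     = @{}
$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline -and -not $proc.HasExited) {
    Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
        ForEach-Object {
            $key = "$($_.RemoteAddress):$($_.RemotePort)"
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $_.State
                Write-Host "pageant.exe -> $key ($($_.State))"
            }
        }
    Start-Sleep -Milliseconds 500
}
Stop-Process -Id $proc.Id -ErrorAction SilentlyContinue

if ($seen.Count -eq 0) {
    Write-Host "No remote TCP connections from pageant.exe within $Seconds s"
}
if ($seen.Keys | Where-Object { $_ -like "${FlaggedIp}:*" }) {
    Write-Warning "Contact with $FlaggedIp reproduced; confirm with pktmon or Wireshark before drawing conclusions"
}
```

Get-NetTCPConnection only shows sockets that exist at the moment of each poll, so a very short-lived connection can slip between samples; the loop narrows the question, and a packet capture filtered on the process (as gtwy did) settles it. A matching hash plus an empty connection list is the evidence to attach when submitting the file to Microsoft as a false positive.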

gtwy commented 1 year ago

Note that the newest putty.exe that fixes the crashing issue isn't in the latest release yet

lalbornoz commented 1 year ago

It is (or should be) actually:

https://github.com/lalbornoz/PuTTie/releases/tag/PuTTie-file-Release-1bfd0b26 https://github.com/lalbornoz/PuTTie/releases/tag/PuTTie-registry-Release-1bfd0b26