Closed. gtwy closed this issue 11 months ago.
Yeah, that's a false positive. The "ml" stands for machine learning I think?
pageant.exe is now flagged with Wacatac.B!ml
I can no longer run this on my work laptop. Could you please submit your files beforehand to avoid this from happening in the future?
Additionally pageant.exe seems to be contacting an IP address with reputation issues:
https://www.virustotal.com/gui/file/98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1/behavior
https://www.virustotal.com/gui/ip-address/23.216.147.64
I find it pretty odd if it is communicating with any IP addresses. I did a packet capture and could not replicate this, though. At least not with that IP address.
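As an added example (not code from this thread, from PuTTY, or from this project), the following PowerShell checks the points raised in the comment above on the local machine: whether the pageant.exe on disk is even the same build VirusTotal analysed (the SHA256 and IP are taken from the two VirusTotal URLs quoted above), what Defender actually recorded about it, and whether a running pageant.exe owns any TCP connection at all. The file path is an assumption; substitute your own.

```powershell
# Added example, not from the thread or the project. Run in an elevated PowerShell
# on the machine where Defender flagged the file; the Defender cmdlets need the
# built-in Defender module, the rest is standard Windows PowerShell.
$PageantPath  = 'C:\Tools\pageant.exe'   # assumption: path of your copy
$VtReportHash = '98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1'  # from the VirusTotal file URL above
$SuspectIp    = '23.216.147.64'          # from the VirusTotal ip-address URL above

# 1. Is the local file the build that the VirusTotal report describes?
$local = (Get-FileHash -Algorithm SHA256 -Path $PageantPath).Hash.ToLower()
if ($local -eq $VtReportHash) {
    "SHA256 matches the VirusTotal report"
} else {
    "Local file is a different build: $local (report: $VtReportHash)"
}

# 2. Authenticode status: an unsigned binary gets no reputation credit from Defender
Get-AuthenticodeSignature -FilePath $PageantPath | Select-Object Status, SignerCertificate

# 3. What Defender recorded: the detection entries that name pageant.exe,
#    and the threat catalogue entries whose name contains "Wacatac"
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'pageant\.exe' } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Wacatac*' } |
    Select-Object ThreatID, ThreatName, SeverityID

# 4. Does a running pageant.exe own any TCP connection? Re-run this section a few
#    times while actually using Pageant; it is a point-in-time snapshot, not a capture.
$procs = Get-Process -Name pageant -ErrorAction SilentlyContinue
if (-not $procs) { "pageant.exe is not running; start it and re-run section 4" }
foreach ($p in $procs) {
    $conns = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue
    if (-not $conns) { "PID $($p.Id): no TCP connections" }
    foreach ($c in $conns) {
        $note = if ($c.RemoteAddress -eq $SuspectIp) { '  <-- matches the VirusTotal IP' } else { '' }
        "PID $($p.Id): $($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort) [$($c.State)]$note"
    }
}
```

Section 4 is weaker than the packet capture the commenter did, since a short-lived connection can close between two snapshots; it is a quick first check, and a capture filtered on the process or on the IP is the thing to rely on. Section 3 is the part worth attaching to a false-positive submission, because it shows the exact threat name Defender used rather than the name shown in a third-party report.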
> pageant.exe is now flagged with Wacatac.B!ml
> I can no longer run this on my work laptop. Could you please submit your files beforehand to avoid this from happening in the future?
I've submitted both the file- and the Registry-based pageant.exe and putty.exe releases.
> Additionally pageant.exe seems to be contacting an IP address with reputation issues:
> https://www.virustotal.com/gui/file/98b1126c6cbf6b007afedc35bf30bebe72e557d7af419bec2a7b8aafe15715d1/behavior
> https://www.virustotal.com/gui/ip-address/23.216.147.64
That's definitely incorrect, as is much of the other information on that site concerning pageant.exe, e.g. "Keylogging T1056.001 log keystrokes via polling", etc. Neither the PuTTY upstream nor my own code in Pageant contacts any such IP address or even any host at all except for those explicitly specified by the user.
Note that the newest putty.exe that fixes the crashing issue isn't in the latest release yet.
It's quarantining it for this reason. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Script/Wacatac.H!ml
Not sure what it means. Is it a false positive?