mandiant / capa

The FLARE team's open-source tool to identify capabilities in executable files.
Apache License 2.0

capa 7.0.1 for Windows appears to Windows Defender as a trojan. #2025

Closed RionEV closed 4 months ago

RionEV commented 4 months ago

Description

Capa 7.0.1 for Windows appears to be detected by Windows Defender as a trojan, of type Trojan:Win32/Vigorf.A or as Backdoor:Win32/Bladabindi!ml. VirusTotal analysis on the same engine further detects it as Trojan:Win32/Agent!MSR.

Steps to Reproduce

  1. Download Capa 7.0.1 from the Releases page

Expected behavior:

I expect that the .zip archive is not immediately detected as a threat.

Actual behavior:

The .zip archive is immediately detected as a threat, without being run. Confirmed on two different systems.

Versions

Capa 7.0.1

Additional Information

I have searched both open and closed issues for related issues and have seen a similar report already, dated mid-2023. I am making this report as a matter of due diligence regardless of its relevance, and to potentially prompt a quick check to validate that it is still safe, as I have found this tool useful in the past and would like to be sure it is still safe to use.

I would appreciate confirmation as to whether this is a false positive, and how this might have happened. The file was detected as a threat without being run or extracted. Virustotal's behavioural analysis is included here. The full Zenbox report also suggests the presence of an Xmrig miner. https://www.virustotal.com/gui/file/05bac209f50302308e37eb658fe36a40418aa9c37f57d440355706e13cabc43d/behavior

Previous issues have been addressed c/o williballenthin who has indicated that this is potentially the result of sandboxes string-matching the pyinstaller component, but as this matter has been addressed previously and has returned, at the very least it may be worth notifying VT once more to have its status verified so that this does not happen again.

Something I have not seen in previously reported issues is that Zenbox seemingly reports a connection to a "low reputation URL"

http: // crl.us.strtokstrtok_sucrtbase.strtok_sstrxfrmucrtbase.strxfrmtolowerucrtbase.tolowertoupperuc
from-memory reputation: low from: capa.exe, 00000006.00000003.995859026.0000017C1AF21000.00000004.00000020.00020000.00000000.sdmp

Additionally, the report suggests that Capa scrapes FTP Login Data. I cannot begin to speculate on how or why this would be detected, but I would like to raise it to your attention in the event it is something of concern. The former case - the URL - may also be a string-matching issue.

Thank you.

mr-tz commented 4 months ago

I suspect the false positives stem from capa's packaging (via PyInstaller) and/or the embedded rules (containing unusual features such as strings related to the detections you've mentioned).

For what it's worth, the Linux (https://www.virustotal.com/gui/file/ddb02f6cc5001e65dd54670313c4fff8374c1c4fbc69aa270df312618c832c3a) and macOS (https://www.virustotal.com/gui/file/a9d68e26cf7c42dc9bacee34e7f8f0ca9d2b3a75a3edaf77a0e569dcdfd6a918) releases have no malicious detections.
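The mechanism mr-tz describes above (a tool that ships detection rules necessarily contains the very strings a signature scanner looks for) can be shown with a small triage script. This is an added example, not capa's code or a real vendor signature: the signature table, the capa-style rule text, and the byte "image" of a packaged tool are all constructed here, and the rule-region offsets are an assumption an analyst would normally obtain from the packaging layout.

```python
"""Triage a string-signature hit on a packaged analysis tool.

Constructed example: shows why embedding detection rules in a binary trips
naive string matching, and how to check whether each matched string lives
only inside the embedded rule data (false-positive candidate) or also in
code/data outside it. None of the signatures or rules here are real.
"""
import re

# Constructed signature table in the style of a string-based AV check.
SUSPICIOUS_STRINGS = {
    "ftp-credentials": [b"FileZilla", b"recentservers.xml", b"sitemanager.xml"],
    "coin-miner": [b"xmrig", b"stratum+tcp://"],
}

# Constructed rule text mimicking the shape of a capa rule (YAML with a
# 'features' list). It is not a rule from the capa-rules repository.
EMBEDDED_RULE = b"""
rule:
  meta:
    name: gather filezilla information (constructed example)
  features:
    - or:
      - string: "recentservers.xml"
      - string: "sitemanager.xml"
"""


def scan(buf):
    """Return {category: [matched strings]} for every signature hit in buf."""
    hits = {}
    for category, needles in SUSPICIOUS_STRINGS.items():
        found = [n.decode() for n in needles if n in buf]
        if found:
            hits[category] = found
    return hits


def locate(buf, needle):
    """Byte offsets of every occurrence of needle, so the hit can be placed."""
    return [m.start() for m in re.finditer(re.escape(needle), buf)]


def only_inside(buf, needle, region):
    """True if every occurrence of needle lies within region=(start, end)."""
    start, end = region
    return all(start <= off and off + len(needle) <= end for off in locate(buf, needle))


def triage(buf, rule_region):
    """Classify each signature hit by where its matched strings are found.

    'rule-data-only'  : every matched string sits inside the embedded rule blob,
                        i.e. the scanner matched detection content, not behaviour.
    'present-in-code' : at least one matched string also occurs outside the blob
                        and deserves a closer look.
    """
    verdicts = {}
    for category, found in scan(buf).items():
        inside = all(only_inside(buf, s.encode(), rule_region) for s in found)
        verdicts[category] = "rule-data-only" if inside else "present-in-code"
    return verdicts


def build_sample():
    """Constructed 'packaged tool' image: code-like bytes followed by the rule blob,
    roughly how a bundler appends data files to an executable. Returns the image
    and the (start, end) byte range of the embedded rule."""
    code = b"\x55\x48\x89\xe5" + b"print('hello')\x00" * 4
    return code + EMBEDDED_RULE, (len(code), len(code) + len(EMBEDDED_RULE))


if __name__ == "__main__":
    image, region = build_sample()
    print("signature hits:", scan(image))      # ftp-credentials strings match
    print("triage:", triage(image, region))     # ...but only inside the rule data
```

Run against a real package you would replace build_sample() with the actual file bytes and the offset range of the bundled rules; the point of the check is that a hit whose strings occur only inside rule data says nothing about what the tool does when executed.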

RionEV commented 4 months ago

Your response encouraged me to review the Zenbox report again to make absolutely certain I didn't misread it; I was about to say "this doesn't seem to account for the URL", but on review I've realized that the Zenbox report only states that there are URLs stored in the application's data.

The only thing that remains now is the suggestion that FTP credentials are at risk - that one, I don't understand. Would an antivirus engine claim to observe that behaviour if it is only matching PyInstaller's packaging and rules?

mr-tz commented 4 months ago

There are rules to detect the collection of FTP-related information. Looks like that's what is picked up here?

[screenshot attached: 2024-03-11_16-42-34_firefox]

RionEV commented 4 months ago

Right, I must have misunderstood; I thought "Dropped Info" was offloaded to a remote device, not installed locally. Thank you for clarifying the report, I greatly appreciate that.

Not fully sure of this issue tracker's etiquette, so I think it best to allow you or another contributor to close the issue. Thank you again for your assistance.

RionEV commented 4 months ago

Actually, before the issue is closed, is there a false positive reporting process for Windows Defender and the other three engines that can be pursued to prevent this causing trouble for new users, or is this expected enough that it can be put perhaps into an FAQ for the program on this github project?

sasobadovinac commented 4 months ago

I reported this to Microsoft as a false positive on Feb 26 via https://www.microsoft.com/en-us/wdsi/filesubmission and the answer from their analyst was ...

Analyst comments:

We have determined that the files meet our criteria for malware. At this time the detection will remain in place.

More detailed information about the approach and criteria categories currently used by the Microsoft researchers are available here: https://docs.microsoft.com/windows/security/threat-protection/intelligence/criteria

Thank you for contacting Microsoft.

Here also the detection of the exe on VT https://www.virustotal.com/gui/file/9e3383e156bcbb0b845fd2187f9ce585db58ba31d1c5a139d1fa4e9183a5e9de

RionEV commented 4 months ago

Well, at the very least it's good to see that Microsoft is as concerned as ever with upholding their reputation. Whether that's me being complimentary or not shall remain the reader's choice... The Zenbox report for the exposed EXE matches that of the ZIP, with the exception that it reports even more safety-compliant activity than the zip does. Selfish as it might sound, I'm at least satisfied that it's not harmful, and seeing as my principal concern is my workstation, that's all I can really hope for. Many thanks to both of you.

mr-tz commented 4 months ago

Thank you! I've also created an issue to add notes on this to our documentation for future reference.