marchaesen / vcxsrv

Windows X-server based on the xorg git sources (like xming or cygwin's xwin), but compiled with Visual Studio 2012 Community Edition.
GNU General Public License v3.0
362 stars, 15 forks

xkbcomp.exe Trojan Alert #26

Status: Open. FlyinFistOfJuda opened 1 month ago

FlyinFistOfJuda commented 1 month ago

Hello,

I updated VcXsrv via winget from the following source to 1.20.14.0:

Name    ID            Version    Source
VcXsrv  marha.VcXsrv  1.20.14.0  winget

Defender blocked xkbcomp.exe as a Trojan and blacklisted the binary. Detailed report from virustotal.com: https://www.virustotal.com/gui/file/5e76de6e07913392c7f5d20a0b63305744c784bf1743a2b1c36e5dc9a7ba35e9/detection

Is this a false positive?

Best Regards.

EnriqueSLHC commented 1 month ago

I got it also.

[image attachment]

However, I was able to get the debug version.

JeffsRealm commented 3 weeks ago

Adding to this, this is now being flagged by multiple antivirus vendors as malicious: Defender, Avast, etc.

JeffsRealm commented 3 weeks ago

So I submitted it for deep analysis as to why this is getting flagged. Somewhere packed inside is a file, either created when run or found inside, named nshB884.tmp, which has no hash signature, or the hash for the file is off or unretrievable.

The file has a signature close to a virus; they are suspecting it is because it cannot be verified. And it is doing some sketchy behavior: querying a whole lot of system environment variables from the registry. It's fine if they need them, but some of these I even question: why does this need them?

Some of those are grabbing the computer name, not sure why the app needs that; then it is grabbing a whole bunch of File Explorer settings, which are also sketchy: it wants to know if files are hidden, if super-hidden is enabled, if showing the internet connection is enabled, and so on. So yeah, that's what's going on and why it is flagged.

--

In short, there is a packed file inside; when run, it becomes some temp file that's trying to execute. The file is unsigned or the signature is corrupt, and then this file is querying a whole bunch of computer settings and policy settings about the computer name and how Explorer is set to hide various things. It doesn't have this as a virus per se, but as highly suspicious activity. Again, when I ran it for deep analysis I sat there going, why does this app need to know how certain files are hidden and set to hide, or where users might redirect certain personal directories? Let the OS handle it; that's what it is there for. You shouldn't be handling that in your code.

I have kind of been watching to make sure we do not have anything going on, but over the weekend I have seen Avast, McAfee, Defender, and Symantec flag this file as a virus; some have let it go, but others still aren't sure. I believe this is a false positive, but I'm still not letting it run in my org. It's kind of sketchy to me why it needs to query 40 different security policy settings in Explorer. I do not see it trying to set them or report them or anything like that, nor do any of my analytics show this writing files using any evasion, but it could be, and these settings are used by malware for evasion techniques.

My guess is that somewhere some code was grabbed or included in this repo that does this, and none of this is really needed, or they only needed one or two things but the code gets a whole lot more. Then some virus/malware writer somewhere grabbed the same chunk of open-sourced code. Given that this is unsigned and has the same code signature for this behavior as some virus, it is getting caught up. It could even be that some malware came and stole a chunk of code from this repo that is getting all these security policy settings and put it in a virus or malware. That's as much as I can piece together.

The specific product it is flagging is:

Product: VcXsrv
Description: VcXsrv windows xserver
MD5: e1c6b939bda5129726d08760944d2060
SHA-1: 6fe7399641d18acfb5b6f2a282c156e8293a5d7a
SHA-256: deca7bf4bc321cdb955efb143ad131913ae30df55cac4318d85bc0d6b11aadfd
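The two concrete, reproducible facts in this thread are the hashes quoted for the flagged binary and the claim that it is unsigned. The PowerShell below is an added example, not code from the VcXsrv project or from any commenter: it hashes a local copy of the file, compares the digests against the values quoted in this thread (the SHA-256 from the VirusTotal link above and the MD5/SHA-1/SHA-256 triple just listed), and reports the Authenticode status. The file path is an assumption; point it at whatever Defender quarantined or flagged on your machine.

```powershell
# Added example (not from the VcXsrv project): compare a local binary against the
# hashes quoted in this issue and report its Authenticode signature status.
# The default path is an assumption; override it with -Path.
param(
    [string]$Path = "$env:ProgramFiles\VcXsrv\xkbcomp.exe"
)

# Hash values copied from this issue thread (VirusTotal link + the product hash list).
$Known = @{
    'MD5'    = @('e1c6b939bda5129726d08760944d2060')
    'SHA1'   = @('6fe7399641d18acfb5b6f2a282c156e8293a5d7a')
    'SHA256' = @(
        'deca7bf4bc321cdb955efb143ad131913ae30df55cac4318d85bc0d6b11aadfd',
        '5e76de6e07913392c7f5d20a0b63305744c784bf1743a2b1c36e5dc9a7ba35e9'
    )
}

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path"
}

# Compute each digest and say whether it matches something quoted in the thread.
# A match tells you that you are looking at the same bytes the reporters saw;
# a mismatch means you have a different build and their findings may not apply.
foreach ($algo in 'MD5', 'SHA1', 'SHA256') {
    $digest = (Get-FileHash -LiteralPath $Path -Algorithm $algo).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Algorithm     = $algo
        Hash          = $digest
        MatchesThread = ($Known[$algo] -contains $digest)
    }
}

# Authenticode status. 'NotSigned' is consistent with the unsigned-file observation
# above; 'Valid' would give you a publisher to pin future downloads against.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
[pscustomobject]@{
    Status = $sig.Status
    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
}
```

Run it from a normal PowerShell prompt (no elevation needed). Keep the output alongside any vendor submission: matching hashes plus a signature status make a false-positive report far easier for a vendor to act on than a screenshot of the detection alone.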

DakotaNelson commented 3 weeks ago

FWIW the VirusTotal sandboxes are failing because they don't have libx11.dll installed, so there really isn't much signal there.

As far as network connections go, it looks like only Microsoft/OCSP and NBNS, both of which make sense, at least in the limited analysis VT can provide.

tl;dr: this is probably a false positive, but I'm concluding that based on a lack of information, because VirusTotal really doesn't have much of anything to go on here.

A423630 commented 2 weeks ago

Any workaround while the issue is fixed?

golfromeo-fr commented 2 hours ago

I would suggest adding a link to this issue to the Releases section so no one reports this as shady to GitHub. I can't download any version from the GitHub link, either the February or the May release, or with the scoop tool. Windows Defender rejects it as a virus. I really hope you can fix the issue for the next release :-)