mhammond / pywin32

Python for Windows (pywin32) Extensions

win32crypt.pyd => Trojan: Artemis!5390ADE0ED54 #2076

Closed xiaoguazh closed 6 months ago

xiaoguazh commented 1 year ago

Using VSCode 1.80.0 + Python 3.11.4 on Win10, I tried to run the simplest Python code with "Run in Interactive Window" and got a threat message from Trellix: win32crypt.pyd => Trojan: Artemis!5390ADE0ED54, see the screenshot. It seems VSCode will install the Jupyter plugin, and this plugin requires pywin32.

[screenshot: Trellix threat alert for win32crypt.pyd]

win32crypt.pyd without Trojan.

Trellix Agent: 5.7.9.139
Trellix Endpoint Security: 10.7
VSCode 1.80.0
pywin32 306

Run any python code with "Run in Interactive Window"

Python 3.11.4

Name: pywin32
Version: 306
Summary: Python for Window Extensions
Home-page: https://github.com/mhammond/pywin32
Author: Mark Hammond (et al)
Author-email: mhammond@skippinet.com.au
License: PSF
Location: C:\Users\garyzhao\AppData\Roaming\Python\Python311\site-packages
Requires:
Required-by: jupyter_core, plumbum

mhammond commented 1 year ago

That's going to be a false positive.

xiaoguazh commented 1 year ago

> That's going to be a false positive.

Thanks so much mhammond for the comments.

I also suspect it is very likely that Trellix wrongly reports this alert. Or has something like the Jupyter plugin in VSCode been tampered with, so that it downloads a tampered win32crypt.pyd from somewhere?

Avasam commented 6 months ago

Issues like this are gonna be antivirus false positives and/or due to downloading from a different source than pywin32's official distributions (same as #2135).
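The reporter asks whether a tampered win32crypt.pyd could have been dropped into site-packages, and the last comment points at the download source. One check a practitioner can run before trusting either the alert or the install is to compare the files on disk against the hashes pip wrote into the distribution's RECORD file at install time. The script below is an added example, not part of pywin32 or of this issue; `verify_installed` uses `importlib.metadata` against a real install, while `SAMPLE_RECORD` and `SAMPLE_FILES` are constructed stand-ins (not real pywin32 bytes or hashes) so the logic can be exercised anywhere.

```python
import base64
import csv
import hashlib
from io import StringIO
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional


def record_digest(data: bytes, algo: str = "sha256") -> str:
    """Hash bytes the way pip writes them into RECORD: '<algo>=<urlsafe base64, no padding>'."""
    raw = hashlib.new(algo, data).digest()
    return f"{algo}=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_record(record_text: str) -> Dict[str, Optional[str]]:
    """Parse a RECORD file (CSV rows of path,hash,size).
    Entries that carry no hash (RECORD itself, compiled .pyc files) map to None."""
    entries: Dict[str, Optional[str]] = {}
    for row in csv.reader(StringIO(record_text)):
        if not row or not row[0]:
            continue
        entries[row[0]] = row[1] if len(row) > 1 and row[1] else None
    return entries


def verify_files(record_text: str,
                 read_file: Callable[[str], Optional[bytes]],
                 only: Optional[Iterable[str]] = None) -> Dict[str, str]:
    """Compare each RECORD entry against the bytes currently on disk.

    read_file(path) returns the file's bytes, or None if the file is absent.
    Result per path: 'ok', 'modified', 'missing' or 'unhashed'.
    'only' restricts the check to paths ending with one of the given names.
    """
    wanted = tuple(only) if only is not None else None
    results: Dict[str, str] = {}
    for path, expected in parse_record(record_text).items():
        if wanted is not None and not path.endswith(wanted):
            continue
        if expected is None:
            results[path] = "unhashed"
            continue
        data = read_file(path)
        if data is None:
            results[path] = "missing"
            continue
        algo = expected.split("=", 1)[0]
        results[path] = "ok" if record_digest(data, algo) == expected else "modified"
    return results


def verify_installed(dist_name: str = "pywin32",
                     only: Iterable[str] = ("win32crypt.pyd",)) -> Dict[str, str]:
    """Run the check against an installed distribution via importlib.metadata."""
    from importlib import metadata
    dist = metadata.distribution(dist_name)  # raises PackageNotFoundError if absent
    record_text = dist.read_text("RECORD") or ""

    def read_file(rel: str) -> Optional[bytes]:
        p = Path(str(dist.locate_file(rel)))
        return p.read_bytes() if p.is_file() else None

    return verify_files(record_text, read_file, only)


# Constructed sample data (not real pywin32 file contents or hashes).
SAMPLE_FILES = {
    "win32/win32crypt.pyd": b"constructed stand-in for the real module bytes",
    "win32/win32api.pyd": b"constructed stand-in that has been altered since install",
}
SAMPLE_RECORD = "\n".join([
    # Matches the bytes above, so it verifies as 'ok'.
    f"win32/win32crypt.pyd,{record_digest(SAMPLE_FILES['win32/win32crypt.pyd'])},"
    f"{len(SAMPLE_FILES['win32/win32crypt.pyd'])}",
    # Recorded hash no longer matches what is on "disk": reported as 'modified'.
    "win32/win32api.pyd,sha256=0000000000000000000000000000000000000000000,5",
    # Listed in RECORD but not present at all: reported as 'missing'.
    "win32/win32print.pyd,sha256=1111111111111111111111111111111111111111111,5",
    # RECORD never hashes itself: reported as 'unhashed'.
    "pywin32-306.dist-info/RECORD,,",
])

if __name__ == "__main__":
    for path, status in verify_files(SAMPLE_RECORD, SAMPLE_FILES.get).items():
        print(f"{status:9} {path}")
    try:
        print(verify_installed())
    except Exception as exc:  # e.g. pywin32 is not installed on this machine
        print(f"skipped live check: {exc}")
```

A 'modified' result for win32crypt.pyd means the file changed after pip installed it, which is the scenario the reporter worried about; an 'ok' result only shows the file is the one pip unpacked. To rule out the second case raised in the thread, an install from a non-official source, the wheel's own hash still has to be compared with the one published on PyPI for that pywin32 release, which this script does not do.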