mwlistscom / GetSTRM

GetSTRM creates a directory structure for Plex/Emby of .strm files from an M3U or RockyMyM3U STRM playlist
Creative Commons Zero v1.0 Universal

Windows Defender blocks download of the release for Windows -> Trojan? #1

Closed RE3CON closed 1 month ago

RE3CON commented 1 month ago

Please check: it seems like a signature string exactly matches a Trojan in the AV database and prevents the download of the x86 release. I know it's a lot to do to find the matching string in the binary to break or bypass the detection, but it's worth it because Windows Defender comes with every Windows installation by default. Whitelisting, i.e. making an exception by contacting the AV devs, can take very long, if they do it at all.

mwlistscom commented 1 month ago

Interesting - it's just a compiled version of the .go (you can 'go build GetSTRM.go' and build the exe yourself).

US version: [screenshot]

ClamWIN didn't identify anything: [screenshot]

mwlistscom commented 1 month ago

When I use Defender to scan the directory with the EXE itself, it does not ID anything. Can you verify?

Seems like a known issue - https://answers.microsoft.com/en-us/windows/forum/all/virus-trojanscriptwacatachml-showed-up-after-i/253da665-1fc3-473c-abc3-0fdfbc6dcaad

Also see -

https://go.dev/doc/faq#virus

RE3CON commented 1 month ago

On a brand new installed Windows 10 Pro machine, Windows Defender reports a matching binary string as soon as the compiled file is downloaded. Finding the matching AV signature string inside the executable and changing a few bits will prevent the false positive. Maybe the next version build will fix the false alert by itself. Otherwise it takes a lot of time to look up in the AV signatures what this Trojan-triggering signature string looks like, hex-compare the exe, search for it, and change it to break the match.

mwlistscom commented 1 month ago

Agreed - I will obfuscate and build a new release today.

mwlistscom commented 1 month ago

Will have to try some options - I obfuscated v1.0.3, but it was still reported as a virus.

RE3CON commented 1 month ago

Still detected as Trojan as well as Ransomware. For myself no problem, I made an exception, but most users will think it is possibly dangerous. Many years ago, when programming file-sharing clients in C++, I got the same problem even with all possible EXE packers and protectors, those which are not easy to unpack.

From: Jules Potvin, Sent: Monday, 15 July 2024 17:52, To: mwlistscom/GetSTRM, Cc: Chris; Author, Subject: Re: [mwlistscom/GetSTRM] Windows Defender block download of the release for windows -> Trojan? (Issue #1)

Try V1.0.3

https://github.com/mwlistscom/GetSTRM/releases/tag/v1.0.3

You will still receive a warning about running an unknown binary. The only way to fix that is to obtain a code certificate, which isn't practical due to the cost at the moment.

mwlistscom commented 1 month ago

Same - I tried https://github.com/burrowers/garble. There was some Reddit discussion in late '23 that this worked, but it seems Microsoft has since fixed it.

mwlistscom commented 1 month ago

I applied for a false positive exception with Microsoft on version 1.0.2. When you get a minute, can you check if that is still blocked?

mwlistscom commented 1 month ago

We are going to close this issue as we applied for an exception with Microsoft on version 1.0.2. Will look into open-source app signing for a future release.