pyfa-org / Pyfa

Python fitting assistant, cross-platform fitting tool for EVE Online
GNU General Public License v3.0

Trojan infection #2586

Closed msaracevic closed 4 months ago

msaracevic commented 4 months ago

Bug Report

Downloaded from https://github.com/pyfa-org/Pyfa/releases the win.zip version. It was flagged as a Trojan-infected file.

Expected behavior:

Expected not to be flagged / infected.

Actual behavior:

It was flagged as infected and removed by Windows Defender.

Detailed steps to reproduce:

Download the win.zip package and unzip it.

Other relevant information:


DarkFenX commented 4 months ago

Which antivirus is that?

This is a scan from VirusTotal, fully clean (no false positives even, I am surprised): https://www.virustotal.com/gui/file/b2ee359942d62f076960d6b76aae2b64d727245e982853c6ffcba2218177a5ed

edit: oh, it's the zip distribution; it scans the zip itself (in progress) and the enclosed exe.

msaracevic commented 4 months ago

It's Windows Defender.

DarkFenX commented 4 months ago

This is a scan of pyfa.exe from v2.57.3: https://www.virustotal.com/gui/file/01ab090f4538d2f7e4aa761996db926d904db8dba408ee860ed82d3a472d8840

Defender doesn't show an alert, idk why. My guesses would be that either a bump of a dependency changed MS Defender's reaction, or something has changed in Defender's algorithms. Or, since pyfa app code is bundled with that file, it could be changes in pyfa code which triggered it.

I will go through the commits made between releases and figure out which one was the first faulty one, but it will take time.

msaracevic commented 4 months ago

This version flagged it for me, quarantined the exe file after trying to run it, and asked if it should quarantine or remove the .zip.

DarkFenX commented 4 months ago

Rebuilt the first commit after 2.57.3, build is here. Uploaded the .zip exe to VirusTotal, the same result as for 2.58.0. Seems like a false positive to me, I am unsure what I can do (aside from starting to sign binaries to avoid that; I've seen some claims even self-signing helps, but that does not sound right to me).

msaracevic commented 4 months ago

I've run the installer in a Win11 virtual machine and it was fine, so it seems that just the .zip one is problematic on my system...

Oh well, anyways, feel free to close considering that nobody else reported the same...

DarkFenX commented 4 months ago

I've run the installer in a Win11 virtual machine and it was fine, so it seems that just the .zip one is problematic on my system...

Those are the same binary, just packed differently:

$ md5sum ~/Downloads/pyfa-v2.58.0-win/pyfa.exe
d42bde935f973aff9db62326471c850e  /home/dfx/Downloads/pyfa-v2.58.0-win/pyfa.exe

vs

$ md5sum ~/.wine/drive_c/Program\ Files/pyfa/pyfa.exe
d42bde935f973aff9db62326471c850e  /home/dfx/.wine/drive_c/Program Files/pyfa/pyfa.exe

You can check it yourself. If Defender does not complain about the .exe from the installer, chances are it was whitelisted, and the .exe in the .zip won't be a problem either.

edit: to clarify, you ran just the installer, not the installed app?
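A small check of the kind shown above, written for this note rather than taken from the thread or from pyfa: it hashes the exe directly inside the zip (no extraction to disk), compares it with the installed copy, and builds the VirusTotal lookup URL from the SHA-256. The archive and files it inspects are constructed in a temporary directory as stand-ins for the real release artifacts.

```python
import hashlib
import os
import tempfile
import zipfile

CHUNK = 1 << 20  # read files in 1 MiB pieces so large binaries fit in memory


def sha256_of_stream(stream):
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def sha256_of_zip_member(zip_path, member):
    # Hash the member straight out of the archive; nothing is written to disk,
    # so an AV on-access scanner never sees an extracted copy.
    with zipfile.ZipFile(zip_path) as zf, zf.open(member) as m:
        return sha256_of_stream(m)


def virustotal_url(sha256_hex):
    # Same lookup form used in the thread: VirusTotal keys reports by SHA-256.
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


def compare(zip_path, member, installed_path):
    a = sha256_of_zip_member(zip_path, member)
    b = sha256_of_file(installed_path)
    return {"zip_member": a, "installed": b, "identical": a == b, "lookup": virustotal_url(a)}


def demo():
    # Constructed sample: the same bytes packed as a zip and as a loose file,
    # plus a tampered copy with one extra byte. Not a real executable.
    payload = b"MZ" + b"constructed sample, not a real executable" * 100
    with tempfile.TemporaryDirectory() as d:
        zip_path = os.path.join(d, "pyfa-win.zip")
        with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("pyfa-win/pyfa.exe", payload)
        good, bad = os.path.join(d, "pyfa.exe"), os.path.join(d, "pyfa-tampered.exe")
        open(good, "wb").write(payload)
        open(bad, "wb").write(payload + b"\x00")
        same = compare(zip_path, "pyfa-win/pyfa.exe", good)["identical"]
        diff = compare(zip_path, "pyfa-win/pyfa.exe", bad)["identical"]
    return same, diff  # expected (True, False)


if __name__ == "__main__":
    print(demo())
```

Point it at the real pyfa-v2.58.0-win.zip and the installed pyfa.exe to reproduce the identical-hash result quoted above, with SHA-256 instead of MD5.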

msaracevic commented 4 months ago

To answer the last question from the edit:

All the issues above arose from the .zip package. After unpacking it on my Win 10 machine and starting the exe, it was marked as a detected trojan and auto-quarantined by Windows; the exe was then gone from the unpacked files.

I've run a full scan after that and it also found the same flag in the original downloaded .zip file and asked me if I wanted to quarantine or remove it.

After that, I've downloaded a fresh Windows 11 image, loaded it up in VMware, downloaded the actual installer and ran it inside the virtual machine without any issues.

DarkFenX commented 4 months ago

Well, that doesn't make any sense whatsoever (since pyfa.exe is identical in both packages). Try updating the AV definitions in the VM'd Windows and see if it detects anything?

msaracevic commented 4 months ago

Ok, downloaded the .zip again in the virtual machine as well, it got flagged.

So the installer is passing, the .zip archive is not.

EDIT: Using this image from Windows https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/ in VMware, imported, installed updates, restarted, otherwise vanilla.

DarkFenX commented 4 months ago

Ok, then two more guesses:

1) It might be treating them differently based on their location. You could check it by placing the .zip contents into the location used by the installer (in Program Files).

2) It somehow establishes a link to the pyfa project by tracking where the .exe installer is downloaded from, then seeing that pyfa.exe gets extracted from it, and this source already has some reputation built in MS databases (but it doesn't make much sense w/o signed executables).

Either way I can't see how I can do anything. If you want to get around the warnings, just use the .exe installer.

KanoCodex2 commented 4 months ago

I am having the same issue, both with the zip and the exe installer.

tmckzs commented 4 months ago

Trying to install from the .exe image.

Vironsusi commented 4 months ago

I am having the same problems with both the ZIP and EXE; Windows Defender just auto-quarantines and deletes them. Quite puzzling.

Vironsusi commented 4 months ago

I did a Triage analysis and while it does say that pyfa is dangerous due to it being a Python-installing app, it doesn't have anything that should raise flags, as it's just doing the Pyfa thing and nothing else, best I can tell.

Poetess4Crypto commented 4 months ago

With MD5 d42bde935f973aff9db62326471c850e:

https://www.virustotal.com/gui/file/187a9be2abb2867ce049608806d4afd2c4765377729cbfba380b09a59d1c643f/detection

RotusMaximus commented 4 months ago

While the file still seems to get false-flagged by the same anti-viruses on VirusTotal, Defender does not seem to flag it anymore (at least for me; this includes both the .exe and .zip release). Maybe some of the others originally affected can re-check as well.

Vironsusi commented 4 months ago

The issue seems resolved, for me at least. I extracted 2.58.0 from the zip I downloaded on release day, and one from today, and got no Windows Defender response beyond the 'Unknown Publisher' prompt, which is not unusual. So it seems the issue may have been on Windows' end and may be resolved.

DarkFenX commented 4 months ago

Either they whitelisted it or updated their detection algorithms. Anyway, closing the issue and praying it does not reappear with the next release (and it might, because there is a new binary every time).

Thanks for your reports.