radareorg / radare2

UNIX-like reverse engineering framework and command-line toolset
https://www.radare.org/
GNU Lesser General Public License v3.0
20.68k stars 3k forks

Windows Defender issues #19114

Open trufae opened 3 years ago

trufae commented 3 years ago

The following files are considered malware; we should make Windows builds free from such files. Most of the files are in the testsuite, but for r2, the r2agent is still considered a trojan. Which it is.

      file:C:\Users\pancake\Desktop\w32\bin\bin\r2agent.exe quarantined at 9/12/2021 3:47:58 PM (UTC)

Here's the full listing. We shouldn't be distributing malware even if it's for a testsuite, and afaik those samples have an empty entrypoint, but this issue is all about checking this and solving those issues.

C:\> cd C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0
C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0> MpCmdRun -Restore -ListAll
The following items are quarantined:

ThreatName = PWS:Win32/Zbot
      file:C:\Users\pancake\prg\radare2\test\bins\pe\winmain.exe quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Backdoor:Win32/Guptachar.2_0
      file:C:\Users\pancake\prg\radare2\test\bins\pe\bcc1.ex quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Trojan:Win32/HawkEye.D!MTB
      file:C:\Users\pancake\prg\radare2\test\bins\pe\Reborn_Stub-strings.exe quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = VirTool:Win32/Obfuscator.XZ
      file:C:\Users\pancake\prg\radare2\test\bins\pe\15004.file quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Trojan:Win32/Tnega!MSR
      file:C:\Users\pancake\prg\radare2\test\bins\pe\Lab01-03.exe quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Trojan:Win32/Sabsik.TE.A!ml
      file:C:\Users\pancake\Desktop\w32\bin\bin\r2agent.exe quarantined at 9/12/2021 3:47:58 PM (UTC)

ThreatName = Backdoor:Win32/Idicaf.gen!B
      file:C:\Users\pancake\prg\radare2\test\bins\pe\Lab05-01.dll quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Backdoor:Win32/Neporoot.A
      file:C:\Users\pancake\prg\radare2\test\bins\pe\lab11.malware quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Trojan:AndroidOS/Looter.C!MTB
      file:C:\Users\pancake\prg\radare2\test\bins\elf\libexploit.so quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Backdoor:Linux/Tsunami.C!MTB
      file:C:\Users\pancake\prg\radare2\test\bins\elf\analysis\dwarf_load quarantined at 9/18/2021 8:48:49 PM (UTC)

ThreatName = Backdoor:Linux/Gafgyt.M!xp
      file:C:\Users\pancake\prg\radare2\test\bins\elf\bashbot.arm.gcc.O0.elf quarantined at 9/18/2021 9:50:01 PM (UTC)
      file:C:\Users\pancake\prg\radare2\test\bins\elf\bashbot.x86_64.O0.elf quarantined at 9/18/2021 9:50:01 PM (UTC)
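The two checks the listing above calls for are (a) which quarantined paths are testsuite samples and which are shipped binaries (r2agent.exe is the only one outside `test/bins`), and (b) whether a given PE really has an empty entrypoint. The script below is an added example, not code from the radare2 project or from this issue: it parses `MpCmdRun -Restore -ListAll` output (the two entries embedded are copied from the listing above) and reads `AddressOfEntryPoint` straight from the PE headers, reporting which section the entrypoint falls in. The `build_pe32` helper constructs a headers-only PE32 image as a fixture so the check can be exercised offline; it is not one of the quarantined samples.

```python
"""Triage a Windows Defender quarantine listing and check PE entry points."""
import re
import struct
import sys

# Copied from the MpCmdRun listing in the issue (two of the entries).
LISTING = r"""ThreatName = PWS:Win32/Zbot
      file:C:\Users\pancake\prg\radare2\test\bins\pe\winmain.exe quarantined at 9/18/2021 9:50:01 PM (UTC)

ThreatName = Trojan:Win32/Sabsik.TE.A!ml
      file:C:\Users\pancake\Desktop\w32\bin\bin\r2agent.exe quarantined at 9/12/2021 3:47:58 PM (UTC)
"""

THREAT_RE = re.compile(r"^ThreatName = (.+)$")
FILE_RE = re.compile(r"^\s*file:(.+?) quarantined at ")


def quarantined_files(listing):
    """Return (threat_name, path) pairs from `MpCmdRun -Restore -ListAll` output."""
    threat, out = None, []
    for line in listing.splitlines():
        m = THREAT_RE.match(line)
        if m:
            threat = m.group(1).strip()
            continue
        m = FILE_RE.match(line)
        if m and threat:
            out.append((threat, m.group(1)))
    return out


def in_testsuite(path):
    """True when the path lies under the radare2 test/bins tree (a sample, not a shipped binary)."""
    return "\\test\\bins\\" in path.replace("/", "\\")


def pe_entry_point(data):
    """Parse PE headers; return {'magic', 'entry', 'section'} (section is None if the RVA
    maps to no section). Raises ValueError for anything that is not a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (entry,) = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint, same offset in PE32/PE32+
    section = None
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize = struct.unpack_from("<III", data, off + 8)
        if va <= entry < va + max(vsize, rawsize):
            section = name
            break
    return {"magic": magic, "entry": entry, "section": section}


def build_pe32(entry_rva, sections=((".text", 0x1000, 0x200),)):
    """Construct a minimal headers-only PE32 image (test fixture, not a real binary)."""
    opt_size = 0xE0  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    shdrs = b""
    for name, va, size in sections:
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode(), size, va, size, 0x400, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + shdrs


if __name__ == "__main__":
    for threat, path in quarantined_files(LISTING):
        print("%-9s %s  (%s)" % ("sample" if in_testsuite(path) else "SHIPPED", path, threat))
    # Real use: pass the quarantined PE paths on the command line; otherwise use the fixture.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("fixture", build_pe32(0))]
    for label, data in targets:
        info = pe_entry_point(data)
        print(label, "entry=0x%x" % info["entry"], "section=%s" % info["section"],
              "-> empty entrypoint" if info["entry"] == 0 else "")
```

Two caveats when reading the result. An `AddressOfEntryPoint` of 0 is legal for a DLL (no DllMain is called), while for an EXE it points the loader at the MZ header, so nothing meaningful runs either way; but Defender matches on content, not on whether the image would execute, so inert samples still trip signatures and the fix on the Microsoft side is the file-submission route, not patching the headers. Locally, the only thing that stops the test tree from being quarantined on every checkout is an exclusion (`Add-MpPreference -ExclusionPath` on the test/bins directory), which should never be applied to the directory where built r2 binaries land.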
trufae commented 3 years ago

Needs to be submitted here to resolve the issues: https://www.microsoft.com/en-us/wdsi/filesubmission