sedwards2009 / extraterm

The swiss army chainsaw of terminal emulators
https://extraterm.org
MIT License

Extraterm 0.59.1 detected as virus by Windows Defender #343

Closed Comnenus closed 3 years ago

Comnenus commented 3 years ago

Windows Defender is detecting this virus on extraterm.exe on install: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan:Win32/Zpevdo.B&threatid=2147729093

sedwards2009 commented 3 years ago

I just checked on my Windows machine and it too, early this morning, detected extraterm.exe as being a threat.

For whoever might be interested, extraterm.exe is a small program written in Go which is also built via GitHub Actions and pulled directly into the Extraterm build when it runs on Azure. The code and binaries for it come from here: https://github.com/sedwards2009/extraterm-launcher

I'll look into this closer later today.

Edit: Just to be clear. I have no reason to suspect that this is anything other than a false positive on the behalf of Defender.

sedwards2009 commented 3 years ago

For those who are affected by this and want to get a terminal running, you can directly run extraterm_main.exe inside the Extraterm installation folder.

sedwards2009 commented 3 years ago

Virus Total scores extraterm.exe as follows: https://www.virustotal.com/gui/file/9fa7e81ada96fb334d2ab48c73ea047c9f6901ff6d1a2fc1a567e0389f4227dd/detection

16/68 anti-virus programs are flagging it.

sedwards2009 commented 3 years ago

Flagging Go programs as viruses seems to be a common problem: https://golang.org/doc/faq#virus

sedwards2009 commented 3 years ago

I've tested some of the versions of extraterm.exe (the launcher exe) on virustotal.com and against Microsoft Defender running locally. These are the built binaries from Releases at https://github.com/sedwards2009/extraterm-launcher

Tag: v3 - in Extraterm 0.59.1

Virus Total: 16/68 flagged as dangerous

https://www.virustotal.com/gui/file/9fa7e81ada96fb334d2ab48c73ea047c9f6901ff6d1a2fc1a567e0389f4227dd/detection

Microsoft Defender: Trojan:Win32/Zpevdo.B 🔴

Tag: v2 - in Extraterm 0.59.0

Virus Total: 21/68 flagged as dangerous

https://www.virustotal.com/gui/file/745b48aac88788c3b1d061945e93722e345301d78b54a9e9db3da197973bf3fa/detection

Microsoft Defender: OK 🟢

Tag: v1

Virus Total: 13/68 flagged as dangerous

https://www.virustotal.com/gui/file/377a1edc2125c42d8a47456a0a4a0c59faed40fd18fb3a2cbfd2c93a13dfac7f/detection

Microsoft Defender: OK 🟢

sedwards2009 commented 3 years ago

A lot of these virus checkers use heuristics to judge whether an executable is a threat or not. The result on Virus Total seems to be a bit random and it is hard to tell what does or does not trip a virus checker.

v3 used in Extraterm 0.59.1 does have an interesting change which might explain why Microsoft Defender is upset. v3 looks up the process info of another process running on the machine which may look suspicious. (The launcher is trying to see if the Extraterm main exe is still running at the process ID from file ipc.run.)

The plan now is to remove that process lookup and use a different way of checking if the main exe is running. Hopefully that will get us under the Defender radar.

sedwards2009 commented 3 years ago

The new version of the launcher exe (v4) is now ok by Microsoft Defender and scoring 10/61 flags on Virus Total, which is an improvement. https://www.virustotal.com/gui/file/1ece52359d0796eeca88583c7a975fa0026d2fe1a8d5a51dc79cdcb80a4d80e4/detection

sedwards2009 commented 3 years ago

Fixed in v0.59.2.

Comnenus commented 3 years ago

Thank you!