Closed Comnenus closed 3 years ago
I just checked on my Windows machine and it too, early this morning, detected extraterm.exe as being a threat.
For whoever might be interested, extraterm.exe is a small program written in Go which is also built via GitHub Actions and pulled directly into the Extraterm build when it runs on Azure. The code and binaries for it come from here: https://github.com/sedwards2009/extraterm-launcher
I'll look into this closer later today.
Edit: Just to be clear. I have no reason to suspect that this is anything other than a false positive on the behalf of Defender.
For those who are affected by this and want to get a terminal running, you can directly run extraterm_main.exe inside the Extraterm installation folder.
Virus Total scores extraterm.exe as follows: https://www.virustotal.com/gui/file/9fa7e81ada96fb334d2ab48c73ea047c9f6901ff6d1a2fc1a567e0389f4227dd/detection
16/68 anti-virus programs are flagging it.
Flagging Go programs as viruses seems to be a common problem: https://golang.org/doc/faq#virus
I've tested some of the versions of extraterm.exe (the launcher exe) on virustotal.com and against Microsoft Defender running locally. These are the built binaries from Releases at https://github.com/sedwards2009/extraterm-launcher
Virus Total: 16/68 flagged as dangerous
Microsoft Defender: Trojan:Win32/Zpevdo.B 🔴
Virus Total: 21/68 flagged as dangerous
Microsoft Defender: OK 🟢
Virus Total: 13/68 flagged as dangerous
Microsoft Defender: OK 🟢
A lot of these virus checkers use heuristics to judge whether an executable is a threat or not. The result on Virus Total seems to be a bit random and it is hard to tell what does or does not trip a virus checker.
v3 used in Extraterm 0.59.1 does have an interesting change which might explain why Microsoft Defender is upset. v3 looks up the process info of another process running on the machine, which may look suspicious. (The launcher is trying to see if the Extraterm main exe is still running at the process ID from the file ipc.run.)
The plan now is to remove that process lookup and use a different way of checking whether the main exe is running. Hopefully that will get us under the Defender radar.
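An added helper, not part of the Extraterm project or of this thread, for anyone triaging the report on their own machine: before trusting either scanner verdict, confirm that the extraterm.exe you have is byte-for-byte one of the samples actually submitted to VirusTotal. It hashes the file with SHA-256 and compares the digest against the two values taken from the VirusTotal links in this thread. The notes attached to each digest summarise what the thread says about that build (16/68 for the first link, which is the build Defender flagged; 10/61 and Defender-clean for the v4 link); the function names and the command-line usage are my own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// KnownSamples maps the SHA-256 digests from the VirusTotal links in this
// thread to a short note. The notes paraphrase the thread; they are not
// VirusTotal output.
var KnownSamples = map[string]string{
	"9fa7e81ada96fb334d2ab48c73ea047c9f6901ff6d1a2fc1a567e0389f4227dd": "launcher build scored 16/68 on VirusTotal; the build Defender reported as Trojan:Win32/Zpevdo.B (maintainer considers it a false positive)",
	"1ece52359d0796eeca88583c7a975fa0026d2fe1a8d5a51dc79cdcb80a4d80e4": "launcher v4 (Extraterm 0.59.2): clean on Defender, 10/61 on VirusTotal",
}

// Sha256Hex returns the lowercase hex SHA-256 digest of data, the same
// form VirusTotal shows in its URLs.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// LookupHash returns the thread's note for a known digest (case-insensitive)
// and false when the digest is not one of the samples discussed here.
func LookupHash(hexDigest string) (string, bool) {
	note, ok := KnownSamples[strings.ToLower(hexDigest)]
	return note, ok
}

// ClassifyBytes hashes file contents and looks the digest up. A file that
// is not a known sample may still be fine, but the verdicts quoted in the
// thread simply do not apply to it.
func ClassifyBytes(data []byte) (digest string, note string, known bool) {
	digest = Sha256Hex(data)
	note, known = LookupHash(digest)
	return digest, note, known
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: hashcheck <path-to-extraterm.exe>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "read failed:", err)
		os.Exit(1)
	}
	digest, note, known := ClassifyBytes(data)
	fmt.Println("sha256:", digest)
	if known {
		fmt.Println("matches a sample from the thread:", note)
	} else {
		fmt.Println("not one of the samples discussed in the thread; look the digest up yourself before relying on any verdict quoted there")
	}
}
```

Hash the launcher, not the whole installer: the scanner verdicts in the thread are for extraterm.exe alone, and a match on the digest is the only way to know you are reading the right report.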
The new version of the launcher exe (v4) is now ok by Microsoft Defender and scoring 10/61 flags on Virus Total, which is an improvement. https://www.virustotal.com/gui/file/1ece52359d0796eeca88583c7a975fa0026d2fe1a8d5a51dc79cdcb80a4d80e4/detection
Fixed in v0.59.2.
Thank you!
Windows Defender is detecting this virus on extraterm.exe on install: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan:Win32/Zpevdo.B&threatid=2147729093