stascorp / rdpwrap

RDP Wrapper Library
Apache License 2.0
14.79k stars 3.84k forks source link

v1.6.2 is showing viruses/trojans by several virus scanners #277

Open signal15 opened 7 years ago

signal15 commented 7 years ago

15/58 virus scanners are showing malware in this package. In v1.6, they also showed 5/58. Something shady is going on with this package. See virus scanning results here:

https://www.virustotal.com/en/file/fed08bd733b8e60b5805007bd01a7bf0d0b1993059bbe319d1179facc6b73361/analysis/1498759251/

Some of these look like they are specifically detecting rdpwrap, but some look like they are detecting WisdomEyes and other malware.

Also, the latest version of Chrome on Windows refuses to download v1.6.1 saying that it is "dangerous". It does download v1.6 just fine though.

binarymaster commented 7 years ago

Well, maybe if I change the behaviour of installer not to enable RDP by default after installation, it will be more secure, and those AVs would be more quiet.

da2x commented 7 years ago

It’s the behavior of the installer that is triggering the problem. The installer is a newly installed program that goes and download an INI or DLL, right? (Or anything over TLS.) Well, that is malicious behavior (at least that is how antivirus vendors see it). Digitally sign the installer with a code signing certificate. Then you can contact reach antivirus vendor individually and request that your signature is added to a whitelist.

Alternatively: don’t download stuff off the web right away. Do auto-update like behavior and wait a week before you start downloading resources. This require that everything is bundled in the installer, however.

signal15 commented 7 years ago

Why not just package the DLLs/INIs with the installer instead of having them downloaded when the installer is run?

In any case, I cannot even get v1.6.1 to download via Chrome, and if I download with another browser, our corporate AV solution flags it and deletes it, and then a ticket gets opened and an investigation is launched. I can have them whitelist the hash, but that would require at least a couple of hours of someone's time to verify in a sandbox that the tool is safe. I'm sure many others are facing the same issues as I am.

binarymaster commented 7 years ago

Why not just package the DLLs/INIs with the installer instead of having them downloaded when the installer is run?

They are already built-in. Online installation is optional feature and controlled by command-line arguments.

signal15 commented 7 years ago

If you made enabling RDP a checkbox option, I wonder if that would get around some of it as well.

The1andONLYdave commented 7 years ago

//edit:nvm, sorry for triggering notifications - i totally missed that it is mentioned in the last sentence of the first post.

Also flagged by Current Stable Chome on Windows as malware/malicious download. Maybe you can file a request here https://support.google.com/webmasters/answer/3258249?hl=en

da2x commented 7 years ago

(There are no exception for unsigned programs … it’s the certificate that is excluded not the software.)

psommerfeld commented 7 years ago

Any update on this? Chrome is still blocking the download.

maxim commented 7 years ago

In chrome after download refuses to start click the "Show All" and there click "keep anyway".

goozleology commented 7 years ago

So, when downloading 1.6.1, Chrome blocked it. However, I went to Settings >> Downloads and was able to get Chrome to download it. However, when I tried to install it, my Malware detector, Bitdefender, also blocked it. Can you confirm that the download and install is safe?

binarymaster commented 7 years ago

Can you confirm that the download and install is safe?

How I can do it? It's a matter of trust, since you're downloading it from official repo ( https://github.com/stascorp/rdpwrap/releases ).

If you don't trust the binaries, you'll need to build it from source. If you don't trust the code, I don't know how to help you.

affinityv commented 7 years ago

@binarymaster you can provide a sha256sum or better still, you can provide a .sig file using a GPG key? And provide your GPG key's fingerprint for verification. There are still trust issues, but if you establish a good reputation with a GPG key, then it can be very much worthwhile. You can also create an account as keybase.io and verify your Github account through that, as well as verify your GPG key; then provide details of your fully verified keybase.io account.

affinityv commented 7 years ago

@binarymaster you can provide a sha256sum or better still, you can provide a .sig file using a GPG key? And provide your GPG key's fingerprint for verification. There are still trust issues, but if you establish a good reputation with a GPG key, then it can be very much worthwhile. You can also create an account at keybase.io and verify your Github account through that, as well as verify your GPG key; then provide details of your fully verified keybase.io account.

distinguished-git commented 6 years ago

Are you having trouble with GPG?

Or maybe you are worry that taking rdpwrap off the malware list will make you a riper target for the M$ legal department?

binarymaster commented 6 years ago

@distinguished-git unfortunately I have no free time to work on that.

BigMikeC commented 6 years ago

The latest version has triggered even more virus alerts on Total Virus. It has now risen from 15 to 19 with some of the most commonly installed AV suites blocking RDP Wrapper including, as said above, Google Chrome. It is a superb utility and we need to assist binarymaster in getting it in a format that does not trigger such serious trojan and malware warnings.

binarymaster commented 6 years ago

Just for curiosity's sake I rechecked all binaries in release, here are results:

BigMikeC commented 6 years ago

The problem is! Binarymaster, is that those 18 anti malware scanners are amongst the most popular products and it leaves a huge number of users unable to install the files or try to create a quarantine exceptuin

binarymaster commented 6 years ago

huge number of users unable to install the files or try to create a quarantine exception

Since the project is targeted at system administrators and experienced users, this is not so huge.

YisroelTech commented 6 years ago

Honestly, what people concerned about this can do is report the detection to the AV vendors as false positives. Here is my pretty successful try with Kaspersky (that I'm using personally as AV): img_20180104_010746

asulwer commented 6 years ago

I think the issue is the virus scanners you are using. Where is the virus binarymaster snuck in? go look at the source code that he has kindly provided and show it to me! most of the complainers are just trying to get hits on the search engines so people will stop using this. who do these complainers work for? Microsoft or an affiliate? I have personally downloaded and compiled the source, which is how I am using this package. if you are concerned then do it that way. binarymaster is not getting paid!

YisroelTech commented 6 years ago

@asulwer, stop accusing people as working for someone etc...

People aren't "complaining" they are just "asking" if there's a possibility to have this assume tool being more easy to use for the layman who isn't proficient in excluding or bypassing their AV.

But as binarymaster correctly pointed out, this project is targeted for experienced users and it'll take too long for him to work on this issue.

But the community can certainly try to help by reporting this as a False Positive to the AV vendors.

BigMikeC commented 6 years ago

To confirm what Asulwer just stated. Nobody is complaining and we all agree its a superb utility. We also all agree that the Virus scanners (18 out of 66 of them) are being far too sensitive to some aspect of the program and generating a false positive. Those 18 are some of the main anti-virus programs. The idea is to see if we can assist by either flagging it as false positive with each individual software provider or helping with another apsect in the coding or dll's.

binarymaster commented 6 years ago

Some news: I've contacted Dr. Web support manager to resolve false positive alert from their product, and they answered me that problem is solved now (I hope so).

image

guebert commented 6 years ago

PMFJI: I can install v1.6.1 with GData Scanner active (and run update.bat) but can't install v.1.6.2 as is it recognized as malware.

v1.6.1 https://www.virustotal.com/#/file/ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753/detection

v1.6.2 https://www.virustotal.com/#/file/b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c/detection

I'd be glad for an official whitelisting by GData.

Michael

hkvega01 commented 6 years ago

My computer was inflected cyssis ransomeware after installed this

binarymaster commented 6 years ago

@hkvega01 don't download stuff from third party sites.

salmmm22 commented 6 years ago

I downloaded directly from the GitHub page. I understand the confusion when it comes to antivirus and malware detection, but what about popups the next day? They included:

Threat: HKTL_RADMIN
Source: Spyware
Affected Files: C:\WINDOWS\Installer\43fb44.msi

HKTL_RADMIN

Threat: HKTL_RADMIN
Source: Spyware
Affected Files: C:\Users\salmm\D…8-1f0acd3cf0d6.tmp
Threat: HKTL_RADMIN
Source: Spyware
Affected Files: C:\Users\salmm\D…-ffba838dbd0a.tmp
Threat: HKTL_RADMIN
Source: Spyware
Affected Files: C:\Users\salmm\D…-ec11e3e946ec.tmp
tzeejay commented 6 years ago

First of all I'd like to say thank you for creating and maintaining this. I come from the Mac/Linux side of computing and hadn't touched a Windows machine in probably a decade. The software works great but the warnings really had me checking the links multiple times to make sure that I don't download something that will mess with my server.

In order to combat this and appear a bit more credible I'd like to see everything code signed and SHA256 hashes published alongside the downloads. That way one can easily verify the downloads and those tasks can be automated. I understand that this is overhead and you may not have time to do it right now but it may be a good way to indicate that this software isn't malware.

Thanks again and hope that you'll find a solution that works for you 👍

mlt commented 5 years ago

Here is a friendly reminder for those like @hkvega01 (and myself) landing on this page, the software itself is alright. Here is an article that roughly matches the timeline https://www.zdnet.com/article/fbi-warns-companies-about-hackers-increasingly-abusing-rdp-connections/ . Long story short. Have strong passwords and limit allowed IPs with firewalls and such. Changing default port is not a solution!

bunchp commented 5 years ago

Problem is we really can't trust that you have verified that you haven't been hacked or something. You really need to get this fixed or give it up. No developer should ask people to just trust that there is no virus...

darkoverlordofdata commented 5 years ago

I'm blocked by chrome also. I would build this myself, I've been a developer for years, but I don't find any instructions in the website. It appears to be written using Pascal - I have no experience with pascal, that renders me a noob. How about some build instructions - does anyone have those?

darkoverlordofdata commented 5 years ago

Ah - I missed this:

Building the binaries: x86 Delphi version can be built with Embarcadero RAD Studio 2010 x86/x64 C++ version can be built with Microsoft Visual Studio 2013

the only issue there, is those cost more then the windiws 10 home upgrade that this replaces... given the long list of open issues with this software, that doesn't sound like a good idea. Guess I'll just pay my money to Microsoft and get the real thing.

affinityv commented 5 years ago

Everyone blocked by Chrome, stop using spyware browser! Download direct with wget or with a better browser.

onebod commented 5 years ago

I'll try sending to McAfee as a false positive - that's what we pay them for - not circumventing their input - they need to get it right, or binary master needs to sign it properly or get it to behave in a way AVs will tolerate.

jas-glitch commented 5 years ago

Is there a solution/work around to being able to get RDPConf.exe to stay on a machine...McAfee keeps removing it as a 'virus'

cowwoc commented 5 years ago

@jas-glitch All anti-viruses have an exception list. Add RDPConf.exe to that list.

jas-glitch commented 5 years ago

@jas-glitch All anti-viruses have an exception list. Add RDPConf.exe to that list.

thanks, unfortunately, we are part of a much bigger governing body, so this will not happen :(. thats o, I'll keep a zipped version of it somewhere as I only use it when RDPWrapper breaks, and see if i can run it enough to see what the problem is...otherwise, I'll just have to work through itmanually

daveybops commented 4 years ago

Similarly, Firefox warning "This file contains a virus or malware". EDIT: Antivirus apps (and Firefox) detecting this as a virus maybe due to the fact it has been used by attackers https://news.softpedia.com/news/danabot-banking-trojan-moves-to-europe-adds-rdp-and-64-bit-support-522842.shtml . I remember when many of nirsoft's apps were reported as "viruses" I assume for the same reason. BTW, someone opened another ticket 2 hrs ago, #1047

ntlug commented 4 years ago

In all fairness, while we can blame non-Microsoft AV, even Microsoft labels components of RDPwrapper as SEVERE with regards to risk. While I would like to see Microsoft spend more time vetting their (bad) patches to Windows 10, Microsoft instead has made the elimination of RDP Wrapper their chief priority. Personally, I'd get this project out of github (the new strong arm of Microsoft's empire).

Microsoft labels RDP Wrapper at the top of high risk software you might have installed on your computer.

affinityv commented 4 years ago

@ntlug -- Not my quote....

"....exposure to Windows causes brain damage and that its use in the corporate workplace should be considered an OSHA violation."

I would extend that to other Microsoft property and I too would love to see projects exiting Github to a property owned by an actual and real supporter of open source.

The quote come from this debian-user thread: https://lists.debian.org/debian-user/2020/08/msg00714.html

grindhousewoody commented 3 years ago

To those interested in trying the MSI you can download it with TOR browser and disable auto app deletion in windows.

EliezerBee commented 1 year ago

Bitdefender flagged 5 files:

  1. S:\ALL DATA\Eliezer\Downloads\RDPWInst-v1.6.2.msi
  2. S:\ALL DATA\Eliezer\Downloads\RDPWrap-v1.6.2.zip
  3. C:\Program Files\RDP Wrapper\rdpwrap.dll
  4. C:\Windows\Installer\2d0161.msi=>(Embedded CAB)=>RDPWInst
  5. C:\ProgramData\Package Cache\{37ea5771-3352-4a52-9fac-9297331daebd}\RDPWInst.exe

I easily whitelisted the first 3. But the 4th and 5th don't have a clear name or predictable path with which to whitelist. How can I whitelist those?

And it categorized all those files like this: threatType="6" threatName="Application.RemoteAdmin.RHU"

cowwoc commented 1 year ago

@EliezerBee You'll need to add a parent directory to the exclusion list. Added folders exclude all nested files and directories.

EliezerBee commented 1 year ago

I would be afraid to just whitelist these:

essentially saying any malware that deposited files anywhere therein have a green light. Wouldn't you agree that's highly risky? I'm trying to find out if Bitdefender supports wildcards.

cowwoc commented 1 year ago

Are you trying to automate the install process? If so, run a script that finds the exact absolute path and whitelist only that. If you're not automating, do this work by hand and whitelist the full path again.

EliezerBee commented 1 year ago

No, I'm not trying to script or automate anything. I'm simply trying to whitelist RDPWrap on one computer so that Bitdefender doesn't attack RDPWrap with every scan.

It deleted the files from these two locations:

I had trouble manually copying the files back there, due to permissions. Should I change the permissions and copy the files back there?

Are these even valid paths ("2d0161" and "{37ea...}") for me to whitelist?

cowwoc commented 1 year ago

Honestly, I don't know. I'm just an end-user and I also don't use Windows Defender so I've never actually run into the problem you mentioned.

This problem is not specific to this project. I recommend looking for help on Google or Youtube. Other people must have the same problem.

EliezerBee commented 1 year ago

Understood, and you're correct. But just for the record, I'm not asking about Windows Defender. I'm asking about Bitdefender free.

EliezerBee commented 1 year ago

Well, maybe if I change the behaviour of installer not to enable RDP by default after installation, it will be more secure, and those AVs would be more quiet.

This would be a great idea, actually. That's easy enough to document and for users of RDPWrap to do. And it would make people calmer since every AV wouldn't be alarming.