ultravnc / UltraVNC

UltraVNC Server, UltraVNC Viewer and UltraVNC SC | Official repository: https://github.com/ultravnc/UltraVNC
https://uvnc.com
GNU General Public License v3.0

Microsoft Windows Defender detect UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A #210

Open alex-purple opened 1 month ago

alex-purple commented 1 month ago

Microsoft Windows Defender 1.417.13.0 detect UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A

nickcardwell commented 1 month ago

What was the outcome on this? False Positive?

Tuwase commented 1 month ago

[Screenshot (14) attached]

RudiDeVos commented 1 month ago

VirusTotal: 6/64 security vendors flagged this file as malicious. UltraVNC is flagged as VNC, which indeed is a remote admin app that can be installed as an unwanted tool.

Flagged:
AliCloud: Backdoor[rat]:Win/UltraVNC.gen
DrWeb: Program.RemoteAdmin.952
Kaspersky: Not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen
Rising: Hacktool.UltraVNC!8.13A44 (CLOUD)
Zillya: Tool.UltraVNC.Win32.659
ZoneAlarm by Check Point: Not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen

Undetected:
Acronis (Static ML), AhnLab-V3, ALYac, Antiy-AVL, Arcabit, Avast, AVG, Avira (no cloud), Baidu, BitDefender, BitDefenderTheta, Bkav Pro, ClamAV, CMC, CrowdStrike Falcon, Cynet, Emsisoft, eScan, ESET-NOD32, Fortinet, GData, Google, Gridinsoft (no cloud), Huorong, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Lionic, Malwarebytes, MAX, MaxSecure, Microsoft, NANO-Antivirus, Panda, QuickHeal, Sangfor Engine Zero, Skyhigh (SWG), Sophos, SUPERAntiSpyware, Symantec, TACHYON, TEHTRIS, Tencent, Trellix (ENS), Trellix (HX), TrendMicro, TrendMicro-HouseCall, Varist, VBA32, VIPRE, VirIT, ViRobot, WithSecure, Xcitium, Yandex, Zoner

RudiDeVos commented 1 month ago

Microsoft Windows Defender 1.417.13.0 detect UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A

Retested with my local build and that's also flagged. The code inside is identical to UltraVNC_1436_X64_Setup.exe or the X86 version, which are not flagged. Let's hope they correct it; nothing we can do.

VersusBG commented 1 month ago

Include a digital certificate in the msi installation package and submit it for a malware scan as a developer at: https://www.microsoft.com/en-us/wdsi/filesubmission

RudiDeVos commented 1 month ago

ultravnc_1436_x64.msi
Submission ID: a84a7d8c-1cf6-413a-b59f-27b6df86e060
Status: In progress
User Opinion: Incorrect detection
Analyst comments: No analyst comment provided.

RudiDeVos commented 1 month ago

Re-uploaded msi files. Signing requires different parameters for msi files; re-uploaded with new signing parameters. Please verify if it passes now.

VersusBG commented 1 month ago

I also submitted the file and reported it as a false positive to MS. It's still in progress.

RudiDeVos commented 3 weeks ago

Does the new msi (new signing) still trigger the detection?

VersusBG commented 3 weeks ago

It's not about creating a new msi which will have a different hash. It's about Microsoft not marking UltraVNC as Trojan:Win32/Vigorf.A but instead trusting your certificate and marking UltraVNC as remote admin software like TeamViewer, AnyDesk, Dameware etc. So they need to have the UltraVNC hash marked in the antivirus as legit remote admin/remote support instead of trojan. In my latest submission they approved it and now it's allowed in the new antivirus database, but this is only for the old hash.

Submission result (tree view):
ultravnc_1436_x64.msi: Not malware
Cloud: Not malware
Client: No malware detected
Online (1.417.340.0): No malware detected

VersusBG commented 3 weeks ago

https://uvnc.eu/download/1436/UltraVNC_1436_X64.msi is not detected for me with ms defender 1.417.333.0

RudiDeVos commented 3 weeks ago

https://uvnc.eu/download/1436/UltraVNC_1436_X64.msi is now signed with a special msi option; signing is now also on the container, not only the files.
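The last comment distinguishes signing the files inside the package from signing the MSI container itself. An MSI is an OLE compound file, and a container-level Authenticode signature is stored as a stream named `\x05DigitalSignature` in its root storage, so the cheapest way for a defender to confirm which kind of signing a downloaded package has is to list the container's streams. The script below is an added example and not UltraVNC project code; it parses the OLE directory with only the Python standard library and builds a constructed, minimal OLE fixture (with and without the signature stream) so it can be run offline. The stream name, the `\x05SummaryInformation` stream and the fixture layout are standard OLE/MSI structures; the `build_fixture` helper is mine and exists only to exercise the parser.

```python
import struct
import sys

# OLE compound-file constants (MSI packages are OLE compound files)
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
# The package-level (container) Authenticode signature lives in this stream
SIGNATURE_STREAM = "\x05DigitalSignature"


def list_streams(data):
    """Return the names of all storage/stream entries in an OLE compound file."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    per_sector = sector_size // 4
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_difat, num_difat = struct.unpack_from("<II", data, 68)

    # FAT sector numbers: the first 109 sit in the header, the rest in DIFAT sectors
    fat_sectors = [s for s in struct.unpack_from("<109I", data, 76) if s != FREESECT]
    sec = first_difat
    for _ in range(num_difat):
        chunk = struct.unpack_from("<%dI" % per_sector, data, (sec + 1) * sector_size)
        fat_sectors.extend(s for s in chunk[:-1] if s != FREESECT)
        sec = chunk[-1]  # last slot of a DIFAT sector links to the next one
    fat = []
    for s in fat_sectors[:num_fat]:
        fat.extend(struct.unpack_from("<%dI" % per_sector, data, (s + 1) * sector_size))

    # Walk the directory chain through the FAT and decode every used 128-byte entry
    names, seen, sec = [], set(), first_dir
    while sec != ENDOFCHAIN:
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        off = (sec + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0 or name_len < 2:  # unused directory slot
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names


def has_container_signature(data):
    """True if the MSI container itself carries a DigitalSignature stream."""
    return SIGNATURE_STREAM in list_streams(data)


def _dir_entry(name, obj_type, right=NOSTREAM, child=NOSTREAM):
    """Constructed 128-byte directory entry: zero-length stream, no left sibling."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return (raw.ljust(64, b"\x00")
            + struct.pack("<HBBIII", len(raw), obj_type, 1, NOSTREAM, right, child)
            + bytes(36)  # CLSID, state bits, creation/modification times
            + struct.pack("<IQ", ENDOFCHAIN, 0))


def build_fixture(signed):
    """Constructed minimal OLE file: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    # minor version, major version 3, byte order, sector shift 9 (512 B), mini shift 6
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)
    # directory sector count (0 for v3), one FAT sector, directory starts at sector 1
    struct.pack_into("<III", header, 40, 0, 1, 1)
    # mini-stream cutoff, no mini FAT, no DIFAT sectors
    struct.pack_into("<IIIII", header, 56, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))

    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_dir_entry("Root Entry", 5, child=1),
               _dir_entry("\x05SummaryInformation", 2, right=2 if signed else NOSTREAM)]
    if signed:  # real packages hold a PKCS#7 blob here; the fixture only needs the entry
        entries.append(_dir_entry(SIGNATURE_STREAM, 2))
    directory = b"".join(entries).ljust(512, b"\x00")  # unused slots stay zeroed
    return bytes(header) + fat + directory


if __name__ == "__main__":
    # Usage: python check_msi_sig.py <package.msi>; without an argument the fixture is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fixture(True)
    print("streams:", [n.lstrip("\x05") for n in list_streams(blob)])
    print("container signature present:", has_container_signature(blob))
```

Presence of the stream only says the container was signed, not that the signature is valid or that the certificate chains to a trusted root; for that, run `signtool verify /pa <package.msi>` or `Get-AuthenticodeSignature` on Windows, which checks the MSI container signature rather than the embedded files. A package whose embedded executables are signed but whose container is not will show no `DigitalSignature` stream and will report as unsigned in both tools, which is the gap the new signing option closes.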