valinet / ExplorerPatcher

This project aims to enhance the working environment on Windows
GNU General Public License v2.0
24.29k stars 1.04k forks

Windows Defender reports Trojan:Win32/Spursint.Q!cl in dxgi.dll #265

Closed mphartzheim closed 2 years ago

mphartzheim commented 2 years ago

I've been using ExplorerPatcher with the square corners for about a week now and today Windows Defender has quarantined the dxgi.dll flagging it as Trojan:Win32/Spursint.Q!cl. A quick google for that suggests this is likely a false positive.

yetisyny commented 2 years ago

This exact same issue just happened to me, too, I had to rename dxgi.dll to dxgio.dll to get it disabled so explorer.exe could run again. Windows Defender is now blocking explorer.exe from running when ExplorerPatcher is installed (at least using the usual install method of dxgi.dll in the C:\Windows directory). We need to get Windows Defender to stop thinking this is a trojan.

UPDATE: I was able to solve the issue by following the directions at https://jackboxgames.happyfox.com/kb/article/28-how-to-whitelist-and-resolve-issues-in-antivirus-software-and-firewalls/ if you scroll down to “Windows Defender” in the “Antivirus” section of the page (below the “Firewalls” section). The directions it gives (revised for ExplorerPatcher) are:

1) Open Windows Defender from the notification area.
2) Select Virus & threat protection.
3) Open Virus & threat protection settings.
4) Scroll down and select Add or remove exclusions under the Exclusions section.
5) Click on Add an exclusion and select the file or folder (such as dxgi.dll) you want to exclude.
6) Confirm the selection.

You can also find the official directions from Microsoft at https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-security-center-antivirus?view=o365-worldwide#add-exclusions-for-microsoft-defender-antivirus-in-the-windows-security-app on how to whitelist something in Windows Defender.

I have submitted a report to Microsoft about this being a false positive and hopefully their security analysts will agree with me. Since Microsoft actually owns GitHub, they should be able to check out the source code and confirm that it doesn’t do anything bad and verify that the files from this repository are legit and hopefully get it whitelisted.

joshhuggins commented 2 years ago

Yup started seeing this as well which was causing me to not be able to login as I was getting the black screen of death with cursor after login and could not launch Explorer. I was able to get booted in and after a few hours of troubleshooting Windows 11 updates I finally received a notice that defender was flagging it as Spursint.Q!cl. Setting it to be excluded seems to have tamed the Defender beast for now. As others have said thank you for this godsend tool!

valinet commented 2 years ago

Thanks @yetisyny for providing the tutorial. I linked it on this other page that discussed this similar issue: https://github.com/valinet/ExplorerPatcher/discussions/264

And like, what else can I say... hours, days, weeks of hard work for some shitty computer algorithm that decides to behave like this... I mean, I don't know how much more transparent one can be besides this project. I mean, glass is more opaque than ExplorerPatcher... This issue appeared in the past as well with Kaspersky or sth like that.

I'd stop providing binaries tomorrow, as personally I don't need them, they are just for the users to not have to go through the inconvenience of compiling themselves. It's a trust issue, of course I vouch that, consciously at least, what you get in the provided binaries is compiled straight from the code uploaded in the repo.

Other than that, I said this in the past as well, if we find a method to do reproducible builds, I am all in for choosing 3-4 of us, sharing our machines and compiling the latest source code independently, compare the hashes of the obtained binaries and if they're the same, then pretty much either:

Speedy37 commented 2 years ago

Why not setup github action to produce builds? I can probably do it if you are interested.

valinet commented 2 years ago

Yeah, why not... As I said multiple times, any contribution is welcome. Thanks.

valinet commented 2 years ago

Why haven't I used that until now? Didn't know about it, and have been and still am busy with other stuff...

fernando-granco commented 2 years ago

Interesting how my Kaspersky also tried to block it, had to whitelist the file as well. While VirusTotal shows no detections: https://www.virustotal.com/gui/file/10176a2d8193cf6a0ed8af83a7de3f3853d1c4fa02f109cda059feb9dc1fc2e4/

It must be that "real time" kind of detection, oh well

BigheadSMZ commented 2 years ago

I also noticed today that Windows Defender started flagging it as a trojan. I immediately set it up as an exception in the settings and all was well.

@valinet: I wouldn't let this situation get you down too much. I know your frustration all too well. I have been working on and off on a PowerShell script to work with custom textures for video game modification for several years now (called Custom Texture Tool PS), and suddenly a few months ago, much of the internet decided it was a "virus". There is really nothing any of us can do about it except leave it up to the users to trust that we are creating software to their benefit, and rely on our reputations and transparency to prove that fact. In my case, I was able to double compress it (zip/7z) to get past auto-detection of file hosting sites, but that only works for sharing it, and wouldn't help your situation.

Allow me to go on a tangent and say this patch is amazing, it makes Windows 11 a usable operating system. It fixes the many flaws that Microsoft was seemingly too ignorant to fix/implement/downgrade. I wouldn't be using Windows 11 right now if not for your amazing work, I was frustrated and ready to downgrade until someone mentioned this on the Stardock Start11 forum. StartAllBack does not work with Start11 (which can restore the Windows 10 style start menu), while ExplorerPatcher works flawlessly with it. ExplorerPatcher + Start11 together has made Windows 11 a valid OS for me.

While it's a shame that corporations want to try and police the distribution of software, users of modern software also have a responsibility to understand that this is taking place. But that also puts a responsibility on us to inform them of that. If anything, when the places I share my script like Mediafire, GoogleDrive, Discord, Dropbox, and even Windows Smart Screen decided to flag my script as something potentially malicious, it just made my resolve to continue developing it stronger, and make people more aware of the current situation of corporations trying to control who gets to write and share software in the name of "security".

I think if enough people manage to upload it to the link below and identify it as a "false positive", the problem may or may not eventually go away. The downside... this would need to be done for every single release. So it may not be a sustainable solution long term, at least not until you could ever reach a point of a "final version". If that's even possible in an OS that will continue to evolve. And who knows if Microsoft would even allow it to be whitelisted since it goes against their "design wishes" as horrible as they are. https://www.microsoft.com/en-us/wdsi/filesubmission

Well, whatever happens, whatever you decide in the long run, thank you for all your hard work. If anything I'm sure it has provided a great learning experience, it's that kind of thing that keeps us going. And that alone is priceless. Sorry for the rant.

valinet commented 2 years ago

@BigheadSMZ Thank you for the support, I appreciate it. I agree with what you said.

That being said, I don't really mind to be honest. They can flag it whatever, I am not going to waste time dealing with it. If I release a new version, what's going to happen, go through all the hoops again, as you said as well... not sustainable. The slight thing that bothers me is the Internet exploding with everyone opening an issue or asking about this, as if I can do anything about it anyway. And like, I am aware since the first post about it, no need for literally everyone to open a ticket... but whatever.

As I said a couple of times, this project's primary purpose is educational, for people to grab the source code, experiment with it, learn from it and see some techniques for doing this kind of stuff. I also developed it so I can improve the situation for my daily use of Windows 11, indeed, and then considering the 2, I decided that sharing it online may benefit others as well in one form or the other. Also, I decided not to merely open source this, but to make it free and develop it in the open; I don't know how much more transparent something can be than this. The source code is fully available, anyone can check it or whatever, compile their own version etc. The binaries are just a convenience. I am not going to go out of my way to build whatever workarounds... to be honest, I don't even have that version anymore. It did not happen on my PC, as I compile it daily so of course the binary changed and maybe the version I have does not even trigger the heuristic anymore... who knows?

It's a trust issue indeed, but as I said, everyone has more than enough tools to make an informed decision. I, for one, am not too bothered by this. Again, thanks for the support.

slikts commented 2 years ago

There must be an upfront warning in the readme about this issue and steps on how to recover from situations like #267 where it would look to many users like the system needs a reinstall to recover.

If it's possible to set up CI pipeline automation for the builds, those would be a trusted source for the binaries. GitHub Actions can run Windows, and the only issue could be whether all the dependencies needed for the build (like Windows SDK) are supported.

In any case, thanks for making ExplorerPatcher; the Explorer in Windows 11 is a downgrade in the worst traditions of Microsoft, where they likely used telemetry data to drop support for features that only power users use, even though they're essential.

BigheadSMZ commented 2 years ago

It might be possible to "work around" this issue with a batch script like this: https://www.mediafire.com/file/r9t84j7rteigcb0/dxgi_allow.7z/file

It's a simple and small script that does the following:

While not a perfect solution, it should effectively bypass the issue. Arguments could be made that we should not be trying to bypass these things, but at the same time, arguments can be made that Microsoft should not be flagging harmless software.

If some small "installer" could be made to place "dxgi.dll" into the proper folder, something like this could be launched during installation. Or it could be left up to the user to run it manually before attempting any copying. From my testing, it seemed to work on both Windows 10 and 11, meaning it added the files to the exclusions lists.
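An added PowerShell example (not the batch script linked above and not part of the ExplorerPatcher project) that ties together the exclusion steps from earlier in the thread and the hash comparison valinet mentioned for reproducible builds: it checks the installed dxgi.dll against a known release hash before adding an exclusion for that one file rather than a whole folder. It assumes the DLL sits at C:\Windows\dxgi.dll and uses, as a placeholder, the SHA-256 from the VirusTotal link in this thread; substitute the hash of the release (or your own build) you actually installed.

```powershell
# Added example, not ExplorerPatcher code. Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

param(
    # Assumed install location (the "usual install method" from this thread).
    [string]$DllPath = 'C:\Windows\dxgi.dll',
    # Placeholder: SHA-256 from the VirusTotal link posted in this thread.
    # Replace with the hash of the release you downloaded or built yourself.
    [string]$ExpectedSha256 = '10176a2d8193cf6a0ed8af83a7de3f3853d1c4fa02f109cda059feb9dc1fc2e4'
)

# 1. Does the file on disk match the published release / an independent build?
#    Comparing this value across several builders is the reproducible-build
#    check discussed above; a mismatch means you should not whitelist it.
if (-not (Test-Path -LiteralPath $DllPath)) {
    throw "Not found: $DllPath (Defender may already have quarantined it)"
}
$actual = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {   # -ne is case-insensitive in PowerShell
    throw "Hash mismatch for $DllPath`n expected $ExpectedSha256`n actual   $actual"
}
Write-Host "Hash matches the expected release: $actual"

# 2. Show what Defender actually flagged, so the exclusion stays targeted at
#    the file that triggered the alert and nothing else.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($DllPath) } |
    Select-Object DetectionID, InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-List

# 3. Exclude only this file, never the whole C:\Windows folder.
Add-MpPreference -ExclusionPath $DllPath

# 4. Confirm the exclusion list; reverse it later with:
#    Remove-MpPreference -ExclusionPath $DllPath
(Get-MpPreference).ExclusionPath
```

Get-MpThreat maps the numeric ThreatID to the name Defender reported (Trojan:Win32/Spursint.Q!cl in this thread) if you want to record it alongside the detection.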

valinet commented 2 years ago

Okay, thanks, so, can we integrate GitHub actions with something that makes an installer automatically and uploads it to releases?

slikts commented 2 years ago

From a cursory search, GitHub Actions should support both the VS build tools and Windows SDK, so there shouldn't be anything blocking setting up build and release automation.

valinet commented 2 years ago

Yeah, I clicked the button and saw that as well. What I was interested in is whether the specific thing I asked can be made?

virgo77 commented 2 years ago

I was very worried about this Trojan:Win32/Spursint.Q!cl detection, as I thought it was a real infection on my computer. And where I used many Safe Mode Antivirus Scanners and found nothing, I was wondering what was it? And Windows Defender was not able to tell me which file was generating this alert because Explorer.exe crashed too quickly that I lost the usage of my entire computer. So, I was not "aware" that it was because of this little DLL file... and I was very sad. I thought it was a real intrusion (as I read on many posts about this specific Trojan). In about 25 minutes, it was 21 alerts I wasn't able to know more about... Tonight, I'm happy to see my computer working again. And the DLL is still in the folder. So I don't know why Windows Defender was so nervous about this file... hope it will not come again... as I will delete this DLL, then. Hope so not! Thanks for your job :)

valinet commented 2 years ago

You're welcome.

Also, the solution is to whitelist it, as @BigheadSMZ explained above, if you want to use it, for example. I don't understand why you have to stop using a program just because Windows Defender or whoever tells you so. The issue here is with Windows Defender, not with this program.

virgo77 commented 2 years ago

Yeah, but I don't want to whitelist many files, because they can be false-positive ones. I prefer to use my system as genuine as possible. Hope you can understand this. So, now, as I know it may be this DLL, if the alert pops again, I will stop using this file, and wait for an update by Microsoft. Maybe if an update will come... And again: good job and interest you give about this soooo lovely old Taskbar! ^^ Good night! cheers

valinet commented 2 years ago

So, to address this situation, I have set up the infrastructure to have the builds be automatically generated on GitHub's infrastructure. Every time a new commit is made, the latest binaries will be compiled on GitHub's infrastructure and a new release with them will be generated and made available. This way, the builds are untouched, plus the added benefit is that releases now always are up to date, in sync with the main repository, since I do not have to publish them manually anymore.

I think this addresses in a satisfactory manner the concerns raised in this issue and similar ones; thus, I will close this for now, and hopefully the files won't be flagged anymore.

Thank you all for the support, tips and collaboration on this matter.

PELock commented 2 years ago

Screw entire antivirus industry big time! My software is the victim of false-positive alerts 15 years in a row. You need to explain to every one of the customer what it is and why it's not my fault... Best way to deal with it would be to sue them... av doesn't give a shit about code signing (no no) or anything like that.

valinet commented 2 years ago

Yeah, it’s my impression too that sometimes (too often) it is used more of a political instrument. Some users are scared away from trying homebrew software with tactics like this, in turn staying with the default option or big players. But if you hinder competition, how do you want to achieve progress…? Not to mention, if I have a problem, my software misbehaves, I get a ticket here and I have a bug to take care of; when this happens with an AV product, it’s called “false positive”, not bug, and people firstly still complain to me, not to the vendor of the actual program causing the trouble: the antivirus developer.

Anyway, I think I’ve done more than enough to address this on my side. I don’t have the resources, on all fronts, to sustain a useless fight with them anyway. If someone starts a bigger movement though, sign me in, although I doubt it, security is the number one concept used these days to actually impede user choice, restrict capabilities, dumb down products etc.

PELock commented 2 years ago

Dude, I sell copy protection software that encrypts executable files (exe/dll), my customers are developers who protect their stuff against cracking. Right now almost all of the AVs detect anything encrypted or compressed (like a UPX compressed executable) as a false positive detection! Now customers of my customers are afraid to use their software - there is a financial loss. I lose customers, because nobody in their right mind will encrypt their executables just so their customers go to you and scream "IT'S A VIRUS!!!!!!!!!!!!!!".... No easy way. You can send individual files for whitelisting, but the best step would be to sue those companies in a group lawsuit.

valinet commented 2 years ago

Yeah, sad to hear. As I said, it’s clear, it’s a move aimed towards taking control of the software people run too (hardware and the kernel space is mostly “secured”). In the name of “security”.

I wish you the best, idk what else to say. I am sad to hear your story. Ofc, for me here, the situation is infinitely simpler as I don’t sell anything and don’t really care some people are still put off after the situation is explained. But generally, this thing is very bad, you are perfectly right, and for that it makes me angry towards them vendors as well.

As I said, I’d fully support a movement against this trend/behavior. I wonder where are the anti-trust regulators now? Oh yeah, it’s always Microsoft and Internet Explorer, other than that, everything is perpetually fine…

PELock commented 2 years ago

It's gonna look like this in the future

Funny, because individual developers and a sea of independent creators made Windows what it is today. Not fucking Office. But an open ecosystem.

But you know how it's gonna end up?

Microsoft will end up badly and then they will pay ppl to develop shit for Windows again, like they did a few years ago so devs put their shit on their store

https://www.theverge.com/2013/3/19/4124548/microsoft-paying-developers-cash-for-windows-apps

valinet commented 2 years ago

Haven’t read the whole thing about Process Hacker because I don’t need to: I am too familiar with what he describes and I agree 100% with the developer. Repeat, too familiar.

The kernel space in Windows is basically a jail nowadays: only Microsoft can approve what runs there for regular users. Also, ofc they bent in front of the Chinese Communist Party and only license to them this feature that allows for loading of self signed drivers in a truly secure manner (i.e. not putting the whole system in test mode). The way it works is Windows can be set to load drivers signed with the PK of the system when Secure Boot is on, but that is licensed for use only in Windows 10 China Government Edition. Guess why. You can pay however much you want, they won’t license it to us. But yeah, everyone’s politically correct. Fuck them. (I put together a guide/tool with info from others to force enable this for us, in regular Windows versions as well: https://github.com/valinet/ssde).

Also, I am too familiar with the APIs restricted to Microsoft signed binaries only. It sucks big time. Big time. Security-wise it’s stupid, it doesn’t make any sense. It’s masked in that, but truly just anti competitive behavior. Hell, CreateWindowInBand is not a security risk even… I use these extensively in ExplorerPatcher, for the moment, the solution is to ship one of their signed binaries, run that and load in there via a DLL. In EP these work because the code runs in explorer.exe. It’s extremely dumb, just a move to fuck with third parties and make it harder to do certain stuff, so their shit comes out in front better.

Microsoft sucks. Big players in the industry generally suck. Government regulators sit on their ass all day, sipping through public funds and doing nothing. Legislators are also completely overwhelmed: they lack the education, they are dumber by the day (superficial, a trend found in the general population as well), driven only by financial interests, so ofc business can use all the tricks to seem clean and get away with this behavior. People that actually know are relegated to some forgotten Internet corner. Do I need to remind you of that famous debate where some US senator or whatever asked Google’s CEO if the iPhone listens to him or something like that? Or how crappy the GDPR is implemented in practice, with surfing the Internet in the EU becoming an exercise in frustration. And these are supposedly the best in worldwide government…

Idk if this is a losing strategy long term. They will soon erase the idea that software is free to do whatever you want on a computer. In the name of “security”, they reeducate users into accepting a highly controlled environment where only pre-approved stuff can run. After that, after the initial shock, after people like me, you are bullied away to some Internet corner, the general population forgets and that’s it. Then, it’s hard to expect something future generations will consider impossible or unusual: running whatever software one wants on their computer, distributing it freely and executing it in a fair environment (not with “Firefox consumes more battery, try Microsoft Edge” popups delivered right by the OS).

Back to reading that article, it makes me cry, the situation is that shitty…