Closed mcwnuq closed 2 years ago
I'm getting the same report by Windows Defender. Kaspersky Opentip portal on the other hand reported no threats found.
Yep, came here to report this too.
I came here to report this too, my first action was to quarantine the file. I hope it's still working just fine.
This was solved last week, see https://github.com/wakatime/wakatime-cli/issues/654
But apparently, Windows Defender thinks it's malware again since definition version 1.359.811.0.
@alanhamlett can you request another unblock request at Microsoft?
I've submitted the new release v1.38.0 to Microsoft so hopefully it's unblocked soon. For now, if it gives you the choice please allow it to run. Usually after it's unblocked, you will still need to restart your computer or trigger an update of the Windows Defender malware definitions:
We tried to prevent this by scanning releases before they go out in #656, but since the release passed maybe it takes some time before Windows Defender blocks a program.
@gandarez any thoughts how we could prevent this because it's happening on every release lately? If we can't prevent it, I wonder if we could automate an alert that detects when a release is incorrectly detected as malware so we can submit it to Microsoft as soon as possible.
Threat scan didn't fail for this release. So I think it won't work as we expected it to.
The threat scan build step probably passed because it was too soon and wasn't in the Defender malware definition yet, since it hadn't been released. Let's figure out how to detect when releases get put on Defender's block list sooner, so we can reduce the time they're being blocked.
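A defender-side check for the gap described above (a build that passes the release-time scan but trips a later Defender definition), added here as an example and not code from the wakatime-cli project: it refreshes definitions, custom-scans each release executable, and exits non-zero if Defender records a detection so a scheduled job can alert the maintainers. It assumes the Windows Defender PowerShell module, an elevated prompt, and a hypothetical $ReleaseDir folder holding copies of the release artifacts.

```powershell
# Added example (not from the wakatime-cli project): re-check a built release against the
# definitions users actually have, rather than the snapshot that existed at build time.
# Assumptions: Defender PowerShell module present, elevated prompt, and $ReleaseDir is a
# hypothetical folder containing copies of the unpacked release executables.
param(
    [string]$ReleaseDir = "C:\wakatime-release"   # hypothetical path, adjust as needed
)

# Pull the latest definitions first so the scan reflects the current block list
Update-MpSignature -ErrorAction Stop
$status = Get-MpComputerStatus
Write-Host ("Definitions: {0} (updated {1})" -f $status.AntivirusSignatureVersion,
                                                 $status.AntivirusSignatureLastUpdated)

$flagged = @()
foreach ($exe in Get-ChildItem -Path $ReleaseDir -Filter *.exe -Recurse) {
    $before = Get-Date
    # Custom scan limited to this one file; any hit is logged as a threat detection event
    Start-MpScan -ScanType CustomScan -ScanPath $exe.FullName -ErrorAction Continue
    $hits = Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $before -and
        ($_.Resources -match [regex]::Escape($exe.FullName))
    }
    foreach ($hit in $hits) {
        $threat = Get-MpThreat -ThreatID $hit.ThreatID
        $flagged += [pscustomobject]@{
            File     = $exe.Name
            Sha256   = (Get-FileHash -Algorithm SHA256 -Path $exe.FullName).Hash
            Threat   = $threat.ThreatName
            Detected = $hit.InitialDetectionTime
        }
    }
}

if ($flagged.Count -gt 0) {
    $flagged | Format-Table -AutoSize
    # Non-zero exit lets a scheduled task or CI job raise the alert, so the false-positive
    # submission to Microsoft can be filed as soon as the detection appears
    exit 1
}
Write-Host "No detections for files in $ReleaseDir with definitions $($status.AntivirusSignatureVersion)."
```

Scan copies of the artifacts rather than the only build output, since a detection may cause Defender to quarantine or delete the file.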
Microsoft says,
The detection has been removed.
Please follow the steps below to clear cached detections and obtain the latest malware definitions.
1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"
Is there something malware like about this tool that makes it trigger Windows Defender?
It started happening after we added support for editing files over ssh and sftp with #623 but might just be a coincidence.
I wonder if it's the mention of GoLang's crypto module. What if Microsoft sees that and is incorrectly assuming it's a crypto mining PUP?
We already had a dependency on the crypto module, but that PR added a new dependency on https://github.com/pkg/sftp. I don't think Microsoft Defender can see the Go modules, only the resulting PE binary code.
Version 1.40.0 was just released. Please let us know if you encounter this malware prompt again!
Issues which are duplicates of this issue:
Let's keep future discussions in this thread instead of the other duplicate issues.
First time getting my workplace's anti-virus complaining about the cli (used by vscode extension):
<?xml version="1.0" encoding="utf-8" ?>
<ESET>
<LOG>
<RECORD>
<COLUMN NAME="Time">09/02/2024 15:08:09</COLUMN>
<COLUMN NAME="Scanner">Real-time file system protection</COLUMN>
<COLUMN NAME="Object type">file</COLUMN>
<COLUMN NAME="Object">C:\Users\diego.mateos\.wakatime\wakatime-cli-windows-amd64.exe</COLUMN>
<COLUMN NAME="Detection">a variant of WinGo/Agent_AGen.AN trojan</COLUMN>
<COLUMN NAME="Action">cleaned by deleting</COLUMN>
<COLUMN NAME="User">diego.mateos</COLUMN>
<COLUMN NAME="Information">Event occurred during an attempt to access the file by the application: C:\Program Files\Microsoft VS Code\Code.exe (B59621FFE51FF096E92773E9A18A8956889A722A).</COLUMN>
<COLUMN NAME="Hash">70142184E7B8ED9DA064B27E4125BD1FF5754944</COLUMN>
<COLUMN NAME="First seen here">14/04/2023 8:08:39</COLUMN>
</RECORD>
</LOG>
</ESET>
Quite weird because the internal.cfg says that the binary has not been updated:
[internal]
backoff_at =
backoff_retries = 0
cli_version = v1.86.5
cli_version_last_modified = Fri, 27 Oct 2023 23:04:20 GMT
cli_version_last_accessed = 1707464311
But not sure if this file is being updated correctly, wakatime-cli-windows-amd64.exe.backup last modification does not match:
I have the same problem with the ESET antivirus
Done some testing:
Let me know if you need more info! Thanks
For now I think I managed to edit the internal.cfg to stop auto-updates by setting the version to 1.89.1 and all timestamps to now. Is there a flag to set to simply stop autoupdates instead? Not sure if my fix will last.
The only thing that changed is we upgraded Go to v1.22. You can download and build wakatime-cli manually then replace the one in ~/.wakatime/wakatime-cli.exe with your build. Then the plugins skip updating because they detect a local build.
Same problem with ESET on win 10, this is my internal.cfg
[internal]
cli_version = v1.86.5
cli_version_last_modified = Fri, 27 Oct 2023 23:04:20 GMT
backoff_at =
backoff_retries = 0
cli_version_last_accessed = 1707400718
So far using the build v1.89.1 and setting my internal.cfg (C:\Users\*user*\.wakatime) seems to work:
[internal]
backoff_at =
backoff_retries = 0
cli_version = v1.89.1
cli_version_last_modified = Fri, 09 Feb 2024 14:41:09 GMT
cli_version_last_accessed = 1707489669
Checked the win builds with virustotal out of curiosity (arm, amd, 386). My version blocks them all, but in theirs only 386 gets flagged (with the same message)
Anyway will try to use the in-app option to submit sample for analysis following: https://help.eset.com/ees/7/en-US/idh_charon_file.html
I've tried to manually download the v1.89.1 as suggested, unzipped and placed the amd64.exe in C:\Users\*user*\.wakatime.
Now looks like ESET doesn't block it anymore.
Thank you @dimateos
I've sent the file to ESET for review as a false positive... will update here with any response or updates.
Fixed in #1031. If there's anyone still experiencing this let's move the conversation to that new issue.
Windows Defender found low priority threat inside wakatime-cli-windows-amd64.exe:
PUA:Win32/Caypnamer.A!ml
VirusTotal scan: https://www.virustotal.com/gui/file/8ceb440af0f15cd6637ad86e9825a1fd8e992a65df535a417a0cf6d8072e1a95
Environment: