Closed BrettRow closed 7 years ago
Same issue here (removed all personal info):
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items: containerfile:D:\XXXXXX\authentic-theme-18.49.wbt file:D:\XXXXXXX\authentic-theme-18.49.wbt->authentic-theme/unauthenticated/js/codemirror/mode/groovy/groovy.js file:D:\XXXXXXXXXXX\authentic-theme-18.49.wbt->authentic-theme/unauthenticated/js/jquery.datatables.plugins.min.js
Hi,
It is simple to make sure that this is a nasty Microsoft bug.
I was very surprised yesterday to figure this out. What I did was download the latest release file to my Fedora Linux computer from GitHub. Then I uploaded this file to my server and let Windows download it.
Guess what? It's no longer a virus. 😮 Files are identical. When downloaded directly from GitHub - it's a virus, when downloaded from my server - it's not a virus.
You can test it yourself: link
I reported this problem to GitHub staff as well.
Used your link and all went fine. Thanks for the link.
You are welcome.
Please take heed that literally Microsoft Windows itself is malware. I truly recommend searching for Richard Stallman (an American software freedom activist and programmer) and getting acquainted with his philosophy. After listening to his interview on YouTube, I stopped using Windows and switched to GNU/Linux.
Did the test with your link, same problem, Defender finds it as a virus, pointing to JavaScripts containing the virus:
/js/codemirror/mode/groovy/groovy.js
/js/jquery.datatables.plugins.min.js
Our business involves developing software that runs on Windows - what pays my salary is what I use.
I respect this, guys. I'm just sharing my ideas, as I think, ultimately, freedom is more important than income. Even more, they shouldn't be mutually exclusive. The change can be slow but it should take place, in my humble opinion.
@mrveiss It's not true. Please have a look at my video-screencast that proves my previous statements.
Have a look at jquery.datatables.plugins.min.js, it's harmless:
```javascript
$.fn.dataTableExt.aTypes.unshift(function(a) {
    if (/^\d{1,3}[\.]\d{1,3}[\.]\d{1,3}[\.]\d{1,3}$/.test(a)) {
        return "ip-address"
    }
    return null
});
$.fn.dataTable.ext.type.detect.unshift(function(a) {
    if (/((\d+(\s+)|\d+\.\d+(\s+)))(TB|GB|MB|KB|Byte|Bytes|ТБ|ГБ|МБ|КБ|Байт)|(Unlimited|Ubegrenset|Nielimitowane|Ilimitado|无限制|Не ограничено|No Limit|Same as admin|None)/i.test(a)) {
        return "file-size"
    }
    return null
});
$.fn.extend(jQuery.fn.dataTableExt.oSort, {
    "file-size-pre": function(b) {
        z = b.match(/<[^>]*>([\s\S]*?)<.*>/);
        z && z[1] ? (y = z[1]) : (y = b);
        x = y.match(/(\+|-)?((\d+(\.\d+)?)|(\.\d+))/);
        x && (x = x[0]);
        if (b.match(/Byte/i) || b.match(/Bytes/i) || b.match(/Байт/i)) {
            x = (x * 1)
        } else {
            if (b.match(/kB/i) || b.match(/КБ/i)) {
                x = (x * 1024)
            } else {
                if (b.match(/MB/i) || b.match(/МБ/i)) {
                    x = (x * 1024 * 1024)
                } else {
                    if (b.match(/GB/i) || b.match(/ГБ/i)) {
                        x = (x * 1024 * 1024 * 1024)
                    } else {
                        if (b.match(/TB/i) || b.match(/ТБ/i)) {
                            x = (x * 1024 * 1024 * 1024 * 1024)
                        } else {
                            x = 1
                        }
                    }
                }
            }
        }
        return x
    },
    "file-size-asc": function(d, c) {
        return ((d < c) ? -1 : ((d > c) ? 1 : 0))
    },
    "file-size-desc": function(d, c) {
        return ((d < c) ? 1 : ((d > c) ? -1 : 0))
    }
});
```
The same about /codemirror/mode/groovy/groovy.js.
I would remove groovy.js if it helped to fix the problem but I'm afraid it's not the cause.
@mrveiss I removed those files from test package - same complaint in Windows.
I wonder what it is now? Do you have what it reports now? :smile:
guys, why do you use "Windows defender" ? 😄 please download Comodo...or something like that. It also has a really useful sandbox... then when you just download a file, it does nothing...no file in the world has the "power" to execute itself (the 1st time) 😆 You need to do it. So, before executing... scan the file with Comodo or other...
I submitted this as a false positive to Microsoft, we'll see how fast they'll react, if they react at all.
All clear. Without those files no AV triggers.
@mrveiss That's odd, it triggers an alert for me anyway.
Maybe Microsoft already reacted?
Trend Micro returned all clear, Defender still triggers.
The following error occurred: Error code 0x80508023. The program could not find the malware and other potentially unwanted software on this computer.
Category: Trojan
Description: This program is dangerous and executes commands from an attacker.
Recommended action: Remove this software immediately.
Items: containerfile:C:\Users\Administrator\Downloads\authentic-theme-18.49-5_not-for-use-2.wbt.gz file:C:\Users\Administrator\Downloads\authentic-theme-18.49-5_not-for-use-2.wbt.gz->(GZip)->authentic-theme/unauthenticated/js/codemirror/mode/ecl/ecl.js file:C:\Users\Administrator\Downloads\authentic-theme-18.49-5_not-for-use-2.wbt.gz->(GZip)->authentic-theme/unauthenticated/js/jquery.datatables.plugins.min.js webfile:C:\Users\Administrator\Downloads\authentic-theme-18.49-5_not-for-use-2.wbt.gz|https://github-production-release-asset-2e65be.s3.amazonaws.com/24320606/785f7ccc-3fc0-11e7-8ffa-60b9d5108d6c?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20170523%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170523T142458Z&X-Amz-Expires=300&X-Amz-Signature=1b360d07383397e55c559ddf2ccc4cb85348cfdffa083667cb50ee2a11a03b62&X-Amz-SignedHeaders=host&actor_id=10219184&response-content-disposition=attachment%3B%20filename%3Dauthentic-theme-18.49-5_not-for-use-2.wbt.gz&response-content-type=application%2Foctet-stream|chrome.exe
Get more information about this item online.
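A small parser for the "Items:" lines in the two Defender reports quoted in this thread, added here as an example; it is not part of the thread and not Microsoft tooling. It assumes the resource layout visible in those reports (containerfile:, file:archive->member, webfile:path|URL|process), lists which archive members both reports name, and keeps only the host of the download URL.

```python
import re
from urllib.parse import urlsplit

# A resource starts with one of the kinds seen in the reports in this thread.
_KIND = re.compile(r"(?:^|\s)(containerfile|file|webfile):")

def parse_items(line):
    """Split a Defender 'Items:' line into one dict per resource."""
    text = line.strip()
    if text.lower().startswith("items:"):
        text = text[len("items:"):]
    parts = _KIND.split(text)  # ['', kind, body, kind, body, ...]
    out = []
    for kind, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        res = {"kind": kind, "path": body, "inner": None,
               "origin_host": None, "process": None}
        if kind == "file" and "->" in body:
            chain = body.split("->")  # archive -> (GZip) -> member
            res["path"], res["inner"] = chain[0], chain[-1]
        elif kind == "webfile":
            fields = body.split("|")  # local path | URL | process
            res["path"] = fields[0]
            if len(fields) > 1:
                # Keep only the host: a signed URL's query string should
                # not be pasted into a public issue.
                res["origin_host"] = urlsplit(fields[1]).hostname
            if len(fields) > 2:
                res["process"] = fields[2]
        out.append(res)
    return out

def flagged_members(line):
    """Archive members named in one report."""
    return {r["inner"] for r in parse_items(line) if r["inner"]}

# Abridged from the two reports in this thread; the URL path and query
# string are constructed placeholders.
_T = "authentic-theme/unauthenticated/js/"
REPORT_A = (r"Items: containerfile:D:\XXXXXX\authentic-theme-18.49.wbt "
            r"file:D:\XXXXXX\authentic-theme-18.49.wbt->" + _T + "codemirror/mode/groovy/groovy.js "
            r"file:D:\XXXXXX\authentic-theme-18.49.wbt->" + _T + "jquery.datatables.plugins.min.js")
REPORT_B = (r"Items: containerfile:C:\Users\Administrator\Downloads\t.wbt.gz "
            r"file:C:\Users\Administrator\Downloads\t.wbt.gz->(GZip)->" + _T + "codemirror/mode/ecl/ecl.js "
            r"file:C:\Users\Administrator\Downloads\t.wbt.gz->(GZip)->" + _T + "jquery.datatables.plugins.min.js "
            r"webfile:C:\Users\Administrator\Downloads\t.wbt.gz|https://github-production-release-asset-2e65be"
            r".s3.amazonaws.com/PLACEHOLDER?X-Amz-Signature=PLACEHOLDER|chrome.exe")

if __name__ == "__main__":
    print("named in both reports:", flagged_members(REPORT_A) & flagged_members(REPORT_B))
    print("download origin:", [r["origin_host"] for r in parse_items(REPORT_B) if r["origin_host"]])
```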
"The program could not find the malware..." ? and then "Category: Trojan" ? 😆 how's that possible? Microsoft mysteries... or did you report it as is?
Take a look what preposterous things Defender does.
If I download the same, identical file (authentic-theme-18.49-4.wbt.gz) from other location and then check it, either just as is or unpacking first, Defender returns nothing.
I'm done with this issue. There is nothing to fix on my side.
Funny example:
Reply from GitHub staff:
Hi again, I just wanted to let you know that we submitted this to Microsoft but that we can't promise if or when they will change their behavior. Regards, Laura
I don't use Windows. My users reported it. I loaded Windows in my virtual machine. Went to my GitHub page, releases. Downloaded file. The downloaded file was recognized as a virus. Next - went back to Linux, my GitHub page, Releases, downloaded the file, uploaded it to my server, downloaded in Windows again. File is clear - no virus warning. Conclusion: Windows 10 Defender says file has a virus only when downloaded from GitHub directly. Files are identical. Just ask someone to download mentioned files in Windows with Defender enabled to see the craziness in action. It's connected via amazonaws when downloading in Windows, don't know, maybe it's that. I think you should be concerned! ;) Looking forward to your reply, Ilia
I would like to know the Defender developer team... we need to protect them (from themselves) 😆
I must say that this back and forth is comical. I am a computer system engineer for a company that supports windows mostly. My wife and I, however, use all GNU and FOSS for ourselves. Windows is nothing more than job security, I spend as much of my day as possible working in a linux environment.
I'm very surprised. Microsoft has fixed an issue?
I'm no longer seeing Defender's message.
Alright, great.
no no no, Authentic is a virus... I can confirm, made so well that is contagious 😄 😆
@7starsone Thanks 😁
we are not alone :-) https://www.google.de/search?q=windows+detect+virus+github+download
Trying to download authentic-theme-18.49-4.wbt.gz fails on Microsoft Edge as SmartFilter blocks the download. Download succeeds on Chrome but Windows Defender claims presence of Trojan:Win32/Spursint.F!cl and Chrome deletes download.