wez / wezterm

A GPU-accelerated cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust
https://wezfurlong.org/wezterm/

Windows Defender detected Trojan:Win32/Randet.A!plock in latest build #3980

Closed darkliquid closed 2 months ago

darkliquid commented 1 year ago

What Operating System(s) are you seeing this problem on?

Windows

Which Wayland compositor or X11 Window manager(s) are you using?

No response

WezTerm version

20230712-072601-f4abf8fd

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

No, and I'll explain why below

Describe the bug

Using the latest version from the scoop extras bucket, windows defender detects Trojan:Win32/Randet.A!plock and quarantines the file.

To Reproduce

simply try and install the latest wezterm with scoop on windows

Configuration

no config

Expected Behavior

no detected malware

Logs

[screenshot]

Anything else?

No response

wez commented 1 year ago

I can't reproduce any threats detected when I locally download these files and scan them with Windows Defender. This sounds like it may be an issue that is local to your system!

wez commented 1 year ago

Woah, spoke too soon; a threat suddenly popped up after extracting the zip and scanning it and claiming it was clear. Then the threat cleared itself again.

wez commented 1 year ago

I'm like 99% certain this has to be a false positive; the hash produced by CI verifies OK, so the only way this is legit is if GH CI is infected by a trojan from 2017, which seems unlikely. Now, the question is, how to flag this with Defender without telling people to do something unsafe with their security settings.

wez commented 1 year ago

I've submitted a false positive report to Defender; its id is 17a8f4d0-a7b6-43ac-9802-1dc82b985843. We'll see what they say about it.

wez commented 1 year ago

I got this response:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender

  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”

  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
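As an added example (not wezterm's code and not part of the issue), a PowerShell script that first confirms the downloaded artifact matches its published SHA256, mirroring the "hash produced by CI verifies OK" check above, and only then runs the three cache-clearing steps from Microsoft's response. The checksum value and file paths are placeholders; it assumes the release publishes a SHA256 for the zip.

```powershell
# Added example, not wezterm's own tooling: verify a release zip against its
# published SHA256 before treating a Defender hit as a false positive, then run
# the MpCmdRun steps quoted above. Checksum and paths are placeholders.

function Test-ReleaseArtifactHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path $Path)) { throw "Artifact not found: $Path" }
    # A zero-byte file (as in the downloads reported in this thread) is a
    # transport or quarantine problem, not something that can be verified.
    if ((Get-Item $Path).Length -eq 0) { throw "Artifact is empty: $Path" }
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return $actual -ieq $ExpectedSha256.Trim()
}

function Reset-DefenderDynamicSignatures {
    # Steps 1-3 from the Microsoft response; requires an elevated shell.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw "Run from an elevated PowerShell session"
    }
    $mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
    & $mpCmdRun -removedefinitions -dynamicsignatures
    & $mpCmdRun -SignatureUpdate
}

# Usage with placeholder values (assumed, not from the release page).
$zip      = "$env:USERPROFILE\Downloads\WezTerm-windows-20230712-072601-f4abf8fd.zip"
$expected = '<SHA256 published alongside the release>'
if (Test-ReleaseArtifactHash -Path $zip -ExpectedSha256 $expected) {
    Write-Host "Hash matches the published value; clearing cached detections"
    Reset-DefenderDynamicSignatures
} else {
    Write-Warning "Hash mismatch: leave the file quarantined and report it"
}
```

Only the hash check decides whether the clearing steps run; a mismatch means the file is not the artifact CI produced, whatever Defender says about it.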

julian7 commented 1 year ago

I'm not sure; maybe the scan result flagged both the mac and windows downloads. Both return zero bytes if I try to download WezTerm-macos-20230712-072601-f4abf8fd.zip or WezTerm-windows-20230712-072601-f4abf8fd.zip:

[screenshot]

github-actions[bot] commented 1 month ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.