zaproxy / zaproxy

The ZAP core project
https://www.zaproxy.org
Apache License 2.0
12.21k stars 2.21k forks

ZAP 2.15.0 installer (Windows x64) detected as malicious by Microsoft Defender Antivirus #8491

Closed ksast closed 1 month ago

ksast commented 1 month ago

Describe the bug

I tried to download the latest installer 2.15.0 via winget using the following command, but it triggered an alert coming from Microsoft Defender Antivirus:

"winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log

The alert is named "'Packunwan' unwanted software was prevented". Maybe the 2.15.0 package of ZAP is malicious.

The same alert is triggered when downloading directly from the ZAP website: https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2_15_0_windows.exe

File hash (sha256): 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57

This could be a potential supply chain attack where a malicious file is distributed via a public package manager (i.e. winget).

Steps to reproduce the behavior

Try to execute the command from the description on a client that is protected by Microsoft Defender Antivirus.

Expected behavior

Download and install a safe package.

Software versions

2.15.0

Screenshots

No response

Errors from the zap.log file

N/A

Additional context

Please also see https://github.com/microsoft/winget-pkgs/issues/153873

Would you like to help fix this issue?

psiinon commented 1 month ago

We do think this is very likely to be a false positive, but we are doing due diligence.

For reference we did submit the Windows installer to VirusTotal: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57?nocache=1

As you will see, 3 services flagged it, but not Windows Defender.

It is worth noting that virus scanners are very flaky, and ZAP is a security tool which by nature "does bad things".
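An added example (not ZAP project code and not from any commenter) that does the due-diligence check the comment above describes: hash the downloaded installer, compare it with the SHA-256 posted in the issue, and, if a VirusTotal API key is supplied (assumed to be available), summarise which engines flag that hash via the VirusTotal v3 files endpoint.

```python
"""Verify a downloaded ZAP installer against the SHA-256 posted in this issue
and summarise its VirusTotal verdict. Added example, not ZAP project code."""
import hashlib
import json
import urllib.request

# SHA-256 of ZAP_2_15_0_windows.exe as reported in the issue above.
EXPECTED_SHA256 = "28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57"
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def fetch_vt_report(sha256, api_key):
    """Fetch the existing VirusTotal analysis for a hash (API key assumed)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_vt_report(report):
    """Reduce a /files/{hash} response to counts plus the engines that flagged it.

    PUA-style hits (like Defender's 'Packunwan' in this thread) usually land in
    the 'suspicious' bucket or carry a PUA/Unwanted label, not 'malicious'."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = {engine: res.get("result") for engine, res in results.items()
               if res.get("category") in ("malicious", "suspicious")}
    return {"malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "undetected": stats.get("undetected", 0),
            "flagged_by": flagged}

def check_installer(path, expected=EXPECTED_SHA256, api_key=None):
    """Hash first; only consult VirusTotal once the bytes match the published hash."""
    actual = sha256_file(path)
    result = {"sha256": actual, "hash_matches": actual == expected.lower()}
    if api_key and result["hash_matches"]:
        result["virustotal"] = summarize_vt_report(fetch_vt_report(actual, api_key))
    return result
```

The hash comparison needs no network access; the VirusTotal lookup is only attempted when a key is passed and the hash matches.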

psiinon commented 1 month ago

It's worth noting that the alert is "'Packunwan' unwanted software was detected" (New, Detected, Informational). So it's just potentially additional software; it is not complaining about anything malicious. ZAP is a complex tool that has many components. It is not surprising that a virus scanner would detect "potentially unwanted software".

psiinon commented 1 month ago

Submitted directly to Windows Defender online:

[Screenshot, 2024-05-16: Submission details (eaa15095-3db8-49f9-ad79-d00f3b3d1f40) - Microsoft Security Intelligence]

psiinon commented 1 month ago

ZAP is a security tool. It “does bad things”. We know that virus scanners regularly flag the active scan rule add-ons, which is not surprising as they perform attacks. The Microsoft Defender alert just says that the ZAP exe is potentially “unwanted software” - it is not claiming that the exe is malicious. Virus scanners are notoriously unreliable, especially when it comes to security tools. We have double checked the exe and the files it creates and have seen no evidence of anything malicious. If anyone can provide us with any more specific evidence of malicious code then we will of course investigate further. Or if anyone has any suitable contacts at Microsoft we’d love to talk to them.

benmcgarry commented 1 month ago

I just had a poke around at this, and it appears in the build there is a file called "ascanrules-release-66.zap". It looks like this file might be causing the detection as it is flagged by Defender for https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FBitrep.B. This does look to be an FP.

https://www.virustotal.com/gui/file/6c63ac358a5a183a757cb63ac13040e58eb3087aa9ca25bf40a02fab83f3736f

psiinon commented 1 month ago

"ascanrules-release-66.zap" is the active scan rules add-on: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ - these are the rules which attack web apps. So it's really not surprising that it gets flagged by AV tools 😁

ksast commented 1 month ago

It's worth mentioning that the detection does not apply to version 2.14.0.

kingthorin commented 1 month ago

We did encounter similar things when 2.14 was first released, though to a lesser extent. In the meantime both AV solutions and ZAP have changed/evolved.

psiinon commented 1 month ago

For reference: https://www.zaproxy.org/faq/why-does-my-antivirus-tool-flag-zap/

benmcgarry commented 1 month ago

I've sent this to some contacts at MSFT so hopefully it can get routed to the right people.

kingthorin commented 1 month ago

Thanks @BenMcGarry

benmcgarry commented 1 month ago

It appears SmartScreen is now flagging on it: [screenshot]

psiinon commented 1 month ago

@BenMcGarry isn't that just saying that ZAP is from an unknown publisher, rather than that it's failed an AV check? This is expected as we are not yet signing the installer.

benmcgarry commented 1 month ago

I don't get that prompt on the 2.14 release, which I'd assume would also trigger? Did any of the build process change for 2.15?

psiinon commented 1 month ago

Not radically, but there are bound to have been some changes.

kingthorin commented 1 month ago

2.14 might be "popular" enough that SmartScreen ignores it.

benmcgarry commented 1 month ago

It appears the detection has now been removed for this on latest definition versions. It no longer alerts as a PUA. @ksast does it still happen for you?