Ddev: Windows defender alerts on ddev: Trojan:Win32/Ludicrouz.Z

Created on 12 Aug 2019  ·  9 Comments  ·  Source: drud/ddev

I had tried upgrading DDEV to the latest version and now Windows Defender is detecting it as a trojan:

Trojan:Win32/Ludicrouz.Z
Description

I initially had it installed through chocolatey. I uninstalled it, restarted, and reinstalled it through chocolatey, and it still came up with the same error. I had also downloaded the .exe file from your repo and still got the same error.

Currently Windows has the ddev.exe file quarantined.

All 9 comments

Hi @billdaff - Thanks for the report. I'm unable to recreate it on Windows 10 Pro at this time. I carefully checked for updates first, then installed ddev using the ddev_windows_installer v1.10.2, then used ddev.

If you can remember or can recreate this, could you please report

  • What actions you took that led to quarantine
  • What does "which ddev" or "where ddev" say
  • Is it complaining about the installer or about ddev.exe?
  • Are you on Windows 10 Pro or Home? What version and OS build? I'm on 1903/18362.239.

You should be able to tell Windows Defender that ddev is not a trojan easily enough and get it out of quarantine.

Looking forward to your response, and thanks for the report.

Oh, please provide the "Security intelligence version" given by Windows Defender when you update as well; mine is 1.299.1823.0

Update: Although not able to recreate on my own machine, I did get this alert on one of our testbots (testbot-dell-win10pro-2). I imagine we'll have to submit a false-positive report to Microsoft. You can do that also, although I'll have to learn the technique.

So far I've been unable to recreate this with updated "security intelligence versions". I am suspecting that the windows defender descriptions had a short-term mess-up with regard to golang binaries.

Microsoft says they have removed the detection, https://www.microsoft.com/en-us/wdsi/submission/61db6317-42dc-4f17-b8e1-45784baa6ddd

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions
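The following PowerShell script is an added example, not code from the ddev project, the reporter, or Microsoft's reply. It collects the details the maintainer asked for earlier in the thread (ddev location, OS version and build, the "Security intelligence version", and any Defender detection logged against ddev.exe), then performs the three MpCmdRun steps from Microsoft's reply and restores whatever Defender quarantined under the threat name reported here. It assumes Defender is installed at its default path under Program Files, that the threat name is exactly the one in the issue title, and that it is run from an elevated PowerShell session; the Defender cmdlets (Get-MpComputerStatus, Get-MpThreatDetection) ship with Windows 10.

```powershell
# Added example (not ddev's code): gather the report details, clear the cached
# detection, refresh signatures, and restore the quarantined ddev.exe.
# Run as Administrator. Assumptions: default Defender install path, and the
# threat name as reported on this page.

$ThreatName = 'Trojan:Win32/Ludicrouz.Z'
$MpCmdRun   = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DdevDefenderReport {
    # What the maintainer asked for: where ddev lives, OS version/build,
    # the signature ("security intelligence") version, and any detection
    # whose resources mention ddev.
    $os     = Get-CimInstance Win32_OperatingSystem
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        DdevPath         = (Get-Command ddev -ErrorAction SilentlyContinue).Source  # same answer as "where ddev"
        OsVersion        = $os.Version
        OsBuild          = $os.BuildNumber
        SignatureVersion = $status.AntivirusSignatureVersion        # shown in the UI as "Security intelligence version"
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        DdevDetections   = @(Get-MpThreatDetection |
                             Where-Object { $_.Resources -match 'ddev' } |
                             Select-Object ThreatID, InitialDetectionTime, Resources)
    }
}

function Clear-CachedDetection {
    # Steps 1-3 from Microsoft's reply, with a check that each step succeeded
    # and that the signature version actually moved.
    $before = (Get-MpComputerStatus).AntivirusSignatureVersion
    & $MpCmdRun -RemoveDefinitions -DynamicSignatures
    if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }
    & $MpCmdRun -SignatureUpdate
    if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed with exit code $LASTEXITCODE" }
    $after = (Get-MpComputerStatus).AntivirusSignatureVersion
    Write-Host "Signature version: $before -> $after"
}

function Restore-QuarantinedDdev {
    # Show what is sitting in quarantine, then restore every item that was
    # quarantined under this threat name.
    & $MpCmdRun -Restore -ListAll
    & $MpCmdRun -Restore -Name $ThreatName -All
}

Get-DdevDefenderReport | Format-List
Clear-CachedDetection
# Restore only after the fresh definitions are in place: if the updated
# signature set still flags the binary, treat that as a real finding and
# submit the sample to Microsoft rather than restoring it.
Restore-QuarantinedDdev
```

Running the report function first and pasting its output into the issue gives the maintainer everything requested in one go; the restore step is deliberately last so the file is only released from quarantine once the corrected definitions are active.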

Thanks so much. I was able to temporarily get around it by using chocolatey to install the version I was previously on (1.9.1). However, it looks like you were able to get Microsoft to address it. I will try upgrading again once my work pushes the latest updates for Windows. Thanks again.

Thanks for the report. I think we'll leave this open a little longer to see if it hits anybody else.

No other reports so closing.
