As of today's definitions, both NHML 1.8.1.3 and xmr-stak-cpu are detected as a virus by Windows Defender: Trojan:Win32/Vagger!rfn
I made an exception to ignore that directory, BUT we still need to understand why this is happening.
Same problem here. Halted mining until proper feedback is given...
Microsoft Edge promptly deletes the NHML zip file after download.
I got the same problem.
It's not only Windows Defender, though.
Switching back to Pre-2 for now.
EDIT: Never mind, Pre-2 is also marked now...
The previous stable version seems not to trigger anything.
EDIT2: It's kind of confusing and positive at the same time that the workers didn't stop working. You wouldn't see their personal statistics online anymore, though, and the algo didn't switch anymore, since the "mother task" was deleted.
we still need to understand why this is happening
Mining software can be installed easily on a compromised PC without the knowledge and consent of the user, and it can cause hardware damage or financial losses, let alone leaving the equipment noisy & unusable, while all at the same time making huge profit for some anonymous @$$Ho1€ sitting halfway across the globe. This is the very definition of malware.
NiceHash Miner has an operational pattern that is objectively indistinguishable from such malware: a small piece of software runs locally, then starts to talk to a remote server, downloads several other pieces of software that proceed to drive CPU/GPU load to the maximum.
AV software vendors and browser developers can't judge intent. They can only allow or block abusive behavior, and this is what they do. Because part-time miners like most NiceHash Miner users represent probably 0.5-1.0% of all current PC users, AV software and browser devs are unlikely to change this behavior.
Why NiceHash Miner is different from malware is a question which everybody of average computer literacy can easily answer for themselves. The software is well documented and regularly maintained. Source code is readily available, and anybody can build it from source (of course, excluding the couple of 3rd party miners that have not made their code public). Plus, it pays daily or weekly according to a well known schedule and at rates that are determined officially and transparently via the marketplace.
TL;DR version: Deal with it.
s/Mining Software/Web browsers
s/NiceHash Miner/Chrome
Web browsers can be installed easily on a compromised PC without the knowledge and consent of the user, and it can cause hardware damage or financial losses, let alone leaving the equipment noisy & unusable, while all at the same time making huge profit for some anonymous @$$Ho1€ sitting halfway across the globe. This is the very definition of malware.
Chrome has an operational pattern that is objectively indistinguishable from such malware: a small piece of software runs locally, then starts to talk to a remote server, downloads several other pieces of software that proceed to drive CPU/GPU load to the maximum.
AV software vendors and browser developers can't judge intent. They can only allow or block abusive behavior, and this is what they do. Because part-time miners like most Chrome users represent probably 0.5-1.0% of all current PC users, AV software and browser devs are unlikely to change this behavior.
Why Chrome is different from malware is a question which everybody of average computer literacy can easily answer for themselves. The software is well documented and regularly maintained. Source code is readily available, and anybody can build it from source (of course, excluding the couple of 3rd party miners that have not made their code public). Plus, it pays daily or weekly according to a well known schedule and at rates that are determined officially and transparently via the marketplace.
TL;DR version: Invalid argument.
TL;DR version: Deal with it.
But there has to be a reason why 1.8.1.3 triggers Windows Defender and 1.8.1.2 doesn't. And also why VirusTotal is triggered very hard by 1.8.1.3 while 1.8.1.2 doesn't.
What is it?
What is it?
I really have no idea. But various pieces of AV/antimalware software (Bitdefender, Malwarebytes...) have been blocking NHML for months. You can go back to tickets from the first weeks of this project and you will read about people complaining their mining binaries are gone after unzipping. It was only a matter of time for Windows Defender to catch up.
I also hope this is a false positive - just concerning that according to VirusTotal it is being marked by numerous AV vendors. Oddly I cannot find anything on threatminer.org.
Since Windows Defender is a strict part of the current Windows (AFAIK), maybe it would be great to at least circumvent Windows Defender triggers at least =(.
Windows Defender submissions for false positives are at https://www.microsoft.com/en-us/wdsi/filesubmission. I figure it would be best if one of the core developers can submit this instead of making an anonymous submission?
I figure it would be best if one of the core developers can submit this instead of making an anonymous submission?
@DillonN Could you do that? I guess it would weigh more than a bunch of us submitting anonymously as users.
Analysis on my submission to Microsoft was completed and as of definitions 1.253.30.0 NHML 1.8.1.3 is no longer detected as a virus. The analysis for xmr-stak-cpu is not completed so I cannot say if it is solved for that too.
EDIT: xmr-stak-cpu is still marked as a virus.
EDIT2: Analysis on xmr-stak-cpu is completed (definitions 1.253.31.0) and concluded it contains the Trojan:Win32/Vagger!rfn. Probably still a false positive.
NHM server not connecting with either 1.8.1 or 1.8.1.3
1.8.1.3 is still down for me. If I use 1.8.1 it connects, but hash is not being accepted; rate/per day is at 0.00.
@mcsjohn So is NHML 1.8.1.3 safe to use now if you're only running GPUs?
It is as @drkskwlkr says, NHML "looks" like a Trojan since it downloads files that are associated with viruses (the miner programs). I can submit reports to Microsoft for each version, but when an update comes out it is likely it too will get flagged. Also this would only apply to those who use Windows Defender as their AV.
This will be an issue as long as NHML automatically downloads miner files that are included in Trojans. If you are very worried, you can compile NHML yourself or use NHM2, which is made with the effort to not get flagged by AV. Since issues like this get posted daily, I will leave this open as a reference for now and redirect all new issues here. I will also make a proper explanation on the Wiki and make sure it is linked on releases for visibility.
Also, thank you @mcsjohn for the submission to MS!
As of definitions 1.253.74.0 also xmr-stak-cpu is flagged as Clean.
@Braintelligence it was always safe to run both NHML 1.8.1.3 and xmr-stak-cpu, it was just a false positive in the detection.
@mcsjohn Perfect. I'll wait a few days for my rigs to catch up and then update again.
Thanks for your support everyone.
That's good news and I can 100% confirm this. Big thanks @mcsjohn for the hustle and submission with/to MS. Great job!
@mcsjohn Thanks a lot for the submission. Seems all is back to normal - not getting a block/remove with Edge and with Defender.