Paket: Windows Defender thinks paket 5.151.3 is a trojan

Created on 15 Mar 2018  路  17Comments  路  Source: fsprojects/Paket

Description

I started having issues fetching paket.exe through paket.bootstrapper.exe.
When the bootstrapper tries to fetch paket.exe, windows defender removes the file, and claims that the file contains the trojan "Win32/Critet.BS".

image

Repro steps

Please provide the steps required to reproduce the problem

  1. Step A
    Run bootstrapper on a machine with Windows Defender.

If possible then please create a git repository with a repro sample or attach a zip to the issue.

Expected behavior

No virus alert - paket.exe is downloaded.

Actual behavior

Virus alert - paket.exe is deleted

Known workarounds

Run paket.bootstrapper.exe 5.151.2

Most helpful comment

lol. So if I'd ever develop a real virus, then all I need to do is adding a comment somewhere to change the hash of the exe!? WTF!

All 17 comments

Got exactly the same behaviour just now.

Other people have started seeing this issue: https://forum.kerbalspaceprogram.com/index.php?/topic/172357-trojanwin32critetbs/

Probably need to contact the vendor and tell them it's a false positive. They're probably using some strings search or a yara rule to match on some bytes that some malware uses but clearly it's too broad of a match.

Same happened here

so the "fun" thing is: even I can't download it. I mean that file was created on my machine and defender didn't complain. Now it's complaing on the download.

Anyway: I uploaded the latest alpha to virustotal and they say it's clean
https://www.virustotal.com/de/file/261d82cfe4a7b4f2fbc800f298fa8caf310031a548e146dedb8ee9e2643ff126/analysis/

can someone please test with latest alpha? is that one flagged as well?

@forki confirming that latest alpha has no issues for me

same for me latest alpha works fine

wtf!?

I will now push a zero diff release on top of 5.151.3 because the alpha is not ready. hopefully that's enough

I downloaded 5.152.0-alpha002 paket.exe and copied in place - windows was happy with that - before I was seeing the error above from defender

ok 5.151.4 is released. can someone please check?

Works 馃憤

lol. So if I'd ever develop a real virus, then all I need to do is adding a comment somewhere to change the hash of the exe!? WTF!

maybe we just had a hash conflict :)

If someone knows someone from defender team - it would be nice if they coulde look into this.

Had some contacts get in touch. This was their response.

found the signature author, will let you know.
PS you don't need to know somebody https://www.microsoft.com/en-us/wdsi/filesubmission
those are monitored 24/7
should be good now

Was this page helpful?
0 / 5 - 0 ratings