Windows Defender understands the zip as malware #145
Comments
Is it time to put a note in the readme or releases so people can stop opening these (non-)issues?

Is that really not an issue? Version 1.23 cannot be used on Windows 11 as the zip file is blocked straight after downloading.
@Megaemce I wish it weren't an issue, but it is out of our hands. There is nothing actionable here. As for the zip file getting blocked, there is a slightly convoluted process you can use to get windows defender to stop deleting it. Go on the page for the "threat" itself, and click "actions -> allow". If you have suggestions for how to get Microsoft to stop false flagging w64devkit, I'd love to hear them. AFAIK, it is impossible.

This is an old screenshot from a different obnoxious run-in with windows defender, and it's on windows 10. But I doubt Windows 11 differs by that much here.
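As an added example (not from this thread or the w64devkit project): before clicking "allow", a PowerShell check that shows what Defender actually detected for the file and compares the download's SHA-256 against an expected value. The download path is an assumption, and the expected hash is taken from the VirusTotal link posted later in this thread; replace it with a hash you trust for the exact file you downloaded. Querying Defender's detection history normally needs an elevated prompt.

```powershell
# Added example: inspect what Defender flagged and verify the download's hash
# before deciding whether to allow it. Uses the built-in Defender module.

# Assumption: where the release zip was saved. Adjust to your download path.
$zipPath = Join-Path $env:USERPROFILE 'Downloads\w64devkit.zip'

# Assumption: SHA-256 copied from the VirusTotal link in this thread.
# Replace with the hash you obtained out of band for the file you downloaded.
$expectedSha256 = 'dce1d71a3629e060e8f84ae7fff7334753eda2f9ced4c5ebc7327b169a5b5359'

# 1. List Defender detections whose resource list mentions the file name,
#    joined with the threat catalogue so the threat name is human-readable.
$threats = Get-MpThreat | Group-Object ThreatID -AsHashTable -AsString
$leaf = [regex]::Escape((Split-Path $zipPath -Leaf))
Get-MpThreatDetection |
    Where-Object { $_.Resources -match $leaf } |
    ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threats["$($_.ThreatID)"].ThreatName
            Resources  = ($_.Resources -join '; ')
            Cleaned    = $_.ActionSuccess
        }
    } | Format-List

# 2. If the file is still on disk, compare its hash with the expected value.
if (Test-Path $zipPath) {
    $actual = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash.ToLower()
    if ($actual -eq $expectedSha256.ToLower()) {
        Write-Output "SHA-256 matches the expected value: $actual"
    } else {
        Write-Warning "SHA-256 mismatch: got $actual, expected $expectedSha256"
    }
} else {
    Write-Warning "$zipPath not found; Defender may have quarantined or deleted it."
}
```

A mismatch means the file on disk is not the one you meant to inspect and should not be allowed regardless of whether the detection is a false positive.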
Thx for the input. Do you have any idea why version 1.22 then causes no windows defender alert?
Unfortunately I don't have time to investigate right now but here's what VT reports: https://www.virustotal.com/gui/file/dce1d71a3629e060e8f84ae7fff7334753eda2f9ced4c5ebc7327b169a5b5359/behavior

IP traffic:

TLS:

I find it very strange that a supposedly portable compiler app makes TCP calls. If someone can investigate/explain, that would be great. It also seems to drop files in the folder: What does this portable app have to do with the google updater? It also does other things but I'm no expert in reversing windows binaries. I don't make accusations, I just am curious. In the end I personally got visual studio back since I don't trust this repo yet. Windows defender removed the executable anyway and flagged some part of it as a worm. I didn't feel like it was worth the risk to whitelist it even tho it could be a false positive.
@0xRemyRuiz I don't know, but w64devkit.exe itself makes NO tcp calls, at all. Its source is small, you can manually review it yourself. I don't know what you're talking about, but it sure isn't w64devkit that does that...
The listings on Virus Total "Behavior" tab are bogus and have been for years. It's measuring the sandbox's own traffic and behavior. Note how the first address in the IP list is marked as a sandbox IP address, and the TLS listing is the cloud service hosting the sandbox. You can verify all this yourself: Update a trusted binary that you're sure does not make network connections, and you'll see similar traffic on the same subnets. For example, here's the official Vim x64 release straight from vim.org: https://www.virustotal.com/gui/file/daf645c53a3a4e62743093c674d7530e3a741e8a758a63f63e88c00d6b467719/behavior

It also has the same "Google Updater" listings. The entire Behavior tab is contaminated like this, making it useless for analysis. I suspect nobody at Virus Total pays attention to this data, which is why they've never noticed that it's broken.
Wow, I just tried my own current exercise in C and... it's a virus too... xD

```c
#include <stdio.h>

/* Opens the file named by the first argument, if any, and exits. */
int main(int ac, char** av) {
    if (ac >= 2) fopen(av[1], "r");
    return 0;
}
```

And guess what, it is also a virus... Damn depressing... I suppose that those AVs detect every program that's "too basic" as a virus; if it doesn't have a certain degree of complexity and conformity, it flags it, probably just in case.
After I downloaded the zip from the releases page Microsoft Defender quarantined it with: Trojan:Win32/Vigorf.A