Bekenn/wcdx

Windows Defender reports "Trojan:Win32/Cryptinject!ml" in patchmusic.exe and wcpatch.exe, VirusTotal sees multiple viruses in both .exe files.

PirateSteve opened this issue · 8 comments

When run through virustotal the file reported 16 infections in musicpatch.exe. Also, wcpatch.exe reports 9 infections. The dll file was clean. I have linked the virus reports below. This is version 2.2

musicpatch.exe
https://www.virustotal.com/gui/file/e4cbb203a0874529ce94185bb06ee86b7a802c5e2fe6ee28e7ea3790b44e3b4e/detection
wcpatch.exe
https://www.virustotal.com/gui/file/a923ba55476cf6b2194cb4d9afbb7d838c7c4f62ec65a2c657b292d3806c22ce/detection

Thanks for letting me know. I'll look into this, but I'm sure these are false positives. If you're concerned about these binaries, please feel free to download the source and build your own.

OK, I've done some investigating, and I remain convinced that these are false positives.

I was able to reproduce detections by rebuilding the executables using a fresh install of my development environment, including the compiler and the operating system. I was not able to reproduce the exact set of detections, as I have updated the compiler since building the executables in version 2.2, and the new compiler produces executables with fewer detections, but the sets are similar enough that I feel confident stating that these are false positives. After updating the development environment on my main machine to match what's on the fresh install, the two environments produced executables giving the same set of detections.

I'll see what I can do about submitting these files to Microsoft for further investigation, but I don't know how responsive they'll be given that this is a small project with a small audience; I'm sure they have bigger fish to fry.

Hmm... while I was able to produce detections on virustotal, Microsoft Defender is not showing any issues when I scan these files on my own machine. Maybe virustotal is running an older version? Do you see issues with updated security software running on your own machine?

I was notified by defender upon initial download, and delved further using virustotal. I suspect it has something to do with the patching method, and isn't malicious in nature.

Yeah, that's my thinking, too. It's just that I'm not seeing any notification on my end.

Just attempted the download again; it's showing an entirely different false positive now.
[image: Screenshot (49)]

Fantastic. I'll see what I can do...

I have this response from Microsoft regarding patchmusic.exe:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender 
2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

Can you verify that this resolves the issue on your machine?
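An added example (not part of the wcdx project or this thread) that ties the steps above together for anyone checking a download: it confirms the local binaries are the same artifacts the VirusTotal links refer to, applies the definition refresh from Microsoft's reply, rescans, and lists anything Defender still flags. The folder path is a placeholder; MpCmdRun.exe is assumed to be at its default location, and the file is assumed to be named as in the issue title (the report also spells it musicpatch.exe).

```powershell
#Requires -RunAsAdministrator
# Placeholder: folder containing the extracted wcdx 2.2 release.
$Dir = 'C:\path\to\wcdx-2.2'
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# SHA-256 values taken from the VirusTotal links posted in this issue.
$Expected = @{
    'patchmusic.exe' = 'e4cbb203a0874529ce94185bb06ee86b7a802c5e2fe6ee28e7ea3790b44e3b4e'
    'wcpatch.exe'    = 'a923ba55476cf6b2194cb4d9afbb7d838c7c4f62ec65a2c657b292d3806c22ce'
}

# 1. Make sure the files on disk are the ones that were analysed. A mismatch means
#    a different build (or an altered download), so the VirusTotal verdicts,
#    and Microsoft's removal of the detection, do not apply to it.
foreach ($name in $Expected.Keys) {
    $path = Join-Path $Dir $name
    if (-not (Test-Path $path)) { Write-Warning "$name not found in $Dir"; continue }
    $actual = (Get-FileHash -Path $path -Algorithm SHA256).Hash.ToLower()
    $state  = if ($actual -eq $Expected[$name]) { 'matches' } else { 'DIFFERS from' }
    Write-Host ("{0}: {1} the hash submitted to VirusTotal" -f $name, $state)
}

# 2. Record the signature version so the refresh can be confirmed afterwards.
$before = (Get-MpComputerStatus).AntivirusSignatureVersion

# 3. The two commands from Microsoft's reply: drop cached dynamic signatures,
#    then pull the latest definitions.
& $MpCmdRun -removedefinitions -dynamicsignatures
& $MpCmdRun -SignatureUpdate

$after = (Get-MpComputerStatus).AntivirusSignatureVersion
Write-Host "Signature version: $before -> $after"

# 4. Rescan the binaries with the fresh definitions (ScanType 3 = single file).
foreach ($name in $Expected.Keys) {
    $path = Join-Path $Dir $name
    if (Test-Path $path) { & $MpCmdRun -Scan -ScanType 3 -File $path }
}

# 5. Anything still flagged under this folder is listed with its threat id.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Dir) } |
    Select-Object InitialDetectionTime, ThreatID, Resources
```

If step 1 reports a hash mismatch, stop and compare against a fresh copy of the release before drawing any conclusion from the scan results.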