Windows Defender detecting Trojan virus
WhiteBirchArmory opened this issue · 6 comments
I downloaded the DVR-Scan v1.1 Windows 64-bit Installer, completed installation, then tried running dvr-scan.exe. Windows Defender detected a trojan virus, quarantined, and removed the file:
Detected: Trojan:Win32/Zpevdo.B
Status: Quarantined
Details: This program is dangerous and executes commands from an attacker.
Affected Items:
file: C:\Program Files\Brandon Castellano\DVR-Scan\dvr-scan.exe
Hey @WhiteBirchArmory,
Could you let me know if you get the same issue when you extract the portable version?
For transparency, I used PyInstaller to generate the .exe, which seems to be a known issue unfortunately. I had this happen originally when I generated the .exe using PyInstaller 4.2 (Windows Defender would pop up every time I generated the .exe). I then downgraded to PyInstaller 4.1 and the issue went away, so that's what I used for DVR-Scan v1.1.
Edit: Hmm, VirusTotal also reports some detections as well. I'll see if following these instructions to recompile the PyInstaller bootloader myself will fix the issue. Sorry about that.
I see the same downloading
gc .\DVR-Scan-1.1-win64-portable.zip -stream Zone.Identifier
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://dvr-scan.readthedocs.io/en/latest/download/
HostUrl=https://github-production-release-asset-2e65be.s3.amazonaws.com/77726023/dec30f00-59da-11eb-9646-47d03e8b83a9?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210127%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210127T223638Z&X-Amz-Expires=300&X-Amz-Signature=812f8674d00022b80d6ebd4c4752c940fa263d36feacfc2c5de871589bb4f8d7&X-Amz-SignedHeaders=host&actor_id=1453308&key_id=0&repo_id=77726023&response-content-disposition=attachment%3B%20filename%3DDVR-Scan-1.1-win64-portable.zip&response-content-type=application%2Foctet-stream
Whether I scan the dvr-scan.exe or the zip it came in on VirusTotal, the following scanners flag it:
SecureAge APEX - Malicious
Avast - Win64:Trojan-gen
AVG - Win64:Trojan-gen
Cynet - Malicious (score: 100)
McAfee - Artemis!2C4BB2590BD5
McAfee-GW-Edition - BehavesLike.Win64.HToolLazagne.rc
Sangfor Engine Zero - Trojan.Win64.Agent.gen
Yandex - Trojan.PWS.Agent!m7rD4I82OUM
Zillya - Trojan.Disco.Script.104
And defender on my Win10 shows same result as WhiteBirchArmory reported above.
I used the same download of the scanner 1½ weeks ago and at that point Defender was quiet. It probably changed at Patch Tuesday this week.
I tried to track down the real explanations for the malware tags reported above, and none of the companies tells in detail what the culprit for the detections is. I assume it is a heuristic scan that detects a general behavior in the scanner they don't like.
Thanks
Thanks for the follow up. I've just rebuilt PyInstaller bootloader and rebundled the application (both portable and installer), which should reduce the occurrence of this happening. I have just finished updating both the installer and portable release of v1.1. If you've already installed the previous release, it will automatically uninstall the old version of 1.1 and apply the new version.
Please let me know if you're still running into this issue after re-downloading the latest files (the modification date of dvr-scan.exe should be today's date). Thank you for the report!
I tried downloading the portable for windows from here
https://dvr-scan.readthedocs.io/en/latest/download/
And it still triggers Defender.
Where do I find the updated binary?
Wait - it seems that the defender triggered on the old zip files in my downloads folder.
After cleaning up, I can no longer repro the defender issue neither by zip download nor when running the dvr-scan.exe.
Appears to be fixed, thanks!
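As an added example (not code from this thread or from the DVR-Scan project), here is a PowerShell script that does by hand what the thread above ends up doing piecemeal: it lists every copy of the DVR-Scan 1.1 download in the Downloads folder with its Zone.Identifier origin, SHA-256 and last-write time, warns when two copies with the same base name have different hashes (the stale-zip situation DDHF22 hit), and queries Defender's own detection history for that folder. The Downloads path, the file-name pattern, and the base-name normalisation are assumptions; the thread publishes no release hashes, so the hash column is for you to compare against the current release yourself.

```powershell
# Added example, not part of the DVR-Scan project. Inventory every copy of the
# DVR-Scan 1.1 download, show where it came from, hash it, and check whether
# Defender has a detection recorded for the folder it sits in.
# Assumptions: downloads live under $env:USERPROFILE\Downloads and the asset
# names match the pattern below (both taken from this thread, not verified).
param(
    [string]$Folder  = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$Pattern = 'DVR-Scan-1.1-win64*'
)

# Zone.Identifier is the NTFS alternate data stream browsers write on download.
# ZoneId=3 means "Internet" (the value DDHF22 posted). Returns $null if absent.
function Get-ZoneInfo {
    param([string]$Path)
    try {
        $raw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch { return $null }
    $info = @{}
    foreach ($line in $raw) {
        if ($line -match '^(\w+)=(.*)$') { $info[$Matches[1]] = $Matches[2] }
    }
    [pscustomobject]$info
}

$files = Get-ChildItem -LiteralPath $Folder -Filter $Pattern -File -ErrorAction SilentlyContinue
if (-not $files) { Write-Warning "No files matching $Pattern under $Folder"; return }

$report = foreach ($f in $files) {
    $zone = Get-ZoneInfo $f.FullName
    [pscustomobject]@{
        Name      = $f.Name
        # Browsers rename re-downloads to "name (1).zip"; strip that so copies group together.
        BaseName  = $f.Name -replace ' \(\d+\)(?=\.\w+$)', ''
        LastWrite = $f.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        ZoneId    = $zone.ZoneId
        # Drop the presigned S3 query string; only the host and object path are informative.
        HostUrl   = if ($zone.HostUrl) { ($zone.HostUrl -split '\?')[0] } else { $null }
    }
}
$report | Sort-Object BaseName, LastWrite | Format-Table Name, LastWrite, ZoneId, SHA256 -AutoSize

# Same release asset name, different content: an old build and a rebuilt one
# side by side. The older copy is the one Defender keeps flagging.
$report | Group-Object BaseName |
    Where-Object { ($_.Group.SHA256 | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object {
        Write-Warning ("Multiple builds of {0} with different hashes:`n  {1}" -f $_.Name,
            (($_.Group | ForEach-Object { "$($_.LastWrite)  $($_.SHA256)" }) -join "`n  "))
    }

# Defender's own record of what it flagged in this folder (Defender module, present on Windows 10).
$escaped = [regex]::Escape($Folder)
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Where-Object { $_.Resources -match $escaped } |
    Select-Object InitialDetectionTime, ThreatID, @{n='Resources'; e={ $_.Resources -join '; ' }} |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell if you want the Get-MpThreatDetection section populated; the hashing and Zone.Identifier parts work as a normal user. The ThreatID column can be mapped to a name with Get-MpThreat, and comparing the SHA256 column against the value you compute for a fresh download from the release page tells you whether the copy Defender is complaining about is the old build or the rebuilt one.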
Thank you so much for validating this on your end @DDHF22. @WhiteBirchArmory, please let me know if you still run into any issues after re-downloading v1.1.
Sorry again for the inconvenience.