Windows Defender Detection
29039 opened this issue · 5 comments
Program:Win32/Wacapew.C!ml
RudeWindowFixer.exe
process: pid:20304,ProcessStart:133438839985391712
I have that problem too
But apparently I ran that exe 2 hours ago and nothing sus happened on my laptop.
Windows Defender sees RudeWindowFixer 0.2a as clean on my machine. Maybe we don't have the same definitions file.
As explained in issue #1, it is incredibly unlikely that the executable on the Releases page is compromised, as that would require GitHub itself to be compromised. You don't need to trust me on this: I didn't build that executable, GitHub did, and it built it from open source code. It's all public and verifiable.
And if you still don't believe that, nothing stops you from getting the source code, reading it yourself to make sure it's harmless (it's only ~100 lines), and then building it yourself. All you need to do that is Visual Studio which is free.
More generally, RudeWindowFixer tends to regularly trigger false positives with antivirus software, presumably because it contains code that is highly unusual and uses obscure Windows APIs. My understanding is that lots of antivirus software flags this kind of code purely because, statistically, it's way more likely that harmful software would use these APIs than legitimate software. It's unfortunate that RudeWindowFixer ends up as collateral damage of these heuristics.
The latest defender update I have is:
Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.401.256.0) - Current Channel (Broad)
The version of RudeWindowFixer.exe is 0.2a, confirmed by downloading a fresh copy and comparing the hash:
SHA256: 332a8617aab56b42a6749e8fb4a934966ef6de51c958e1fcbe66e219328b2554
I have been using this file since 16 July 2022, it is only now that a detection has come up.
I don't think that there is a suggestion that what you have produced is actually malicious. If this were the case, Microsoft would have pulled it from GitHub, considering that they own both detection platform and GitHub.
All I am really suggesting is that it would be nice if you could submit it for review:
https://www.microsoft.com/en-us/wdsi/filesubmission
There is an option to submit it as the software developer, which should give it more weight compared to a random person saying that it's not malware.
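The check described in the comment above (download a fresh copy and compare its SHA-256 with the hash reported in this thread), written out as an added Python example; this is not code from the RudeWindowFixer project. The file name `demo_download.bin` in the demo is a constructed stand-in, not the real release binary.

```python
import hashlib
import hmac
from pathlib import Path

# SHA-256 reported in this thread for RudeWindowFixer.exe 0.2a (copied from the comment above).
REPORTED_SHA256 = "332a8617aab56b42a6749e8fb4a934966ef6de51c958e1fcbe66e219328b2554"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(text):
    """Accept the forms people paste into issue threads: optional 'SHA256:' prefix, any case, stray whitespace."""
    value = text.strip()
    if ":" in value:
        value = value.rsplit(":", 1)[1].strip()
    value = value.lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        raise ValueError(f"not a SHA-256 hex digest: {text!r}")
    return value


def verify_download(path, expected):
    """Return True only if the file's digest equals the expected one (constant-time comparison)."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, normalize_digest(expected))


if __name__ == "__main__":
    # Constructed demo file: a stand-in, so it will NOT match the reported release hash.
    demo = Path("demo_download.bin")
    demo.write_bytes(b"not the real RudeWindowFixer.exe\n")
    print("computed:", sha256_of_file(demo))
    print("matches reported hash:", verify_download(demo, "SHA256: " + REPORTED_SHA256))
    demo.unlink()
```

Any mismatch means you are not looking at the same bytes the other commenter hashed, which is worth knowing before reasoning about whether a detection is a false positive.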
Thanks, I just submitted it. I'm a bit confused though, as the submission results report it as clean, even though your SHA256 hash matches mine:
The report says it's being checked against definitions 1.401.277.0, which is slightly higher than yours. Maybe Microsoft already fixed the issue in the latest definitions?
Hopefully, thanks for checking. And thanks for making it as well, hopefully someone from Microsoft sees this one day and gets it fixed on their end.