Windows 10 Defender virus detection
XanatosX opened this issue · 11 comments
Virus Total does show an infected file for the amd windows build. Same goes for windows defender I guess. I initially found it via a Joplin plugin and listed the issue there laurent22/joplin#9055
I did dig into the code for the unofficial wakatime Joplin plugin code just to find out that it does download the cli if required.
I did upload the wakatime cli file to virus total and it got the same hash as the issue I wrote on the Joplin board. So I'm pretty sure the zip is the root cause.
Talking about the newest release https://github.com/wakatime/wakatime-cli/releases/tag/v1.85.2
I will ask windows defender to scan the file tomorrow and write a comment if it will throw a warning.
Environment:
- OS: Windows 10
- Platform: amd64
Related to past similar issues:
#775 #660 #690 #693 #782 #689 #654
I'm seeing no detections when scanning just now with virustotal.com:
v1.85.2/wakatime-cli-windows-amd64.zip
v1.85.2/wakatime-cli-windows-arm64.zip
v1.85.2/wakatime-cli-windows-386.zip
Now I'm also getting one detection Trojan.Khalesi.bice by Jiangmin when using the same file but uploading the unzipped exe from the zip:
v1.85.2/wakatime-cli-windows-amd64.exe
I have no idea why it would report different results for the same file depending if it's zipped or not.
I did check for system updates and it looks like there is an update for the windows defender database. I will scan the file again after the update is installed. Version of the update is v5.118 (KB890830).
Hopefully this will solve the false positive, I will report back. I'm relatively sure it is a false positive since there are multiple reports from earlier versions where something like that happened.
Scan Result:
Windows Defender still marks it as a harmful file.
Not sure how I could verify this, could you guide me where to get the hash from?
Uploading the exe here gives the sha256sum:
Sadly Windows does not allow me to unzip the file since the defender does block any interaction immediately. I can only check the zip, which does logically show another sha256 value.
Since the cache folder from joplin is also already deleted I cannot verify if the files were indeed identical. I could boot up my linux machine, download the zip from github and upload the exe there but this would be pointless, right?
Since I used the same Joplin plugin on another machine, I could indeed find a file which does contain the "wakatime-cli.exe". Scanning it via the provided tool does return the same sha256
81283b5f3d667be97927661c1a075e1ffd96d01c9000c2fe3fe24939a670abb9
This at least tells me that the plugin wasn't the initial cause of the issue.
Sadly Windows does not allow me to unzip the file since the defender does block any interaction immediately. I can only check the zip, which does logically show another sha256 value.
Which sha value do you get for the zip? Or you can upload the zip here and I'll check its shasum.
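The thread above compares a hash of the zip with a hash of the exe inside it, which can never match: the archive bytes and the member bytes are different inputs. The script below (an added example, not part of this issue or the wakatime-cli project) hashes the archive and every member streamed from it in memory, so the inner exe's sha256 can be checked against a published value without extracting anything to disk. The release file name and the sample archive contents are constructed for the demo.

```python
import hashlib
import io
import zipfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_zip_and_members(zip_bytes: bytes) -> dict:
    """Return {'<archive>': sha256 of the zip itself, member_name: sha256 of that member}.

    Members are read through the zip stream in chunks and never written to disk,
    which is what you want when an AV product blocks extraction of the archive.
    """
    result = {"<archive>": sha256_bytes(zip_bytes)}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(1 << 16), b""):
                    digest.update(chunk)
            result[info.filename] = digest.hexdigest()
    return result


def verify_member(zip_bytes: bytes, member_name: str, expected_sha256: str) -> bool:
    """True only if the named member exists and its sha256 equals expected_sha256."""
    hashes = hash_zip_and_members(zip_bytes)
    return hashes.get(member_name, "").lower() == expected_sha256.strip().lower()


def build_sample_zip() -> bytes:
    # Constructed stand-in for a release archive; the member is not a real binary.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("wakatime-cli-windows-amd64.exe",
                    b"MZ placeholder payload, not a real binary\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    # The archive digest and the member digest are different values, as expected.
    for name, digest in hash_zip_and_members(sample).items():
        print(f"{digest}  {name}")
```

For a real release, read the downloaded zip with `open(path, "rb").read()` and pass the sha256 published for the exe to `verify_member`; comparing the zip's own digest against that value will always fail.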
After submitting to Defender the final determination is now "Not malware". That means it shouldn't be flagged in a future Defender database update.