Windows Defender thinks paket 5.151.3 is a trojan

[tabro]

Description

I started having issues fetching paket.exe through paket.bootstrapper.exe.
When the bootstrapper tries to fetch paket.exe, windows defender removes the file, and claims that the file contains the trojan "Win32/Critet.BS".

Repro steps

Please provide the steps required to reproduce the problem

1. Step A
   Run bootstrapper on a machine with Windows Defender.

If possible then please create a git repository with a repro sample or attach a zip to the issue.

Expected behavior

No virus alert - paket.exe is downloaded.

Actual behavior

Virus alert - paket.exe is deleted

Known workarounds

Run paket.bootstrapper.exe 5.151.2

[eiriktsarpalis]

Got exactly the same behaviour just now.

[TheAngryByrd]

Other people have started seeing this issue: https://forum.kerbalspaceprogram.com/index.php?/topic/172357-trojanwin32critetbs/

Probably need to contact the vendor and tell them it's a false positive. They're probably using some strings search or a yara rule to match on some bytes that some malware uses but clearly it's too broad of a match.

[theimowski]

Same happened here

[forki]

so the "fun" thing is: even I can't download it. I mean that file was created on my machine and defender didn't complain. Now it's complaing on the download.

Anyway: I uploaded the latest alpha to virustotal and they say it's clean
https://www.virustotal.com/de/file/261d82cfe4a7b4f2fbc800f298fa8caf310031a548e146dedb8ee9e2643ff126/analysis/

[forki]

can someone please test with latest alpha? is that one flagged as well?

[eiriktsarpalis]

@forki confirming that latest alpha has no issues for me

[piotrg18]

same for me latest alpha works fine

[forki]

wtf!?

[forki]

I will now push a zero diff release on top of 5.151.3 because the alpha is not ready. hopefully that's enough

[richardjharding]

I downloaded 5.152.0-alpha002 paket.exe and copied in place - windows was happy with that - before I was seeing the error above from defender

[forki]

ok 5.151.4 is released. can someone please check?

[eiriktsarpalis]

Works 👍

[forki]

lol. So if I'd ever develop a real virus, then all I need to do is adding a comment somewhere to change the hash of the exe!? WTF!

[TheAngryByrd]

I uploaded the exact version

5.131.2: https://www.virustotal.com/#/file/aee5a3669124abf0346cd2dcba5e7d539997ab472fb9d33ebda0d94e828bd20f/detection
5.131.3: https://www.virustotal.com/#/file/3be94b622c39d3f18a5ae0a315b1fa08e8224cf7e198d63a81c832c8494e7037/detection

[matthid]

maybe we just had a hash conflict :)

[forki]

If someone knows someone from defender team - it would be nice if they coulde look into this.

[TheAngryByrd]

Had some contacts get in touch. This was their response.

found the signature author, will let you know.
PS you don't need to know somebody https://www.microsoft.com/en-us/wdsi/filesubmission
those are monitored 24/7
should be good now