The Latest Build v. 22621.1992.56.1 Has Malware 💀

[Aldis-Nutz]

I run Micorosft Defender for Endpoint with our A5 licensing on my work client and was notified this morning that the application had a masquerading file that was blocked. I am going to attach screenshots of the pathing and hash id.

Defender detected 'Trojan:Win32/MasqueradingFile.F!cl'
Malware
Threat name
Trojan:Win32/MasqueradingFile.F!cl
Remediation action
quarantine
Remediation time
Jul 27, 2023 7:03:04 AM

[Aldis-Nutz]

@Speedy37 @lordmilko @justanotheranonymoususer @kimsey0 @valinet

[nadinoob]

Who uses Antivirus... Users maybe should. But we should know better than to jump to conclusions ?

[Aldis-Nutz]

This isn't anti-virus. This is company-based ASR and EDR

[nadinoob]

Alright, but why would you use SW like Explorer Patcher on a productive company?! computer, that's... very questionable at best. No offence. I hope.

[Aldis-Nutz]

It is my personal testing client I like having the contextual Windows 10-like menus when I right-click files.

[valinet]

It has no malware, this has been discussed a couple of times already, there are similar issues closed and opened if you search past history. Builds are automated, I do not touch them. The CI system takes the latest source code and builds it in clean VMs. By the nature of this program, which does a ton of memory manipulation, heuristics in antivirus products might flag the file as suspicious. The solution for this would be to digitally sign the file, then the antivirus would most likely shut up, but I do not have a code signing certificate and do not really intend to acquire one, since I think I took the necessary precautions to make sure the delivered builds are clean, plus, there's always the option of checking out and building the code oneself for anyone that's interested. I also feel like antivirus vendors sometimes enjoy using these tactics to hinder small development by scaring users away because something is presumably 'malicious'...

[Aldis-Nutz]

I just find it interesting as I have been using the application for the past eight months without issues. We have been using DFE in our organization as well for the past year with zero alerts.

[valinet]

Yeah, correct. It happens from time to time, binaries randomly get flagged as malware by various vendors... It's just a "false positive", as they like to call these inconveniences.

[justanotheranonymoususer]

https://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/

…

On Thu, Jul 27, 2023, 15:56 Aldis-Nutz ***@***.***> wrote: I just find it interesting as I have been using the application for the past eight months without issues. We have been using DFE in our organization as well for the past year with zero alerts. — Reply to this email directly, view it on GitHub <#1697 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABMDRPGGF23C2FWBKTQTELTXSJQQLANCNFSM6AAAAAA2Z7XIIA> . You are receiving this because you were mentioned.Message ID: ***@***.*** com>

[Aldis-Nutz]

Thanks, I did a full system scan and will monitor to be safe. I do appreciate the hard work that goes into this app. It helps functionality with Win11

[valinet]

Yeah, I mean, I guarantee you I personally do not touch the binaries posted. I have done this a few times well back in the past, and have always attached a note to the release page, if the case. You do not have to take my word. Indeed, I have access to change the binaries, but you can always download the binary from the release and compare it against the one from the GitHub Actions artifacts of the run that generated that release, and you'll see the checksums and contents coincide, which indicate it wasn't touched by me, since I cannot alter the artifacts in the run results page.