Mercury triggers windows defender (not just smartscreen) #39

Closed
L3-NR opened this issue Sep 5, 2023 · 12 comments
Comments

@L3-NR

L3-NR commented Sep 5, 2023

[screenshot of the Windows Defender alert]
30 seconds after installation, Windows Defender deleted the .exe without user input, flagging it as a "severe" level threat.
I believe that it's not malware, but I'd rather not turn Defender off.

@Tachyon711

Good day! I also encounter the same instance for version 115.3.0. Thank you!

@Alex313031
Owner

@L3-NR @Tachyon711 It didn't for me when I tried it.

@GGoose

GGoose commented Oct 9, 2023

Same happened to me but 24 hours after installation.

@GGoose

GGoose commented Oct 9, 2023
@Alex313031
Owner

@GGoose I tried following a guide to sign the .exe to help prevent this from happening, but I need a CA from Microsoft to do it properly (otherwise I'm just using a self-signed CA, and unless you have that CA installed on your system, it won't work), and that costs a lot of money. So IDK, I guess people will just have to "trust me bro" that these aren't malicious, or compile them yourself.

@kenny-kvibe

kenny-kvibe commented Oct 18, 2023

https://www.virustotal.com/gui/file/92e97eaea495e48e58fefee7eb54c907eba55a819a61365af7f9193b25b41038/detection

115.4.0 Installer file

And here's the Firefox Installer:
https://www.virustotal.com/gui/file/d3663d704d94b4764b23f641463d9f1277f46b2713b0eabc0f5ea21923552840/detection

I installed it via the .zip and have had it open now for more than 40 minutes, WinDefender still sees nothing, & I didn't try the .exe installer

@Alex313031
Owner

Alex313031 commented Oct 18, 2023

@kenny-kvibe FUCK, I thought I had this resolved. At this point it must be related to not signing the .exe, since that costs a lot of money. I have got to fix this! It is NOT malicious at all, you can compile it yourself and compare the binaries and see that they are the same.

@lalishansh

WoW, I'll compile it myself, Awesome project man 👍🏼

@kenny-kvibe

kenny-kvibe commented Oct 18, 2023

@Alex313031 no worries, I know it's not malware, some people don't update MS Defender's local database so perhaps that's why it displays mercury as a virus to them.

I suggest you create a document with your virus scan results and attach your project as proof, and send this document to those 2 vendors that flagged it and to the MS Security Team (https://info.microsoft.com/ww-landing-security-generic-contact-me.html) to make them do a scan themselves and flag it appropriately. I mean, try a free route before spending your money, it could pay off.

The vendors that flagged it on VirusTotal are SecureAge and Trapmine, and if you check https://trapmine.com/ you can see that they've "concluded its operations", and SecureAge seems like a small firm, so their database is lagging behind I presume (small team = less work done), because if they really deep-scanned your file they would flag it appropriately. But as for now they just have a sigma rule or something that tracks certain patterns in the binary file, certain byte sequences, and when it finds these patterns it marks it under its falling category, even if it's a legit program from Microsoft. This can still happen at vendors who are lagging behind, and there'll always be some that lag behind.

To resolve this, vendors usually flag trusted programs' virus detections as false positives and then it passes as clean, although the program was unchanged. That's how the other vendors flagged it as "OK" (because they have the latest false positives of Firefox).

This is just a signing certificate problem: if a "verified cert" is present, it is a sign that it's a non-malicious program (for the vendor and a vendor-trusting user), so I presume the security vendors trust that program more by doing less detailed scans, ignoring some patterns based on the cert, or something like that I imagine.

There are always problems with certs, even legit ones, but it's not the only solution here because it's a legit Firefox rebuild, so it must pass. If you do nothing about it, it will pass some day (when they stop lagging and when everyone updates their local db at home), but if you contact them you could speed the process up a lot more and keep it self-signed, or buy the cert for an even faster way, but DAMN it's a big price for some user-useless bytes that don't even execute in the program.

Also letting you know, when you sign a program with a cert the bytes change, because you're essentially adding a few new bytes into your binary header.

Been using it for some hours now and it's just awesome.
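Added example, not from the Mercury project or from anyone in this thread: a PowerShell script a user can run on Windows to check the points raised in the comments above, i.e. whether the local file is the same one scanned on VirusTotal, whether it carries an Authenticode signature and from which chain (a self-signed certificate, as Alex describes, shows up as an untrusted root rather than as "Valid"), and which Defender signature fired against which definition version. The installer path and file name are assumptions; the expected hash is the one from the VirusTotal link in this thread.

```powershell
# Added example (not the Mercury project's own code). Run in an elevated PowerShell on Windows.
# $InstallerPath is an assumed location/name; the hash is from the VirusTotal URL posted above.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\mercury_115.4.0_installer.exe",
    [string]$ExpectedSha256 = "92e97eaea495e48e58fefee7eb54c907eba55a819a61365af7f9193b25b41038"
)

if (-not (Test-Path -LiteralPath $InstallerPath)) {
    # Defender may already have quarantined/deleted the file, as reported in this thread.
    Write-Warning "File not found (possibly already quarantined): $InstallerPath"
} else {
    # 1. Same bytes as the sample the VirusTotal vendors scanned? A mismatch means the
    #    verdicts on that report do not apply to the file you actually downloaded.
    $hash = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    "SHA-256 matches VirusTotal sample : $($hash -ieq $ExpectedSha256)"

    # 2. Authenticode status. Typical values:
    #    NotSigned    -> unsigned release (what this thread is about)
    #    UnknownError -> signed, but the chain ends in a root the machine does not trust
    #                    (what a self-signed certificate looks like to users)
    #    Valid        -> chain ends in a trusted CA
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    "Signature status                  : $($sig.Status) - $($sig.StatusMessage)"
    if ($sig.SignerCertificate) {
        "Signer subject                    : $($sig.SignerCertificate.Subject)"
        "Signer thumbprint                 : $($sig.SignerCertificate.Thumbprint)"
    }
}

# 3. Age of the local definition set (stale definitions were suggested above as one reason
#    detections differ from machine to machine) and which named threat Defender reported.
$status = Get-MpComputerStatus
"Definitions v$($status.AntivirusSignatureVersion), updated $($status.AntivirusSignatureLastUpdated) ($($status.AntivirusSignatureAge) days old)"

# Map ThreatID -> ThreatName so each detection record can be shown with its signature name.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'mercury' } |      # only records naming this installer
    ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threatNames[$_.ThreatID]
            Resource   = ($_.Resources -join '; ')
            Remediated = $_.ActionSuccess
        }
    } | Format-Table -AutoSize
```

The ThreatName printed in the last step is the string to quote when submitting a false-positive report to a vendor, since it identifies the exact signature rather than a generic "severe threat" label.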

@lore-sun

Hey mate!

I literally created a GitHub account just to post this comment because it has really concerned me.

I've been using Thorium and it's brilliant. I wanted to try something on a Firefox fork, so I downloaded this (Mercury) and Windows (10) immediately deleted the file... So I downloaded it again, at which point, no joke, it instantly deleted the file, crashed and UNINSTALLED Thorium browser entirely from my system, then when I restarted it told me Windows is initialising updates, and upon rebooting my network drivers were dysfunctional.

This is highly concerning, no? I have literally never had any such thing happen before in 10 years and am worried my system is infected in some way. Wat do?

@GGoose

GGoose commented Oct 31, 2023

@lore-sun All you have to do for the time being is allow the Mercury.exe to run on your OS through Windows Defender or whatever antivirus you use. Alex says it isn’t malicious and, as far as I know, no one is complaining about serious issues that you would normally find from real viruses. And regarding Thorium uninstalling from this issue, I have no idea how that can happen from a different browser that isn’t even based off Chromium.

In the end it’s your choice whether you want to use this browser or not. Just know it’s relatively safe.

@lore-sun

lore-sun commented Oct 31, 2023

@GGoose Strange though, right?
Windows Defender never even surfaced and my AV gave me no indication of engagement either.... and yet Thorium was wiped from my PC.... Don't get me wrong; I think Thorium is excellent and am not casting aspersions onto Alex, I was just shocked by the turn of events and have never experienced that. Also, my Thorium browser install has now bloated itself to 2.8G apparently; unfortunately I don't recall what it was before this, but isn't that unusually high?
A Betterfox install I just did as a test is at 400MB with all the same extensions etc.
