
Windows Security flags v3.6.1-3 as a threat #619

Closed
yoniLavi opened this issue Mar 16, 2023 · 18 comments

Comments

@yoniLavi

yoniLavi commented Mar 16, 2023

Description

The installation of v3.6.1-3 on my Windows 11 PC is being blocked by Windows Security, saying that it identified Trojan:Win32/Casdet!rfn. I've pasted the full details below.

Reproduce

  1. Go to https://github.com/jupyterlab/jupyterlab-desktop/releases
  2. Download https://github.com/jupyterlab/jupyterlab-desktop/releases/download/v3.6.1-3/JupyterLab-Setup-Windows.exe
  3. Before it can be run, Windows Security pops up with a threat warning and asks to delete the downloaded file.

I reproduced it twice by re-downloading from the same URL.

Expected behavior

  1. Go to https://github.com/jupyterlab/jupyterlab-desktop/releases
  2. Download https://github.com/jupyterlab/jupyterlab-desktop/releases/download/v3.6.1-3/JupyterLab-Setup-Windows.exe
  3. Install.

After seeing the issue, I've re-downloaded v3.6.1-2 and had no issue with that.

Context

  • Operating System and version: Windows 11 Pro, 22H2, OS build 22621.1413
  • JupyterLab-Desktop version: v3.6.1-3
  • Installer: .exe
Windows Security output
Detected: Trojan:Win32/Casdet!rfn
Status: Removed
A threat or app was removed from this device.

Date: 16/03/2023 09:20
Details: This program is dangerous and executes commands from an attacker.

Affected items:
file: C:\Users\Yoni\Downloads\JupyterLab-Setup-Windows.exe

webfile: C:\Users\Yoni\Downloads\JupyterLab-Setup-Windows.exe|https://objects.githubusercontent.com/github-production-release-asset-2e65be/90307576/ac40182c-5d4c-45b4-9f70-643414d8db54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230316%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230316T091811Z&X-Amz-Expires=300&X-Amz-Signature=1ba99f284abd65bc9a45ea1f46825458d5ad3d68c30183a343e7515d31ad5032&X-Amz-SignedHeaders=host&actor_id=1586919&key_id=0&repo_id=90307576&response-content-disposition=attachment%3B%20filename%3DJupyterLab-Setup-Windows.exe&response-content-type=application%2Foctet-stream|pid:11856,ProcessStart:133234319207151416

@welcome

welcome bot commented Mar 16, 2023

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

@masozzo

masozzo commented Mar 16, 2023

Description

The installation of v3.6.1-3 on my Windows 11 PC is being blocked by Windows Security, saying that it identified Trojan:Win32/Casdet!rfn. I've pasted the full details below.

Reproduce

1. Go to https://github.com/jupyterlab/jupyterlab-desktop/releases

2. Download https://github.com/jupyterlab/jupyterlab-desktop/releases/download/v3.6.1-3/JupyterLab-Setup-Windows.exe

3. Before it can be run, Windows Security pops up with a threat warning and asks to delete the downloaded file.

I reproduced it twice by re-downloading from the same URL.

Expected behavior

1. Go to https://github.com/jupyterlab/jupyterlab-desktop/releases

2. Download https://github.com/jupyterlab/jupyterlab-desktop/releases/download/v3.6.1-3/JupyterLab-Setup-Windows.exe

3. Install.

After seeing the issue, I've re-downloaded v3.6.1-2 and had no issue with that.

Context

* Operating System and version: Windows 11 Pro, 22H2, OS build 22621.1413

* JupyterLab-Desktop version: v3.6.1-3

* Installer: .exe

Windows Security output

Me too! On Windows 10.

@mbektas
Member

mbektas commented Mar 16, 2023

The installer was created by GitHub Actions and I had tested it on Windows 10. This is very surprising. Could it be a false alarm? I will roll back the release to investigate it further.

@mbektas
Member

mbektas commented Mar 17, 2023

I tried on Windows 11 and initially I got the same error. Then I updated Windows and the security flag cleared. Can you retry after updating your Windows?

@yoniLavi
Author

Thanks for looking into it @mbektas, I'd be happy to try again, but could you please just confirm what version of Windows you have now, so I can verify that I'm up to date before I do so? (The one I had the issue on was OS build 22621.1413.)

@mbektas
Member

mbektas commented Mar 19, 2023

Windows 11 Enterprise Evaluation - 22621.1413
More importantly, the definition updates are as below:
[screenshot: definitions update]

@MaxPelly

MaxPelly commented Mar 20, 2023

I get the same on Windows 10 (KB5023696) with 1.385.471.0 definitions, which is the most up to date it will offer me.

Edit: got the definition number wrong

@yoniLavi
Author

Sorry to say that I'm still getting the same "Threat blocked" with the latest update I have access to, which is 1.385.548.0; I see it is later than the ones you posted, @mbektas, and it was apparently generated today.

Here are the full threat details from this run (almost identical to those from last time):

Windows Security output
Detected: Trojan:Win32/Casdet!rfn
Status: Removed
A threat or app was removed from this device.

Date: 20/03/2023 15:20
Details: This program is dangerous and executes commands from an attacker.

Affected items:
file: C:\Users\Yoni\Downloads\JupyterLab-Setup-Windows.exe

webfile: C:\Users\Yoni\Downloads\JupyterLab-Setup-Windows.exe|https://objects.githubusercontent.com/github-production-release-asset-2e65be/90307576/ac40182c-5d4c-45b4-9f70-643414d8db54?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230320%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230320T151811Z&X-Amz-Expires=300&X-Amz-Signature=6e719ee0ba65eb108f30f4cc9c8f8305fd25922a5ca987e6eb3030486a47a215&X-Amz-SignedHeaders=host&actor_id=1586919&key_id=0&repo_id=90307576&response-content-disposition=attachment%3B%20filename%3DJupyterLab-Setup-Windows.exe&response-content-type=application%2Foctet-stream|pid:6560,ProcessStart:133237991133371222

Please let me know if I can help in any other way. Thanks

@mbektas
Member

mbektas commented Mar 21, 2023

I tried again in Win 11 with KB2267602 (Version 1.385.654.0) and didn't get any alerts today.

@mbektas
Member

mbektas commented Mar 21, 2023

@MaxPelly are you getting this error for 3.6.1-3 or earlier?

@MaxPelly

@MaxPelly are you getting this error for 3.6.1-3 or earlier?

3.6.1-3, can't check with an earlier version now as IT is still "checking" it's a false positive.

@sasobadovinac

VirusTotal has zero detections (including Microsoft) for it: https://www.virustotal.com/gui/file/1926fbe2c288f940b35cce4e42424f1e9066feeecdcbe25812ee085ff8d1dcb3. But in addition to the definition-based detections they also use behavioral, heuristic and cloud methods, so I suspect this detection is coming from their cloud engine. There is this site to submit suspicious files and report false positives, https://www.microsoft.com/en-us/wdsi/filesubmission, but the file is too big to upload...

@mbektas
Member

mbektas commented Mar 23, 2023

@yoniLavi @MaxPelly @masozzo could you test the newer version release candidate (v3.6.2-1) to see if it raises any security flags?

@masozzo

masozzo commented Mar 23, 2023

@yoniLavi @MaxPelly @masozzo could you test the newer version release candidate (v3.6.2-1) to see if it raises any security flags?

No more problems, I have installed the latest version [release candidate] without virus detection.
Tx a lot
Marcello

@yoniLavi
Author

Hi @mbektas,

Thank you very much, I installed 3.6.2-1 now with no apparent issues whatsoever, so from my end, I'd be happy to close this as fixed.

Just curious - did you identify any specific issue there?
Also, are there any plans to implement auto-updating down the line (I couldn't find a project roadmap anywhere)?

Thanks,
Yoni

@mbektas
Member

mbektas commented Mar 24, 2023

Thanks for testing. The main change is an upgrade to a newer version of Electron. However, I am not sure if that upgrade has anything to do with the fix. It was just a false positive and the new binary is not causing an alert.

@yoniLavi auto-updating is only available for macOS at the moment. To get it working for Windows, we need to code-sign the binary. It is something waiting to be prioritized. By the way, code signing the Windows installer might also fix these Defender alerts.
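A triage script for the three checks this thread works through, added here as an example and not code from the jupyterlab-desktop project: it compares the download's SHA-256 with the VirusTotal sample @sasobadovinac linked, records the Authenticode status that @mbektas points to as a likely factor, and captures the Defender definition version the participants compare across machines. The default path and the expected hash are assumptions taken from the thread.

```powershell
# Added example (not from the jupyterlab-desktop project). Assumptions: the
# installer sits in the user's Downloads folder, and the expected SHA-256 is
# the one from the VirusTotal link in this thread.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\JupyterLab-Setup-Windows.exe",
    [string]$ExpectedSha256 = '1926fbe2c288f940b35cce4e42424f1e9066feeecdcbe25812ee085ff8d1dcb3'
)

$report = [ordered]@{}

# 1. Is the file on disk the same artefact everyone else is looking at?
if (Test-Path -LiteralPath $InstallerPath) {
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    $report['Sha256']      = $actual
    $report['HashMatches'] = ($actual -ieq $ExpectedSha256)
} else {
    # Defender reported "Status: Removed", so a missing file is itself a data point.
    $report['Sha256']      = $null
    $report['HashMatches'] = $false
    $report['Note']        = 'File not present (quarantined/removed, or never downloaded)'
}

# 2. Authenticode: distinguish NotSigned from Valid, and record who signed it.
if ($report['Sha256']) {
    $sig = Get-AuthenticodeSignature -FilePath $InstallerPath
    $report['SignatureStatus'] = $sig.Status.ToString()
    $report['Signer']          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

# 3. Defender definitions: the version string the thread compares (e.g. 1.385.x.0).
$mp = Get-MpComputerStatus
$report['AVSignatureVersion'] = $mp.AntivirusSignatureVersion
$report['AVSignatureUpdated'] = $mp.AntivirusSignatureLastUpdated

# 4. Any recorded detection for this path; ThreatID is useful for the false-positive submission.
$hits = Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($InstallerPath) }
$report['DetectionCount'] = @($hits).Count
$report['ThreatIDs']      = @($hits | ForEach-Object { $_.ThreatID }) -join ', '

[pscustomobject]$report | Format-List
```

Run it on the reporting machine and again on the one that stays quiet; a matching hash with differing definition versions points at the signature set, while a hash mismatch means the two machines are not discussing the same file.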

@mbektas
Member

mbektas commented Mar 24, 2023

I will release the new version after further testing. Let's keep this issue open until the release.

@mbektas
Member

mbektas commented Mar 25, 2023

This false positive problem is fixed with v3.6.2-1 release.

@mbektas mbektas closed this as completed Mar 25, 2023