
Trojan inside? #22

Closed
eBerdnA opened this issue Sep 23, 2021 · 13 comments

@eBerdnA commented Sep 23, 2021

I just downloaded the latest release 0.4.1 (mdzk_0.4.1_x86_64-pc-windows-gnu.zip). The download was blocked by threat protection of Windows 10.

[screenshot: Windows Defender warning]

I'm using the latest Windows 10 build including the latest updates for threat protection.

I also tried downloading release 0.4.0. Same effect.

Any idea why this could be happening?

@ratsclub ratsclub pinned this issue Sep 23, 2021
@ratsclub (Member)

Hm, this is embarrassing... I guess it could be related to our GitHub Action? I don't have a Windows machine to test it right away, but I'll try to take a look soon. Thanks for your report!

@eBerdnA (Author) commented Sep 23, 2021

Could be related to your build machine, but I don't know how your build process is set up.
Now I just tested the download on a machine running Windows 11 preview, which also identified the download as a possible infection risk.

[screenshot: Windows Defender warning on Windows 11 preview]

Could still be a false positive from the Microsoft engine.

I scanned the file with virustotal.com and https://vms.drweb-av.de/online/. Both said that the file does not contain any virus. Therefore, I guess it is a false positive from the Microsoft engine, but I can't validate that because I don't have any Windows machine running a different antivirus solution.

@kmaasrud (Member)

This is very weird... I've combed through the build action we are using, and it looks totally legit. We have also tried a few virus scanners, Windows Defender included, and have not managed to replicate the warning.

I'll take down the downloads ASAP, and investigate further before we risk anything. @eBerdnA do you know if you have any other malicious software on your computer that could be trying to hide as mdzk?

@eBerdnA (Author) commented Sep 23, 2021

Of course, I cannot exclude this 100%, but there are two different computers on which the message was displayed by Windows Defender.

I first came across mdzk today because I was looking for a way to turn Obsidian Notes into static HTML. Before today I hadn't done anything with mdzk. Therefore, while it is possible that a virus is trying to impersonate mdzk, I think that should be the case with other downloads as well.
Just to double-check that, I just downloaded some other binaries for Windows from another project (Hugo), which did not cause any Defender warning.

I also checked whether there was an update available for Defender. There was one available. Right now this version is active on my machine (Windows 11 preview), and it is still causing the trojan warning for mdzk.

[screenshot: Defender update status]

However, I must admit that it is strange that other virus scanners, as I also wrote, do not seem to react.

Therefore, as also written before, I believe that it is a false positive result.

So finally I just used a third PC, running Windows 10 but with the same Defender version. On this PC no warning is issued when I download the binaries for mdzk. Now I'm honestly confused as to which result to believe.
My intention is definitely not to cause unnecessary confusion here.

@kmaasrud (Member)

@eBerdnA thanks for the information! One of us just got the warning in a Windows 10 VM, so this seems to be related to mdzk. We've not discovered the reason yet, but I'm pretty sure this is a false positive, yes.

While we try to get this fixed, are you able to install mdzk with Cargo (`cargo install mdzk`)? Defender might be more friendly to a locally compiled binary.

@eBerdnA (Author) commented Sep 23, 2021

Somehow I'm glad this is not only happening on my machine. Even though it doesn't solve this issue.

I just gave cargo a shot and couldn't install mdzk because libquickjs-sys-0.9.0 couldn't be built. I don't know why, but this is another issue which doesn't belong in this issue.

Moreover, I made a submission to Microsoft for a false positive analysis. The procedure is described here: Address false positives/negatives in Microsoft Defender for Endpoint | Microsoft Docs
The final status is still pending. I don't know how long it will take until Microsoft has made a final assessment of the submission.

@ratsclub (Member)

> I just gave cargo a shot and couldn't install mdzk because libquickjs-sys-0.9.0 couldn't be built. I don't know why but this is another issue which doesn't belong into this issue.

We are discussing changing the JS engine to avoid this issue, so it might not be a problem in the future.

> Moreover I made a submission to Microsoft for a false positive analysis. The procedure is described here: Address false positives/negatives in Microsoft Defender for Endpoint | Microsoft Docs
> The final status is still pending. I don't know how long it will take until Microsoft has made a final assessment for the submission.

Thank you for your time reporting this issue!

@kmaasrud (Member)

> I just gave cargo a shot and couldn't install mdzk because libquickjs-sys-0.9.0 couldn't be built. I don't know why but this is another issue which doesn't belong into this issue.

@eBerdnA really sorry for all these issues and thanks so much for submitting a false positive to Microsoft 😄 I'll try to rewrite our KaTeX approach temporarily today, so we can remove the quickjs dependency. It has caused nothing but pain for Windows users 😅

@eBerdnA (Author) commented Sep 24, 2021

You're welcome.
Microsoft finished the analysis and, from my understanding, agreed that this is a false positive. They also provided steps on how to update the signatures manually.

[screenshot: result of the Microsoft false positive submission]
Just to make it easier for search engines and people finding this, here are the steps/commands from the screenshot.

  1. Open command prompt as administrator and change directory to `c:\Program Files\Windows Defender`
  2. Run `MpCmdRun.exe -removedefinitions -dynamicsignatures`
  3. Run `MpCmdRun.exe -SignatureUpdate`

Unfortunately, I can't test the detection on my system right now because the downloads for Windows have been taken down. 😉
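The three steps from the comment above, wrapped into a PowerShell script as an added example (not part of the thread, and not the reporter's or the mdzk project's code). It records the signature version before and after the refresh and lists recent detection history, so that a later re-test of the download can be compared against a known state. The `MpCmdRun.exe` location and switches are the ones given in the comment; the `Get-MpComputerStatus` and `Get-MpThreatDetection` cmdlets are assumed to be available from the Defender module that ships with Windows 10/11.

```powershell
# Added example: refresh Defender signatures after Microsoft has confirmed a
# false positive, following the steps listed in the thread, and verify the result.
# Run from an elevated PowerShell session (MpCmdRun.exe needs administrator rights).
# Assumption: the built-in Defender module (Get-MpComputerStatus,
# Get-MpThreatDetection) is present, as it is on standard Windows 10/11 installs.

# Step 1 from the thread: the tool lives under C:\Program Files\Windows Defender.
$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
if (-not (Test-Path $mpCmdRun)) {
    throw "MpCmdRun.exe not found at $mpCmdRun"
}

# Record the signature state before the refresh so the change is auditable.
$before = Get-MpComputerStatus
Write-Host ("Before: AV signature {0} (updated {1})" -f `
    $before.AntivirusSignatureVersion, $before.AntivirusSignatureLastUpdated)

# Step 2 from the thread: remove the dynamic signatures that carried the verdict.
& $mpCmdRun -removedefinitions -dynamicsignatures
if ($LASTEXITCODE -ne 0) {
    throw "removedefinitions failed with exit code $LASTEXITCODE"
}

# Step 3 from the thread: pull a fresh signature set.
& $mpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) {
    throw "SignatureUpdate failed with exit code $LASTEXITCODE"
}

$after = Get-MpComputerStatus
Write-Host ("After:  AV signature {0} (updated {1})" -f `
    $after.AntivirusSignatureVersion, $after.AntivirusSignatureLastUpdated)

# Detection history is not cleared by the steps above; show the most recent
# entries so a fresh download of the release can be compared against them.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 5 -Property InitialDetectionTime, ThreatID, Resources |
    Format-Table -AutoSize
```

After the script finishes, re-downloading the release is the actual test: if Defender no longer flags it and no new entry appears in the detection history, the refreshed signatures have picked up Microsoft's corrected verdict.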

@kmaasrud (Member)

> Unfortunately, I can't test the detection on my system right now because the downloads for Windows have been taken down. 😉

I'll ping you as soon as I've got 0.4.2 up and running, and compiled for Windows 👍

@kmaasrud (Member)

@eBerdnA 0.4.2 is out now, and my testing with both Windows Defender (on Windows 10) and VirusTotal threw no warnings. Hopefully, this is the case for everyone...

0.4.2 also doesn't have a dependency on QuickJS, so it should compile completely fine on Windows. Fingers crossed that everything works for you, keep us posted 🤞

@kmaasrud kmaasrud self-assigned this Sep 24, 2021
@eBerdnA (Author) commented Sep 24, 2021

I just downloaded the latest release 0.4.2. It did not trigger Windows Defender. 👍🏻
Therefore, this issue can be closed.

I need to test the cargo installation on a different system but will open a separate issue for this topic if the problem still exists.

@kmaasrud (Member)

That's relieving to know! Thanks again for your collaboration on this issue 😄

@kmaasrud kmaasrud unpinned this issue Sep 25, 2021