Detected as HackTool:Win64/ExplorerPatcher!MTB #3228
TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin:
Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"
Microsoft does not like EP anymore, it seems. It's understandable, since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now.
You can also set Windows Defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by Windows Defender.
Also %APPDATA%\ExplorerPatcher
Microsoft is so mad, ngl
That's not a false detection. They literally named it "HackTool:Win64/ExplorerPatcher!MTB" because they don't like EP.
It would be nice if EP deleted ep_setup.exe as soon as possible after an update; that would probably decrease the detection rate.
It's used for uninstalling. It can't be deleted before then.
Thank you, had to use this. Also, it looks like the Windows 11 24H2 update might be a disaster because Microsoft is actively blocking StartAllBack as well. Not good; Microsoft needs a lawsuit from someone with a decent amount of money.
Just want to post an update to this issue: looks like this will continue to haunt us forever, even with local builds. From now on, users must have added the folders below to exclusions to prevent Defender from messing with EP while still keeping Defender active.
Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"
The reasons we're not setting the latest 66.4 build as release are:
So that's why we kept the latest release at 65.5, which is not flagged yet as of the time of writing. (66.4 is also not flagged.) To make this easy for first-time users and non-tech-savvy people, I am planning to make a PowerShell-based online installer which will be a simple GUI to select between the release and pre-release version, as well as optionally including the folders into exclusions, which will be checked by default. And when they flag the PowerShell script, we can easily break the hash by modifying the script, much like what MAS has been doing monthly. For updates, users will need to download updates through EP itself, not by visiting the GitHub releases page anymore. What do you guys think?
PowerShell script is a nice touch, I like that.
great idea
It is not a false detection, it correctly detects it as hacking tool ExplorerPatcher.
Sounds great @Amrsatrio! More developers should implement this method. Where can we keep an eye out for your progress on the script?
Hi, guys. Edit:
It's marked as Backdoor:Win32/Bladabindi!ml now; earlier today it was calling it HackTool:Win32/Patcher!MTB.
Unlike most Trojans, Backdoor:Win32/Bladabindi!ml does not create a registry entry to run itself on Windows start-up. Instead, this threat will inject harmful code into valid processes including explorer.exe, iexplore.exe, firefox.exe, chrome.exe, opera.exe, and safari.exe. The Trojan will load if the user runs any of these programs. Then, the Trojan tries to contact a command and control (C&C) server through HTTP requests on port 80, the same way users connect to the Internet. During analysis, it was discovered that most of the C&C servers that provide remote commands for this threat originate from .TW domains. Lastly, Backdoor:Win32/Bladabindi!ml attempts to gather cookie data from the infected computer. It is also interested in collecting Internet certificates and stores them under the UserProfile folder.
The link automatically opens the Feedback Hub app... but the results are the same.
see this comment: #3228 (comment)
Windows 11 24H2 without issues; Kaspersky didn't detect anything. Version 22621.3880.66.6
This does not work, I get errors for all lines as follows:
And the same for all other lines.
The PowerShell script must run with elevated privileges.
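As an added example (not code from the ExplorerPatcher project or from anyone in this thread): the five exclusion commands from the TLDR, wrapped in a script that checks for elevation first (the cause of the "errors for all lines" report above), reads the exclusion list back through Get-MpPreference so you can verify what Defender actually recorded, and takes a -Remove switch (this script's own addition) so the exclusions can be taken out again when EP is uninstalled instead of silently outliving it.

```powershell
#Requires -RunAsAdministrator
# Added example, not ExplorerPatcher's installer. Adds (or, with -Remove,
# removes) the Defender exclusions listed in the thread and reports the
# resulting state. The -Remove switch is this script's own convention.
param([switch]$Remove)

# Paths from the thread. $env:APPDATA is expanded at run time, so the entry
# Defender stores is the current user's absolute path.
$epPaths = @(
    'C:\Program Files\ExplorerPatcher',
    (Join-Path $env:APPDATA 'ExplorerPatcher'),
    'C:\Windows\dxgi.dll',
    'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy',
    'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy'
)

# Explicit elevation check: #Requires stops a script file run from a
# non-elevated host, but not code that is pasted into a console.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell.'
}

# Current exclusion list; @() keeps it an array even when empty.
$before = @((Get-MpPreference).ExclusionPath)

if ($Remove) {
    # Only touch entries that are actually present.
    $present = @($epPaths | Where-Object { $before -contains $_ })
    if ($present.Count -gt 0) { Remove-MpPreference -ExclusionPath $present }
} else {
    # Add only what is missing, so re-running the script is idempotent.
    $missing = @($epPaths | Where-Object { $before -notcontains $_ })
    if ($missing.Count -gt 0) { Add-MpPreference -ExclusionPath $missing }
}

# Read back and report, so the user sees exactly which exclusions now exist.
$after = @((Get-MpPreference).ExclusionPath)
foreach ($p in $epPaths) {
    $state = if ($after -contains $p) { 'EXCLUDED' } else { 'not excluded' }
    '{0,-13} {1}' -f $state, $p
}
```

Run it once with no arguments after installing EP and once with -Remove after uninstalling; the final report is the same list an administrator would review when auditing why a Defender exclusion on Program Files and %APPDATA% exists on a machine.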
Have any devs attempted to communicate with Microsoft via https://www.microsoft.com/en-us/wdsi/filesubmission or reviewed the criteria for classification as PUA to see if perhaps some additional notices during installation are all that is necessary (see https://learn.microsoft.com/en-us/defender-xdr/criteria )? I sorta doubt that the Feedback Hub will do anything. Just wondering...
Yes, Valinet did.
GUYS BE CAREFUL EXPLORER PATCHER IS A GAME HACK!!!!!!!!11!!!! (joke)
Despite the above PowerShell commands executing successfully, Windows is still blocking me from updating Windows 11, blaming ExplorerPatcher. Do you think it would be successful if I uninstalled EP, updated, and then reinstalled EP?
Yes, my PC came with Win11 23H2 and I had to uninstall EP and then use the official ISO to force the upgrade to 24H2. I reinstalled it and now everything is OK. EDIT: it may take some time (2 1/2 hours for me) and it also works without clean installing it.
You are always supposed to uninstall EP before upgrading between Windows 11 releases.
Yeah, unfortunately Microsoft blocks updates for EP users...
We're referring to when you do an upgrade from 23H2 to 24H2; that is when you should uninstall EP first. Not for regular Windows updates.
Yes, for me 24H2 didn't even appear even though I had checked "receive updates first", and when attempting to reset Windows Update it did nothing but throw me an error code after downloading the update; that's why I used an ISO (to force the upgrade).
Simple question. If I remember correctly, one of the "potential problems" is the inclusion in the installer of some .dll files deleted by the OS. Also, if the download per se is a problem because Defender will block it, you can prevent the user during installation (if Defender reverts the decision over the installer) to do the required configuration on Windows Defender, or even do the configuration with the installer if the user approves.
Or you can do like TLauncher and include code that disables Windows Defender when being scanned. This sure adds some security problems and is a pretty shady practice, but this would work well, knowing that TLauncher embeds real spyware :)
A total rewrite of the setup is needed if we need to add some UI there. I don't have the time and motivation for it yet. For the downloads, I've remembered that there were reports where, when EP wasn't installed without an Internet connection, the 10 start menu was broken to a certain extent due to some missing restoration files. Though in the future I'm considering extending the symbol download feature to download binaries as well during runtime. There will be no extended black screens (StartUI.dll is 10MB), although the user has to wait a couple of minutes till it finishes downloading, especially on bad Internet connections. @ff66theone Nice idea actually, but I'm not letting EP become real malware 🤪
Perhaps show a progress bar in the foreground for the file downloads that right now are done in the background.
Yes, of course, I feel this is required for downloads that may take a long time.
I know that this technique is questionable, but it is working well. Also, I don't want XORed code; alone it works already, and the only thing to do is asking for consent or implementing a toggle for that functionality. I don't want that feature to be hidden; I want it to be shown so users don't think it is there for bad reasons.
For some reason, latest release of EP keeps getting false flagged by Windows defender as HackTool:Win64/ExplorerPatcher!MTB. I have to exclude this app's folder from Program Files manually to uninstall it properly. What is going on?