AndyFul / ConfigureDefender

Utility for configuring Windows 10 built-in Defender antivirus settings.

Virus Total detects malicious code

dodgyb opened this issue · comments

Checked ConfigureDefender_x64.exe on Virus Total and 3 engines reported malicious software:

https://www.virustotal.com/#/file/16c103ee6b1350dc80b01548e6cdf63d00905f0307f7ea8d75fa6ad9e549dcc5/detection

Antiy-AVL - Trojan/Generic.ASVCS3S.1E5

CrowdStrike Falcon - malicious_confidence_60% (W)

McAfee-GW-Edition - BehavesLike.Win64.Dropper.tc

https://www.virustotal.com/#/file/9941cf56d5d8aeee9227fc8806efe3f633c3a3cb402b842052970c8fe82a8d14/detection

Antiy-AVL - Trojan/Generic.ASVCS3S.1E5

SentinelOne - static engine - malicious

Sophos ML - heuristic

ConfigureDefender executables are always submitted to Microsoft, Avast, Symantec, BitDefender, and Emsisoft before publishing. The application changes Defender settings and some Windows Policies, so some behavior-based detections can flag it as suspicious/malicious.

Microsoft Defender also blocks download because of a virus...

Microsoft Defender also blocks download because of a virus...

Are you sure? Many people on BleepingComputer, MalwareTips, and WildersSecurity forums use ConfigureDefender and no one reported such an issue. I checked it also on my computer with Edge. Both SmartScreen and PUA protection in Edge allow downloading without alerts. I can also run the application without Defender's alert.
What was the source of the downloaded file?
Was the file digitally signed? (it should be)
Could you please recheck the issue?
Please check if the downloaded file is ConfigureDefender application or only the download assistant from the website which hosts application installers. The download assistant executables are often detected as PUA.

See also there for more info:
https://malwaretips.com/threads/configuredefender-utility-for-windows-10.79039/post-926725
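The checks this reply asks for (is the file signed, is it the same binary that was scanned, are local Defender definitions current) can be scripted. This is an added PowerShell example, not code from the issue or from the ConfigureDefender project; it assumes the Windows Defender PowerShell module is available and takes the path of the downloaded file as a parameter.

```powershell
# Added example (not part of the issue thread or the ConfigureDefender project).
# Verifies a downloaded ConfigureDefender executable along the lines suggested above:
#  1. SHA-256 against the two files reported to VirusTotal in this issue
#  2. Authenticode signature status (a genuine release should be signed)
#  3. Local Defender signature version vs. the version that cleared the false positive
param(
    [Parameter(Mandatory = $true)][string]$Path   # e.g. .\ConfigureDefender_x64.exe
)

# SHA-256 values taken from the two VirusTotal links in this issue.
$KnownHashes = @(
    '16c103ee6b1350dc80b01548e6cdf63d00905f0307f7ea8d75fa6ad9e549dcc5',
    '9941cf56d5d8aeee9227fc8806efe3f633c3a3cb402b842052970c8fe82a8d14'
)
# Signature version quoted in the thread as the one that removed the false positive.
$FixedSignatureVersion = [version]'1.329.2695.0'

# 1. Is this the same binary that was submitted to VirusTotal?
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
if ($KnownHashes -contains $hash) {
    Write-Host "SHA-256 $hash matches a file discussed in this issue."
} else {
    Write-Host "SHA-256 $hash is not one of the files from this issue (other release, or not the ConfigureDefender binary)."
}

# 2. Authenticode signature: an unsigned file suggests a download-assistant wrapper, not the real release.
$sig = Get-AuthenticodeSignature -FilePath $Path
switch ($sig.Status) {
    'Valid'     { Write-Host "Authenticode signature valid; signer: $($sig.SignerCertificate.Subject)" }
    'NotSigned' { Write-Warning "File is not signed; a genuine release should be." }
    default     { Write-Warning "Signature status: $($sig.Status) ($($sig.StatusMessage))" }
}

# 3. Defender definitions: Get-MpComputerStatus is in the Defender module shipped with Windows 10.
$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($status) {
    $current = [version]$status.AntivirusSignatureVersion
    if ($current -ge $FixedSignatureVersion) {
        Write-Host "Defender signatures $current include the false-positive fix ($FixedSignatureVersion)."
    } else {
        Write-Warning "Defender signatures $current predate $FixedSignatureVersion; run Update-MpSignature and rescan."
    }
}
```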

It seems that @firebowl did not download the ConfigureDefender installer but the whole GitHub repository in ZIP archive: ConfigureDefender-master.zip. For an unknown reason, the whole archived repository was flagged by Defender despite the fact that all files included in the archive were detected as clean. I submitted the archived repository to Microsoft today and the false positive has been removed with AntivirusSignatureVersion: 1.329.2695.0.
Thanks to @firebowl and the guys from the MalwareTips and WildersSecurity forums, the issue has finally been solved.