Windows Reports SpleeterGUI.exe as threat

Question

Windows Reports SpleeterGUI.exe as threat

Windowsurfer opened this issue 4 years ago · comments

Windows reports SpleeterGUI.exe as threat and puts it in quarantine.

Trojan:MSIL/Formbook.VN!MTB

Chris Mitchell · Answer 1 · Thu Jul 16 2020 07:58:06 GMT+0800 (China Standard Time)

Thanks for reporting this i'll take the download offline until i can work out what happened there.
My windows defender didn't pick it up and neither did malwarebytes but now it does, strange.
I wonder if this is a false positive. will need to test more before i post another file for download.

bascurtiz · Answer 2 · Thu Jul 16 2020 08:46:23 GMT+0800 (China Standard Time)

@boy1dr
Just popped up for me too:
"Trojan:MSIL/Formbook.VN!MTB"

However it didn't when installing a week ago.
So prolly false-positive.

You can manually let Microsoft review your .exe here: https://www.microsoft.com/en-us/wdsi/filesubmission/
I had to do this myself one time, and after reviewing instantly another 9 'virusscanners' on virtustotal.com determined my exe as OK =)

khunjiwon · Answer 3 · Thu Jul 16 2020 10:46:12 GMT+0800 (China Standard Time)

Hi, the same thing happened to me today. I will do a review submission as per @bascurtiz .

Chris Mitchell · Answer 4 · Thu Jul 16 2020 11:05:57 GMT+0800 (China Standard Time)

I have submitted it for review as the developer. Thanks @bascurtiz for the suggestion.
Hopefully they get back to us soon :)

helil · Answer 5 · Thu Jul 16 2020 19:37:23 GMT+0800 (China Standard Time)

Just to let you know...
I got it too:
Trojan:MSIL/Formbook.VN!MTB
15/07/2020 22:16

Scunkaneli · Answer 6 · Fri Jul 17 2020 00:12:42 GMT+0800 (China Standard Time)

12 hours ago 2/72, currently 4/72
https://www.virustotal.com/gui/file/e0baa6e31f3c5243789798321b2817ba69db57f7e55f96f056a18495931fbe14/detection
Info about FormBook: https://blog.talosintelligence.com/2018/06/my-little-formbook.html

Chris Mitchell · Answer 7 · Fri Jul 17 2020 07:56:43 GMT+0800 (China Standard Time)

I just downloaded this repository on another machine, defender removed the pre-compiled binaries as expected.
I loaded the solution in Visual C#2017 and ran it in debug mode. defender nuked the compiled exe immediately.

This is definitely a false positive so we just have to wait for Microsoft to give it the all clear.
Feel free to check over the code (form1.cs) and compile the project yourself if you need to be sure.

Windowsurfer · Answer 8 · Fri Jul 17 2020 08:22:04 GMT+0800 (China Standard Time)

Why does it recognize FormBook actually? Is it actually part of the software? Or is there any idea how this got recognized?
(Let it be mentioned: I'm not familiar with software programming at all)

Chris Mitchell · Answer 9 · Fri Jul 17 2020 08:26:06 GMT+0800 (China Standard Time)

@Windowsurfer
anti-virus software cannot actually look in all your files for all the known viruses that exist.
Instead they rely on pattern matching (otherwise known as heuristics).
Occasionally those known virus patterns can appear in other software code and cause whats known as a false positive.

Chris Mitchell · Answer 10 · Fri Jul 17 2020 10:34:55 GMT+0800 (China Standard Time)

It has been cleared by MS but it will still detect as a trojan until defender updates it's definitions file

Analyst comments:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

 1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender   
 2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”  
 3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

Chris Mitchell · Answer 11 · Sat Jul 18 2020 10:12:04 GMT+0800 (China Standard Time)

FYI defender still appears to be identifying the tojan even though Microsoft have cleared it.

Manually running the commands (see above) provided by Microsoft seems to have done the trick today.

Johnny Bravo · Answer 12 · Tue Jul 21 2020 17:02:58 GMT+0800 (China Standard Time)

Defender no longer identifies malware in this - just updated defender about 5 minutes ago, and re-installed, all good

Chris Mitchell · Answer 13 · Sun Jul 26 2020 16:07:06 GMT+0800 (China Standard Time)

New version 2.7 was released yesterday and again today MS defender has identified it as the same trojan.
I have sent the file to Microsoft today and they gave it the all clear.
Based on last time it might take a few days for your defender cache to clear and allow my app once more.

ilazarte · Answer 14 · Mon Jul 27 2020 14:06:42 GMT+0800 (China Standard Time)

Please keep us updated, this info should probably be posted on the readme.

Chris Mitchell · Answer 15 · Tue Jul 28 2020 06:00:00 GMT+0800 (China Standard Time)

@ilazarte readme has been updated. i was hoping defender would update quicker this time but sadly it has not.

Chris Mitchell · Answer 16 · Tue Jul 28 2020 06:01:39 GMT+0800 (China Standard Time)

Defender appears to still be detecting trojan even though it has been cleared by Microsoft 2 days ago.
Checking the submission report this morning shows the following

Chris Mitchell · Answer 17 · Sat Aug 01 2020 10:34:54 GMT+0800 (China Standard Time)

Version 2.8 is now available.
I have compiled this version as 64bit to avoid defender false positives.

Nabs617 · Answer 18 · Sun Nov 22 2020 23:36:24 GMT+0800 (China Standard Time)

Hey, 2.9 just came up as a positive today. Both the .exe and shortcut were said to have a virus according to Microsoft. Trojan:Win32/Fuery.C!cl

Chris Mitchell · Answer 19 · Mon Nov 23 2020 00:03:05 GMT+0800 (China Standard Time)

@Nabs617 Thanks for confirming this. i also got the notification earlier today.
This would be the 4th time i have had to fight Microsoft to clear my name. this is open source software and the exe i provide is for the convenience of those that would want to use it. i can assure you that is it virus free, these detection are false positives.
If you are concerned feel free to download the source code and compile it yourself.
The code signing certificate to prove the projects authenticity is AUD$500/year. hosting for this project is ridiculous at 2-4 terabytes per month and donations hovering around the AUD$40/month. I have funded this project for 12 months now and come new year i will pull the project after one final software release.
If you are willing to take on the project let me know, hopefully someone out there will take it on.
I'm not angry, i'm just over it. i hope you can understand :/

Nabs617 · Answer 20 · Mon Nov 23 2020 00:16:59 GMT+0800 (China Standard Time)

@boy1dr Hey, I totally understand. I hope things work out for you and the project, I'd hate to see it go.

SJegorovs · Answer 21 · Sun Aug 29 2021 01:39:20 GMT+0800 (China Standard Time)

Svens@jegorovs.de @boy1dr

I downloaded the MSI-version of spleeterGUI 2.9.1 and installed it, but I get an error window "can't find python.exe". So I downloaded the actual zip-version. Now the defender of Windows 10 say "Trojan:MSIL/Formbook.VN!mtb" detected. I'm updating the database of the defender regulary.

So my question: is there a trojan in the spleeterGUI.exe? When not, can I allow the defender to run the exe on my PC without the risk to catch a trojan?

A short Feedback will be nice.

SJegorovs · Answer 22 · Sun Aug 29 2021 01:54:31 GMT+0800 (China Standard Time)

Svens@jegorovs.de @boy1dr

I downloaded the MSI-version of spleeterGUI 2.9.1 and installed it, but I get an error window "can't find python.exe". So I downloaded the actual zip-version. Now the defender of Windows 10 say "Trojan:MSIL/Formbook.VN!mtb" detected. I'm updating the database of the defender regulary.

So my question: is there a trojan in the spleeterGUI.exe? When not, can I allow the defender to run the exe on my PC without the risk to catch a trojan?

A short Feedback will be nice.

Chris Mitchell · Answer 23 · Sun Aug 29 2021 20:12:36 GMT+0800 (China Standard Time)

@SJegorovs Hi mate. the 32bit version of SpleeterGUI often gets flagged as having a formbook trojan. As per Microsoft's advice i switched to 64bit and it's been fine ever since. be sure to use the latest version.
if you get "cant find python". in SpleeterGUI click Help > Set path, then choose your SpleeterGUI path.
Mine is C:\Users\chris\AppData\Roaming\SpleeterGUI
Change "chris" for your path.

SJegorovs · Answer 24 · Sun Aug 29 2021 23:23:50 GMT+0800 (China Standard Time)

@boy1dr Chris,

many thanks for your quick reply to me on a Sunday.

How I can switch to 64 Bit?

The error window disappeared and after starting the Gui it Shows spleeter Version 2.1.2

But when I try to seperate 2 steams, I get an error in "pywrap_tensorflow.py" line 64 in from tensorflow\python_pywrap_tensorflow_internal Import * and now steam will be exported.

Is there so thing missing in the Installation?

I've also the spleeterGUI_V2.0.zip. Will I find there the missing things?

It will be nice to hear back from you again.

Best regards
Svens

Chris Mitchell · Answer 25 · Mon Aug 30 2021 07:25:25 GMT+0800 (China Standard Time)

Please post the entire output so i can see whats going wrong.
Also you will need to be running SpleeterGUI v2.8 or v2.9. Previous versions where 32bit and was being detected as a trojan.

SJegorovs · Answer 26 · Mon Aug 30 2021 16:48:14 GMT+0800 (China Standard Time)

Dear Chris, attached you'll find the output of the spleeterGUI window after my try to split n MP3-file. I've used the spleeterGUI_V2.9.msi, where I don't get a trojan notice from Windows defender. The notice came from the spleeterGUI.exe in the Spleeter_Desktop_V2.zip, which I should not need. So I will delete the unpacked folder and the trojan note should disappear. Best regards from the rainy Travemünde/Germany Svens P.S: I hope, we can fix the problem within my 7 left vacation days

…

Chris Mitchell ***@***.***> hat am 30.08.2021 01:25 geschrieben: Please post the entire output so i can see whats going wrong. Also you will need to be running SpleeterGUI v2.8 or v2.9. Previous versions where 32bit and was being detected as a trojan. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub #36 (comment) , or unsubscribe https://github.com/notifications/unsubscribe-auth/AVMJUI37N5FHO2QK6YKORA3T7K6XBANCNFSM4O3AP4BQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub .

------------------------------- Svens Jegorovs Ostseestr. 10H 23570 Lübeck-Travemünde Telefon: 04502-888276 Mobil: 0171-6832819 eMail: ***@***.***

Chris Mitchell · Answer 27 · Mon Aug 30 2021 19:46:11 GMT+0800 (China Standard Time)

@SJegorovs i'll do my best to help out. i can't find your attached output though. can you paste it in here directly ?

SJegorovs · Answer 28 · Mon Aug 30 2021 19:57:20 GMT+0800 (China Standard Time)

Hello Chris, excuse me, that I forgot the attachment. Now I enclose it to this eMail. Best regards Svens

…

Chris Mitchell ***@***.***> hat am 30.08.2021 13:46 geschrieben: @SJegorovs https://github.com/SJegorovs i'll do my best to help out. i can't find your attached output though. can you paste it in here directly ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub #36 (comment) , or unsubscribe https://github.com/notifications/unsubscribe-auth/AVMJUI4FQ7KHMMBL6ZJKC7TT7NVQ5ANCNFSM4O3AP4BQ . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub .

------------------------------- Svens Jegorovs Ostseestr. 10H 23570 Lübeck-Travemünde Telefon: 04502-888276 Mobil: 0171-6832819 eMail: ***@***.*** Verarbeitung aller Lieder starten Verarbeiten M:\Audiosachen\Becci\VID-20210705-WA0001.mp3 Traceback (most recent call last): File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\pywrap_tensorflow.py", line 64, in <module> from tensorflow.python._pywrap_tensorflow_internal import * ImportError: DLL load failed: Eine DLL-Initialisierungsroutine ist fehlgeschlagen. During handling of the above exception, another exception occurred: Traceback (most recent call last): File "D:\obj\windows-release\37amd64_Release\msi_python\zip_amd64\runpy.py", line 193, in _run_module_as_main File "D:\obj\windows-release\37amd64_Release\msi_python\zip_amd64\runpy.py", line 85, in _run_code File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\spleeter\__main__.py", line 256, in <module> entrypoint() File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\spleeter\__main__.py", line 250, in entrypoint spleeter() File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\typer\main.py", line 214, in __call__ return get_command(self)(*args, **kwargs) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\click\core.py", line 829, in __call__ return self.main(*args, **kwargs) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\click\core.py", line 782, in main rv = self.invoke(ctx) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\click\core.py", line 1259, in invoke return _process_result(sub_ctx.command.invoke(sub_ctx)) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\click\core.py", line 1066, in invoke return ctx.invoke(self.callback, **ctx.params) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\click\core.py", line 610, in invoke return callback(*args, **kwargs) File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\typer\main.py", line 497, in wrapper return callback(**use_params) # type: ignore File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\spleeter\__main__.py", line 107, in separate from .audio.adapter import AudioAdapter File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\spleeter\audio\adapter.py", line 14, in <module> import tensorflow as tf File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\__init__.py", line 41, in <module> from tensorflow.python.tools import module_util as _module_util File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\__init__.py", line 40, in <module> from tensorflow.python.eager import context File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\eager\context.py", line 35, in <module> from tensorflow.python import pywrap_tfe File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\pywrap_tfe.py", line 28, in <module> from tensorflow.python import pywrap_tensorflow File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\pywrap_tensorflow.py", line 83, in <module> raise ImportError(msg) ImportError: Traceback (most recent call last): File "C:\Users\Svens\AppData\Roaming\SpleeterGUI\python\Lib\site-packages\tensorflow\python\pywrap_tensorflow.py", line 64, in <module> from tensorflow.python._pywrap_tensorflow_internal import * ImportError: DLL load failed: Eine DLL-Initialisierungsroutine ist fehlgeschlagen. Failed to load the native TensorFlow runtime. See https://www.tensorflow.org/install/errors for some common reasons and solutions. Include the entire stack trace above this error message when asking for help. Verarbeitung aller Lieder fertiggestellt Durchlauf abgeschlossen

Chris Mitchell · Answer 29 · Mon Aug 30 2021 20:02:52 GMT+0800 (China Standard Time)

@SJegorovs near the end it says "ImportError: DLL load failed: Eine DLL-Initialisierungsroutine ist fehlgeschlagen."
This is listed as the # 1 common issue with Spleeter on my help site https://makenweb.com/spleeter_help
It would appear that you are trying to run Spleeter on a CPU that does not have the instruction set it requires to run.

SJegorovs · Answer 30 · Mon Aug 30 2021 20:34:41 GMT+0800 (China Standard Time)

Dear Chris,

thanks for your reply so quick. Do that mean, that I cannot run spleeter on my PC any way?

Best regards
Svens

SJegorovs · Answer 31 · Tue Aug 31 2021 02:19:10 GMT+0800 (China Standard Time)

Dear Chris,do I understand things right and spleeter will never run on my older AMD E350 PC? When this is right, is there any alternative to spleeter, which works for sound separation? I hope, someone has a tip for me.Best regardsSvens Am 30.08.2021 14:03 schrieb Chris Mitchell ***@***.***>: @SJegorovs near the end it says "ImportError: DLL load failed: Eine DLL-Initialisierungsroutine ist fehlgeschlagen." This is listed as the # 1 common issue with Spleeter on my help site https://makenweb.com/spleeter_help It would appear that you are trying to run Spleeter on a CPU that does not have the instruction set it requires to run. —You are receiving this because you were mentioned.Reply to this email directly, view it on GitHub, or unsubscribe.Triage notifications on the go with GitHub Mobile for iOS or Android.

Chris Mitchell · Answer 32 · Tue Aug 31 2021 07:16:33 GMT+0800 (China Standard Time)

According to https://versus.com/en/amd-e-350-vs-intel-core-i3-2365m
You CPU does not have the AVX instruction set that spleeter requires to run.
I'm not sure of free alternatives but RX-8 is great at source separation.
There are various websites offering Spleeter you could try those. not sure how free they are.
try splitter.ai

bascurtiz · Answer 33 · Tue Aug 31 2021 07:31:45 GMT+0800 (China Standard Time)

@SJegorovs @boy1dr
I'd advice you to look into my comparison I did a year ago:
https://www.reddit.com/r/IsolatedTracks/comments/hhjczd/ai_separation_comparison/

My opinion:
Lalal.ai was/is best, but is paid by now.
Ultimate Vocal Remover v5 is next best, if not best right now:
https://youtu.be/F2EeRok6uo4