On 6/20/2023 7:42 AM, AllanH wrote:
For all you Microsoft Defender AV lovers ;)
"Microsoft Defender now blocks and removes the file 7zFM.exe (32-bit x86) from 7-zip 23.01 by some reason.
It reports about Trojan:Win32/Wacatac.B!ml.
I suppose that it's false positive.
If you know any ways to fix that problem with Microsoft Defender, please write here."
https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/#e950
I tested in a Win10 VM. The labeling of the file was selected for tagging/bookkeeping
purposes, not because I actually got a hit on it. This is so I can locate this specific
sample if later I download 2301 again.
Name: 7z2301-x64-wacatac-x64.exe
Size: 1589510 bytes (1552 KiB)
SHA256: 26CB6E9F56333682122FAFE79DBCDFD51E9F47CC7217DCCD29AC6FC33B5598CD
OK, my first mistake was that I downloaded it on my Daily Driver; no hits
there, and I was not stopped from accessing it. I don't test-install on the
Daily Driver, and use a VM for that (which is still not absolutely safe,
but... whatever).
I neglected to remove the Alternate Streams blocking flag from the file.
If you do Properties on a downloaded file (all downloads), there is a
tick box you can use to remove the security status ("untrusted, was a download")
from the file. When the file showed up in the VM, Windows seemed to engage
SmartScreen, even though the slider for it was disabled. And SmartScreen
used the piss-weak method of "we haven't seen this executable before".
What a surprise (June 20 release date). I don't think I've seen this
before, so this might be a new feature from Patch Tuesday June 2023.
The test VM was freshly installed and patched, yesterday. Took no
time at all to fire up.
*******
With the blocking flag still in place, when I put that on the VM via
a copy from a share, it got flagged. This is a reputation flag,
where the hash of the file has not been seen enough for it
to have a reputation. Lots of low-rent AVs use this method.
It helps to scare customers and make them feel protected.
[Picture]
https://i.postimg.cc/bwP5m96m/reputation-analysis-is-worthless.gif
After correcting my handling error, I rolled back the VM and tried again.
All worked fine! :-) No wacatac here.
[Picture]
https://i.postimg.cc/HLkdhgSv/works-OK-Compat-Tel-Runner-was-noisy.gif
Summary: Minor drama, no real problem.
Windows defense systems are not exactly reproducible, so
my test means nothing. There could be a million factors in
software lineup, to trigger this. It's not like patching two
machines "to the same level" guarantees their WinSxS are the same.
After you run a program a couple of times, CompatTelRunner.exe is
invoked. The VM railed on its two cores for 15-20 seconds. MsMpEng
was busy during the time, SearchIndexer, and so on. It was a party
with a two drink limit.
Wacatac ML is a heuristic detection (like, say, tampering),
and the references I can find seem to be mostly false positives.
I'm sure Igor already knows this. VirusTotal got one hit (from the fifty
or so scanners), but that's just another one of those reputation flags,
and since it's from a "lesser AV", practice is to ignore those. If one
of the big guns flags a program, that is taken a bit more seriously.
Paul
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
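An added example, not from Paul's post, showing in PowerShell how to inspect the Zone.Identifier stream (the "untrusted, was a download" flag that the Properties tick box removes) and verify the download's SHA-256 against a known-good value before clearing it; the file path and expected hash are placeholders, not values from the thread.

```powershell
# Added example (not from the post): check the Mark-of-the-Web stream on a download
# and only unblock the file once its SHA-256 matches the publisher's value.
# $Path and $ExpectedSha256 are placeholders to be replaced by the reader.
param(
    [string]$Path = 'C:\Downloads\7z2301-x64.exe',          # assumed location
    [string]$ExpectedSha256 = 'PASTE-PUBLISHER-HASH-HERE'   # placeholder value
)

# Downloads carry a Zone.Identifier alternate data stream; ZoneId=3 means "Internet".
$motw = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($motw) {
    Write-Host "Mark of the Web present on $Path :"
    Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object { "  $_" }
} else {
    Write-Host "No Zone.Identifier stream; the file is not flagged as a download."
}

# Compare the actual hash with the publisher's value before trusting the file.
$actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Warning "SHA-256 mismatch: got $actual; leaving the Mark of the Web in place."
    return
}

# Hash verified: remove the download flag (same effect as the Properties tick box).
Write-Host "Hash matches; clearing the download flag."
Unblock-File -LiteralPath $Path
```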