-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Detected as HackTool:Win64/ExplorerPatcher!MTB #3228
Comments
TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin: Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now. |
You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender. |
Also %APPDATA%\ExplorerPatcher |
microsoft is so mad ngl |
Thats not a false detection. They literally named it as "HackTool:Win64/ExplorerPatcher!MTB" because they don't like EP. |
It would be nice if EP deleted ep_setup.exe as soon as possible after an update, that would probably decrease the detection rate. |
It's used for uninstalling. It can't be deleted before then. |
Thank you, had to use this Also it looks like Windows 11 24H2 update might be a disaster because Microsoft is actively blocking StartAllBack as well. Not good, Microsoft needs lawsuit from someone with a decent anmount of money. |
Just want to post an update to this issue, looks like this will continue to haunt us forever even with local builds. From now on, users must have added the folders below to exclusions to prevent Defender from messing with EP while still keeping Defender active. Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy" The reasons we're not setting the latest 66.4 build as release are:
So that's why we kept the latest release at 65.5 which is not flagged yet as of the time of writing. (66.4 is also not flagged) To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer which will be a simple GUI to select between release and pre-release version as well as optionally including the folders into exclusions which will be checked by default. And when they flag the PowerShell script, we can easily break the hash by modifying the script more like what MAS has been doing monthly. For updates, users will need to download updates through EP itself not by visiting the GitHub releases page anymore. What do you guys think? |
Powershell script is nice touch, I like that. |
great idea |
It is not a false detection, it correctly detects it as hacking tool ExplorerPatcher. |
Sounds great @Amrsatrio! More developers should implement this method. Where can we keep an eye out for your progress on the script? |
Hi, guys. Edit: |
its marked as Backdoor:Win32/Bladabindi!ml now earlier today it was calling it HackTool:Win32/Patcher!MTB |
Unlike most Trojan, Backdoor:Win32/Bladabindi!ml does not create a registry entry to run itself on Windows start-up. Instead, this threat will inject harmful code into valid processes including explorer.exe, iexplore.exe, firefox.exe, chrome.exe, opera.exe, and safari.exe. Trojan will load if user runs any of these programs. Then, the Trojan tries to contact a command and control (C&C) server through HTTP request on the same port 80, the same way users can connect to the Internet. During analysis, it was discovered that most of C&C servers that provides remote command for this threat are originating from .TW domains. Lastly, Backdoor:Win32/Bladabindi!ml attempts to gather cookie data from the infected computer. It is also interested in collecting Internet certificates and stores them under UserProfile folder. |
I think M$ closed your request... |
I just checked and its still open. There are 22 upvotes. If there are more experiences like yours then clearly something may be amiss .....! In any case, this requested change will not be forthcoming from MSFT through just one post on the feedback hub. I think we need a lot more upvotes and overall noise through various other feedback pipes. It's not impossible to imagine MSFT not changing their point of view! |
windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses tried to upvote via your link but got had to upvote via this link instead https://aka.ms/AAse02b |
also upvoted native windows 11 cascade issue https://aka.ms/AAo78gw |
It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!! |
Link opens automatically the feedback hub app... but the result are the same. |
see this comment: #3228 (comment) |
Windows 11 24h2 without issues, Kaspersky didn't detect anything Version 22621.3880.66.6 |
This does not work, I get errors for all lines as follows:
And the same for all other lines |
The powershell script must run with elevated privileges. |
Have any devs attempted to communicate with Microsoft via https://www.microsoft.com/en-us/wdsi/filesubmission or reviewed the criteria for classification as PUA to see if perhaps some additional notices during installation are all that is necessary (see https://learn.microsoft.com/en-us/defender-xdr/criteria ). I sorta doubt that the feedback hub will do anything. Just wondering... |
Yes Valinet did. |
GUYS BE CAREFUL EXPLORER PATCHER IS A GAME HACK!!!!!!!!11!!!! (joke) |
Despite the above powershell commands executing successfully, Windows is still blocking me from updating Windows 11, blaming ExplorerPatcher. Do you think it would be successful if I uninstalled EP, updated, and then resinstalled EP? |
Yes my PC came with win11 23h2 and i had to uninstall ep and then use the official iso to force upgrade to 24h2. I reinstalled it and now everything is ok. EDIT: it may take some time (2 1/2 hours for me) and also it works without clean installing it |
You always are supposed to uninstall EP before upgrading between windows 11 releases. |
Yeah unfortunately Microsoft blocks updates for EP users... |
We're referring to when you do an upgrade from 23h2 to 24h2, that is when you should uninstall EP first. Not for regular windows updates. |
Yes for me 24h2 didn't even appear even though i had checked the "receive updates first" and when attempting to reset windows update it did nothing but throw me an error code after downloading the update, thats why i used an iso (to force upgrade) |
For some reason, latest release of EP keeps getting false flagged by Windows defender as HackTool:Win64/ExplorerPatcher!MTB. I have to exclude this app's folder from Program Files manually to uninstall it properly. What is going on?
The text was updated successfully, but these errors were encountered: