Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detected as HackTool:Win64/ExplorerPatcher!MTB #3228

Closed
Comeonnoob opened this issue May 4, 2024 · 98 comments
Closed

Detected as HackTool:Win64/ExplorerPatcher!MTB #3228

Comeonnoob opened this issue May 4, 2024 · 98 comments
Labels
Won't Fix This will not be worked on

Comments

@Comeonnoob
Copy link

For some reason, latest release of EP keeps getting false flagged by Windows defender as HackTool:Win64/ExplorerPatcher!MTB. I have to exclude this app's folder from Program Files manually to uninstall it properly. What is going on?

изображение

@Amrsatrio
Copy link
Collaborator

Amrsatrio commented May 4, 2024

TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin:

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now.

@pyrates999
Copy link

You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender.
You can also set windows defender to exclude the directory that you manually download EP to so you can install it without windows defender blocking it.

@Amrsatrio
Copy link
Collaborator

Also %APPDATA%\ExplorerPatcher

@Vlad55432
Copy link

microsoft is so mad ngl

@Apis035
Copy link

Apis035 commented May 7, 2024

Thats not a false detection. They literally named it as "HackTool:Win64/ExplorerPatcher!MTB" because they don't like EP.

@kpietraszko
Copy link

It would be nice if EP deleted ep_setup.exe as soon as possible after an update, that would probably decrease the detection rate.

@pyrates999
Copy link

It's used for uninstalling. It can't be deleted before then.

@Comeonnoob
Copy link
Author

Comeonnoob commented May 11, 2024

You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender. You can also set windows defender to exclude the directory that you manually download EP to so you can install it without windows defender blocking it.

Thank you, had to use this

Also it looks like Windows 11 24H2 update might be a disaster because Microsoft is actively blocking StartAllBack as well. Not good, Microsoft needs lawsuit from someone with a decent anmount of money.

@Amrsatrio
Copy link
Collaborator

Amrsatrio commented Aug 7, 2024

Just want to post an update to this issue, looks like this will continue to haunt us forever even with local builds.

From now on, users must have added the folders below to exclusions to prevent Defender from messing with EP while still keeping Defender active.

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

The reasons we're not setting the latest 66.4 build as release are:

  • It has been flagged as malicious by Microsoft.
  • Existing users who never visit this project's GitHub page will never know what's going on. They can get scared by the fact that EP seemingly got infected by a virus, while in fact it is not as long as ep_setup.exe is downloaded from the project's page, which is this GitHub repository.

So that's why we kept the latest release at 65.5 which is not flagged yet as of the time of writing. (66.4 is also not flagged)

To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer which will be a simple GUI to select between release and pre-release version as well as optionally including the folders into exclusions which will be checked by default. And when they flag the PowerShell script, we can easily break the hash by modifying the script more like what MAS has been doing monthly.

For updates, users will need to download updates through EP itself not by visiting the GitHub releases page anymore.

What do you guys think?

@Vlad55432
Copy link

What do you guys think?

Powershell script is nice touch, I like that.

@pyrates999
Copy link

great idea

@Anixx
Copy link
Contributor

Anixx commented Aug 21, 2024

It is not a false detection, it correctly detects it as hacking tool ExplorerPatcher.

@realAllonZ
Copy link

To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer

Sounds great @Amrsatrio! More developers should implement this method.

Where can we keep an eye out for your progress on the script?

@rodolfomachado
Copy link

rodolfomachado commented Sep 10, 2024

Hi, guys.
Ive been using EP for a good time with no issues but today when I started my PC Kaspersky detected as a dangerous object and deleted my Explorer.exe. My PC is starting but with almost no interface. I can use task manager, command. For now, I was not able to restore Explorer.exe.
Does anyone know a way? Tks

Edit:
Solved with "sfc /scannow

@Kickskii
Copy link

its marked as Backdoor:Win32/Bladabindi!ml now earlier today it was calling it HackTool:Win32/Patcher!MTB

@Anixx
Copy link
Contributor

Anixx commented Sep 10, 2024

Unlike most Trojan, Backdoor:Win32/Bladabindi!ml does not create a registry entry to run itself on Windows start-up. Instead, this threat will inject harmful code into valid processes including explorer.exe, iexplore.exe, firefox.exe, chrome.exe, opera.exe, and safari.exe. Trojan will load if user runs any of these programs.

Then, the Trojan tries to contact a command and control (C&C) server through HTTP request on the same port 80, the same way users can connect to the Internet. During analysis, it was discovered that most of C&C servers that provides remote command for this threat are originating from .TW domains.

Lastly, Backdoor:Win32/Bladabindi!ml attempts to gather cookie data from the infected computer. It is also interested in collecting Internet certificates and stores them under UserProfile folder.

@rodolfomachado
Copy link

Here is what Kaspersky shows

image

@ErMaqui
Copy link

ErMaqui commented Sep 23, 2024

I have created a suggestion in MSFT Feedback hub. This madness by MSFT will only stop if enough people raise a voice.

If you agree upvote at https://aka.ms/AAs87uy - note this link will open Feedback Hub on Windows. For some reason, it will not work on an Android device. Another MSFT architecture blunder!

Screenshot below:

image

image

I think M$ closed your request...

@KunjanChauhan
Copy link

I have created a suggestion in MSFT Feedback hub. This madness by MSFT will only stop if enough people raise a voice.
If you agree upvote at https://aka.ms/AAs87uy - note this link will open Feedback Hub on Windows. For some reason, it will not work on an Android device. Another MSFT architecture blunder!
Screenshot below:
image

image

I think M$ closed your request...

I just checked and its still open. There are 22 upvotes. If there are more experiences like yours then clearly something may be amiss .....!

In any case, this requested change will not be forthcoming from MSFT through just one post on the feedback hub. I think we need a lot more upvotes and overall noise through various other feedback pipes. It's not impossible to imagine MSFT not changing their point of view!

@osde8info
Copy link

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses

tried to upvote via your link but got

winfeed

had to upvote via this link instead https://aka.ms/AAse02b

@osde8info
Copy link

also upvoted native windows 11 cascade issue https://aka.ms/AAo78gw

@KunjanChauhan
Copy link

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses

tried to upvote via your link but got

winfeed

had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

@rodolfomachado
Copy link

rodolfomachado commented Sep 23, 2024 via email

@ErMaqui
Copy link

ErMaqui commented Sep 23, 2024

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses
tried to upvote via your link but got
winfeed
had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

Link opens automatically the feedback hub app... but the result are the same.

@pyrates999
Copy link

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses
tried to upvote via your link but got
winfeed
had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

see this comment: #3228 (comment)

@lucianoGG
Copy link

Windows 11 24h2 without issues, Kaspersky didn't detect anything

Version 22621.3880.66.6

@gsapient
Copy link

gsapient commented Oct 8, 2024

TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin:

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now.

This does not work, I get errors for all lines as follows:

Add-MpPreference : Operation failed with the following error: 0x%1!x!
At line:1 char:1

  • Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
  •   + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference],
     CimException
      + FullyQualifiedErrorId : HRESULT 0xc0000142,Add-MpPreference
    

And the same for all other lines

@pyrates999
Copy link

The powershell script must run with elevated privileges.

@Shane32
Copy link

Shane32 commented Oct 16, 2024

Have any devs attempted to communicate with Microsoft via https://www.microsoft.com/en-us/wdsi/filesubmission or reviewed the criteria for classification as PUA to see if perhaps some additional notices during installation are all that is necessary (see https://learn.microsoft.com/en-us/defender-xdr/criteria ). I sorta doubt that the feedback hub will do anything. Just wondering...

@Amrsatrio
Copy link
Collaborator

Yes Valinet did.

#3670 (comment)

@MonoxideXZ
Copy link

GUYS BE CAREFUL EXPLORER PATCHER IS A GAME HACK!!!!!!!!11!!!! (joke)

@BenReilly
Copy link

Despite the above powershell commands executing successfully, Windows is still blocking me from updating Windows 11, blaming ExplorerPatcher. Do you think it would be successful if I uninstalled EP, updated, and then resinstalled EP?

@ff66theone
Copy link

ff66theone commented Nov 12, 2024

Yes my PC came with win11 23h2 and i had to uninstall ep and then use the official iso to force upgrade to 24h2. I reinstalled it and now everything is ok.

EDIT: it may take some time (2 1/2 hours for me) and also it works without clean installing it

@pyrates999
Copy link

Despite the above powershell commands executing successfully, Windows is still blocking me from updating Windows 11, blaming ExplorerPatcher. Do you think it would be successful if I uninstalled EP, updated, and then resinstalled EP?

You always are supposed to uninstall EP before upgrading between windows 11 releases.

@ff66theone
Copy link

Yeah unfortunately Microsoft blocks updates for EP users...

@KunjanChauhan
Copy link

I just installed the latest MSFT updates followed by an auto-prompt EP update (v...67.1). Everything was fine.

The image shows which MSFT updates were installed.

image

@pyrates999
Copy link

We're referring to when you do an upgrade from 23h2 to 24h2, that is when you should uninstall EP first. Not for regular windows updates.

@ff66theone
Copy link

Yes for me 24h2 didn't even appear even though i had checked the "receive updates first" and when attempting to reset windows update it did nothing but throw me an error code after downloading the update, thats why i used an iso (to force upgrade)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Won't Fix This will not be worked on
Projects
None yet
Development

No branches or pull requests