Trojan Detected | Real or False Positive? #3670
Comments
|
same here. I'll hold off until the dev can confirm this is a false positive. |
|
Same. So:
|
|
Windows Defender also complains |
|
Bitdefender also quarantines the update stating: |
|
Seriously? We've been over this. |
|
Same for me - Bitdefender |
|
Confirming issue with MS Defender Detected: HackTool:Win32/Patcher!MTB |
|
Same here... |
|
Also not able to update. Windows defender blocks it as saying its a virus / hacktool. |
|
quote from the release page at https://github.com/valinet/ExplorerPatcher/releases/tag/22621.3880.66.5_5094108 > [!WARNING]
You are downloading a file flagged as malware by Microsoft and very likely by other major antivirus vendors. We believe that this false flag indicates Microsoft's hatred against this software, not because this contains a virus or such.
Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:
`C:\Program Files\ExplorerPatcher`
`%APPDATA%\ExplorerPatcher`
`C:\Windows\dxgi.dll`
`C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy`
`C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy`
For Defender, you can run the following script in PowerShell as an administrator:
```ps
Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"If you are downloading from this page, please temporarily disable real-time protection or save to a folder excluded from antivirus scans. Issues related to antivirus detections will be closed immediately. Discuss about this in #3228. |
|
This is new - previous updates worked fine |
It is indeed new. MS has deemed EP dangerous and conveyed it as such to the AV world. Hence all the sudden commotion. |
|
Warning You are downloading a file flagged as malware by Microsoft and very likely by other major antivirus vendors. We believe that this false flag indicates Microsoft's hatred against this software, not because this contains a virus or such. Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:
For Defender, you can run the following script in PowerShell as an administrator: Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"If you are downloading from this page, please temporarily disable real-time protection or save to a folder excluded from antivirus scans. Issues related to antivirus detections will be closed immediately. Discuss about this in #3228. Read, everyone. I do not want to say that this is not a virus other than the reason statement above. If you are scared then stay on 65.5 (last release without detections) and freeze your OS updates. It is just the installer that is flagged -- the DLLs that carry the patches are fine. |
|
@Menno5 So 65.5 just got flagged as dangerous today by Kaspersky? |
Sorry, I was confused here. Kaspersky started whining when trying to update within EP and also when downloading it manually. But that's of course for the 66.5 version. |
|
@hpchavaz Add the folders mentioned into exclusions. You will never have a luck with the "Allow on device" button. |
|
I am making a new PowerShell-based online installer now so that what it does should be more transparent. And most importantly it shouldn't do various of stuff just by opening it which is what a malware usually does. |
|
I ran the above script in PowerShell as an administrator. All is working as expected. Thank you. |
|
I am getting this error when trying to run in power shell (as administrator): |
|
@alex-zadara 0x800106ba means Defender is not active. You may have another antivirus program active. |
|
Adding "c:\Users\XXuserXX\AppData\Roaming\ExplorerPatcher" in antivirus exclusion solved the issue. |
|
You should report it to MS as a "FALSE POSITIVE" and ask them to justify their classification of it as malware. If you don't complain to them they will continue doing it - if you do there's a chance they will stop |
|
@perdrix52 Tried, no luck. They did not give me a reason why but instead added it as malware into the "next definition update." |
Probably that means that it will be marked safe again when the next definition update is received. Edit: So no, they just flagged it? |
|
Edited my comment. |
|
I got errors trying to run the script: David |
|
Did you run PowerShell as admin? Can you screenshot the console window fully with the title bar? |
|
Running as Admin seemed to work - 66.5 now installed |
|
I've been using Kaspersky AV for many years now. And it too flagged EP as dangerous a week ago. But a few days later it was all okay again, they recognised it as being a false positive. Knowing Kaspersky, they would never do that if there would be any doubt about it. Also the rather fast drop in mentions over at VirusTotal shows this. What amazes me, are the people here that have a kind of "outrage" about all this. They know that EP is altering Windows stuff, they know that EP does things to Windows that Microsoft did not intend for Windows 11. If security is such a hot thing for them, why use EP then in the first place? I just don't get that. Personally, I will keep on using EP as long as possible. I'm using it without the exception rules and it all just works. It all comes down to choice: if you don't trust it, uninstall EP and move on. If you are having doubts, keep an eye out for what's happening. Or , like me, realise this can always happen with these kind of programs. There are more than enough (freeware) programs that are deemed dangerous at first. Heck, I have 3D Fractal software that suddenly was a virus. But those were not actively prosecuted by Microsoft, so those were flagged as okay rather quickly. @valinet |
I base that on experience of having worked for a number of security companies who issued certificates - none would revoke a certificate based on the say so of a third party without extensive investigation including contact with the certificate holder. |
|
Yeah, I was replying to your "Not really likely" in regards to this:
That could definitely still happen and probably will.
This I am not arguing against. Yeah, it may be and probably is so. But it is beyond the point. Again, we have seen signed software being flagged by AVs anyway, System Informer (or Process Hacker, its true name before a similar saga to what is going on here happened on their forums as well) being an example. That's what I am saying.
Anyway, considering this, how should I approach obtaining an EV certificate? Do you have any recommendation as to one that could actually help here (I heard some CAs are more preferred than others to tools like SmartScreen or Defender)? It would be used both for EP and for obtaining Microsoft signature on the drivers hosted in various other projects here (so that's why I think an EV cert is needed). Any pointers, or maybe more than that? Thanks. |
|
Regarding SignPath, I am citing from their terms and conditions. First of all, I think these general terms we have to look at: Conditions for free OSS SignPath.io subscriptions
So, already an X. We move on:
Basically, there are A TON of conditions, I won't enumerate each and every one of them, needless to say, yeah, no go if you do not agree with them. But it is understandable, and still, at least they try to provide some solution, so I can only appreciate that.
This I agree the most. The CA regime is just a cash machine mostly: it is centered on revenue and creating a reunion of a few bodies which can discretionary tell everyone what is allowed and what not. Far from decentralized, far from inclusive to everyone, as shown. Far from mostly every noble principle in this world... Thank God for Let's Encrypt, at least. So yeah, SignPath doesn't seem like an option to me. I'd still favor an EV certificate, due to its versatility at least. We have a legal entity here, that is not a problem, it has fiscal history of at least 5 years, it's active in the business, so yeah... how to go about that? Will also look into Azure Trusted Signing. |
|
Looked a bit into Azure Trusted Signing: Yeah, not a good start. Besides no straightforward tutorial on how to integrate with GitHub's CI (it's not as if GitHub was owned by Microsoft too), yeah, I get the feeling this is there so why say they have something, but it is so complicated to use that you might as well give up in the process. I mean, has Microsoft ever set up a web server. Have they seen how Let's Encrypt does it? They give the feeling they want to replicate that when it comes to software distribution on Windows, but besides that... it has nothing to do with the straightforwardness and simplicity of the former - typical Microsoft I guess. Plus, how lame it is to use some Microsoft tool just for the sole purpose of fighting yet another Microsoft tool - all while wasting your own time, because why not. We've all ready gone through fixing what they break with this project ironically, why do we need to endure even more from them this time??? Plus:
Bummer, as expected though. I guess another testament to their commitment to openness, as they state: "Trusted Signing is part of the Microsoft commitment to an open, inclusive, and secure ecosystem." right on the front page. Big words that sound good, little actual actions in practice, the customary outcomes nowadays. Oh, well... Also, $9.99 a month at least no matter you sign anything or not because... why not another subscription, right? |
|
Recommendations for cert provider - sadly I'm a bit out of date here. I know that Certum (who was the last last free cert provider) has stopped doing free certificates. I'm pretty sure they now offer an open source signing cert of €69 (I don't think their cheaper options work for you). Take a look at https://shop.certum.eu/open-source-code-signing.html |
|
To me ExplorerPatcher being specifically flagged by Microsoft is a badge of honor, they're trying to stop what fixes their half-functioning OS. I find it dumb that people are blindly trusting Microsoft instead of doing the research or building it themselves. Big thanks to everyone maintaining this project, sorry y'all had to deal with the drama. |
|
I think that we all agree that the MS Defender is incorrectly flagging the latest versions as a virus. Wrapping it with a Cert won't change that, a Cert only can serve as a way to automatically verify that the file that we download to our computer hasn't been tampered with (instead of having to manually check hashes).
I'm only begging to remove the current advice and NOT tell anyone to disable their antivirus. |
Interesting, although yeah, another condition from a cert provider is for them to provide some sort of cloud supported HSM. A USB key to be plugged into a PC doesn't really cut it. I mean, ideally, the CI/CD build recipe could be updated to connect to the cloud HSM and get the binary signed. That's the only realistic way I see it. I have looked at this in the past, believe me, it's more complicated than it needs to be, that's why I gave up, too much hassle and nothing really in return. With a physical HSM, a so-so solution would be to host a signing server myself on some on-prem infrastructure where I plug the USB device into. But that opens a whole vector of vulnerabilities, since I have to take care to secure it and so on, when others specialized in this sort of stuff could do it (i.e. I do not want to take on my liability that I can easily avoid by not bothering). Plus, I am sure doing that scenario is kind of against their ToS. So all I am left is manually signing the releases, but to me, this defeats the whole promise and purpose of the automated CI/CD. Even if it weren't so, manually clicking a 'Sign' button on each release is an unnecesary process, and I do not know why most keep insisting with this sort of thing - I have set up the build script, yes, I am sure I want it to also sign the executables, I trust the dev env there, so why bother me on each and every time. Security via annoying users is not security, it's just an annoyance. But maybe they support some form of cloud based HSM, I will look around their site.
No, again, it doesn't do that. I can still temper with the file and just sign it, I have explained this a million times. A cert does nothing in this scenario. It's just some believe it stops Defender or other products from flagging EP, that's all. I want to be clear about that. Let's stop spreading this misinformation. Digital signing here is useless from a trust point of view. Digital signing only helps when you a resource is transferred over an unsecured channel. That's it. It helps the receiving party verify the transferred resource originates from the expected party, provided they share a common base knowledge (which in this case is the trusted root certification authority store in the OS). That's it, really. It doesn't tell you whether the resource is exactly what you expect, only that it is from who you expect. For the former, you still need to validate checksums, for example. And for the latter, a cert is not needed here, the goal is already met by the existing infrastructure, I explain again:
So, when the file gets to your PC, provided you trust GitHub, and verify the release against the file in the artifacts, not only you are guaranteed the file is from us, ExplorerPatcher, which is what the cert does, but you are also guaranteed that the file is what you asked for, and not some modified file that we instead signed and uploaded in place of the original file. That's why I say, signing the executable is utterly redundant in this scenario. Sure, if you then want to send the file to others in your local network over HTTP, let's say, then yeah, depending on your network config, the traffic might get tampered and the file changed. That's why you can send the checksum over. But that can be tampered too. And from there, you start developing a whole host of solution to address your problem. But it is your problem, what you do afterwards with the file is your choice and subsequent problem - I do not get why it has to be EP's problem. For what is worth, you or anyone want it signed, get yourself a cert (or issue yourself one, act as a CA on your managed PCs, whatever) and sign it and from there you benefit of the few benefits that come with signing for your own use case. But tl;dr signing the app in this scenario brings no security benefits when it comes to the delivery of the executable from us (and not really us, GitHub's build infra, which we CANNOT touch) to you. None. It's just a supposed magic pill that some think will shut off Defender and its peers. If it weren't for that, no one really would have wanted that because... yeah, im the current context, it's useless.
I have made submissions with the latest EP release here for the time being, despite some people's impression that we do not give a shit or are too obtuse or whatever non-sense I have had the pleasure to read in these threads throughout the years.
Isn't that implicit? People need to be told that code in a git repo should be... compiled? Pardon me, but this is a developer's site first and foremost. And I never said not to do that. At every opportunity I encouraged people to do so. Not only that, I have made Why is "disable you AV" such a tabu, just because the higher powers deemed it 'bad'? I told you, I run without AV on all my PCs for years now, and all this has done is spare me from taking active part in these kinds of sagas, like here, and as reported elsewhere, like the laptop suddenly going to 100% CPU for no reason because Defender decided to do some non-sense or entered a loop it doesn't want to get out of and so on... Demand the freedom to make informed choices, then educate yourself and make informed choices. You know, AVs are hardly the only thing protecting the modern OS. If it were, we would be in deep shit today. Luckily, more robust mechanisms that make it redundant tbh, imo, are already in place. If you ask me, AV nowadays is just a relic, but yeah, nothing against whoever uses them, whatever works best for you, but do not complain to me when something from a 3rd party goes nuts and does not work as advertised... Complain to that 3rd party... It's strange to me why me, from the position of publishing the source code and ensuring I have an automated, untampered build env, it's me that I have to go though hoops to reason with some AV vendor that just comes, labels me 'bitch' and provides no actual proof for such statements. You know, in real life yo ucan get sued for this, it's called calumny.
Where am I telling people to do that? I think the release page makes mentions of how to add exceptions for paths where EP is located. What is bad in that? Please show me exactly what you want removed. |
|
If you tamper your own stuff and sign it - that's not a valid test of digital signature - because YOU have the private key so you can sign anything - that's not the issue. The issue is the certification says a) that YOU signed it, and b) no-one else has tampered it. |
We are not testing how digital signatures work here. I believe what needed to be said has been said, explained and outlined more than reasonably. As stated, I will now shit off these forums for an indefinite period as a cooldown measure as we figure out the best course of action for the situation we are in. We will keep everyone updated here and via Discord about our decisions and updates. Again, thanks again to everyone that contributed with constructive feedback and support. |
|
Thats not what I meant - I meant that DS doesn't cover malware that is signed by the cert owner |
|
Latest updates: Despite not really wanting myself to do so, as I do not see any value in doing it, I have submitted the latest https://www.microsoft.com/en-us/wdsi/submission/5ced98e6-c350-4ee8-b9d0-45de5ad1df3c My original description of the file provided via the submission form:
Here's the reply they gave via the portal:
Tbh, as I expected: a bot-like reply, no actual useful info or way forward. Unregulated corporations at their finest. I maintain my opinion as to them using the AV as a political instrument, I have yet another argument for this at the moment. PS: We have retracted on the previous decision and will keep the forums here open. Sorry for the mishap. |
|
Thanks for re-enabling the comments (and for a fantastic piece of software of course!) I think the MS flagging EP, while deliberate, might not be motivated personally or 'politically', but rather by simply wanting to play it on the safer side. Considering EP users know that:
Please consider the scenario by which the backdoor was slipped into linux xz/liblzma library. Now, having this in mind... I noticed a new contributor to the EP. I also noticed that ep_setup.exe increased in size from 1.25 MB to 10.1 MB recently. I'm not saying there's anything wrong with it. I'm saying that since I don't have the expertise/resources to verify that, and seeing some warning flags, I get more reluctant to install it (or exclude it from my AV). I think the same thinking might have urged Microsoft to flag it as 'bad' to err on the side of safety. Just wanted to share my perspective. |
I am familiar with the xz backdoor. I have read your referenced article, and the references there. The topic is indeed very interesting, with a ton of opinions, some genuine and some interest driven imo. I also appreciate and understand your point of view. But it is just that up to now, your point of view. My problem is with the lack of communication with Microsoft, despite our efforts to facilitate a dialogue here. I understand, you say that maybe Defender blocks ExplorerPatcher just because if we were to somehow fuck something up, intentionally or unintentionally, when pushed out the update will fuck a bunch of people. But that could happen with any other product out there, used on a daily basis, by far more people than EP. Take Chrome for example, there are thousands of contributions to Chromium. Is that soon to follow? Probably not. That's why I feel it's just bullying the little guys that somehow disturb their business interest; they didn't seem to have a problem signing a driver which 100% of the time immediately crashed every piece of computer it was installed onto. Again, questions no one asks, because few actually understand what goes into that. All of us are forced to go though this non-sense of having drivers signed by Microsoft if we want to give them to others, yet, not even for the "big dogs" at least, they didn't seem to care doing a manual, superficial, review where they actually deploy the piece of code before signing it, and see how it badly misbehaves. If they are not doing even that, why say it is from a security perspective, when it looks like it is not...? To think about how CrowdStrike also missed the mark and couldn't stop the deployment up after seeing it crashes every computer, to me it looked like no one bothered to do any testing. Idk, I don't think most people expect that Defender makes its decisions after some actual evidence, not on the logic that "better block this because if it were to be bad, it would cause a lot of havoc". Especially since this OS component cannot be, officially at least, disabled on most Windows installs - so maybe people expect it to take decisions on actual evidence, or reasonable heuristics? Or at the very minimum, explain a measure it takes. I haven't seen that. Okay, they say EP is malicious, but never have I or anyone else been given an official explanation, in non-bot language, from Microsoft, as to why is that. Latest case in point today, above. That's my problem. At least what they expect from us to mitigate. That we will do or are actually able to, that remains to be seen (for example, I cannot summon 20 vetted maintainers out of the blue just now). I strongly believe in each and everyone's right to run whatever software they want on the CPUs they use (so PCs, phones and so on). With this, obviously comes the responsibility of deciding for yourself whether to run something or not.
About the increase in the installer size, it's simple, if you check the commit history: because Microsoft keeps removing system files from the OS which are needed for various features (for example, |
How do I find that script? Is it also good to uninstall the existing installation of EP? |
|
It hasn't been released yet. |
Sorry, I thought it was, since Dave in the subsequent comment said he ran that script (and had some issues). Thanks |
The idea here was that it made it easier for users to get going. You can't do much either, or at least couldn't back when the idea with the original installer came. Many programs just install, without asking anything after executing its installer, Chrome for example. |
|
Latest version of Microsoft Defender no longer considers ep_setup.exe as a virus, ep_weather_host_stub.dll is still reported as a virus |
|
same here, Win11 McAfee trashed it away :( |
|
Then you need to exclude the same directories and files in McAfee that you would in the powershell script for windows defender. |
|
hoping this is a useful contribution.. however, i got it going by building it myself. kinda held my breath looking at the newly built installer not being whisked away. anyway, i was able to run it and am now on the newest version. fwiw, i'm on the latest vs2022 and cmake 3.31.0-rc1, and built everything in release mode. hope this gives some folks a path. |
|
If this is a work computer, read this: https://github.com/valinet/ExplorerPatcher/wiki/ExplorerPatcher's-taskbar-implementation |
|
Hey @valinet - been reading your replies here. Thank you so much for all your time and efforts. I'd like to ask something here, but please don't take this as I'm someone who doesn't trust the project (I've even donated you not so long ago, and after WD started flagging this). In this page, it's mentioned that:
Could you please explain why the source code can't be shared? What "legal reasons"? I was trying to find some explanation for this, but I couldn't find anywhere. I know you said in this thread:
The thing is that even if it's an "optional component", it's something that is being downloaded into our machines, and could be executed without our consent. I'm not saying that's what happens, or that that specific code is malicious, but I also don't feel comfortable having a component that is not open sourced. Many thanks!! |
The code was reverse engineered from their closed source Windows 10 taskbar code. If we open source this, we risk getting a DMCA. The code will not run until you select Windows 10 (ExplorerPatcher) taskbar style. in the Taskbar section of EP's Properties window. As much as I want to open source this thing for the knowledge of everyone, the fact still stands. |
|
Ah, makes total sense! Thank you very much for the explanation. 👍🏻 |
|
I am also uncomfortable with running closed source programs made by an individual who I do not know well. I always put the binary in IDA or something to see if it's legit or something else. Don't worry, you're not alone. |
and others
It's the first time I've seen this app as a trojan. Any thoughts?
https://www.virustotal.com/gui/file/1c4e1847c722db18d58216c43aa40ad87c8a38aa6196e69d55c0687b8506bf94/details
The text was updated successfully, but these errors were encountered: