
Unable to download latest driver release 1.4.2.20250618 as it detected as containing a virus by Windows Defender

Open linux-wizard opened this issue 5 months ago • 5 comments

Describe the bug

When trying to download the latest ODBC release (1.4.2.20250618) driver for Windows, the download is blocked in Microsoft Edge and reported as containing a virus

Steps to reproduce

  1. Using Windows Server 2022 Datacenter 21H2
  2. Microsoft Edge 137.0.3296.93 (Official build) (64-bit)
  3. Download https://github.com/ClickHouse/clickhouse-odbc/releases/download/1.4.2.20250618/clickhouse-odbc-windows-x64-Release.zip
  4. Download is blocked with the message: Couldn't download - Virus detected

This doesn't happen with previous release 1.4.1.20250523

Expected behaviour

Download is successful

Code example

N/A

(screenshot attached)

Error log

N/A

Query log

N/A

Configuration

Environment

  • Driver version: 1.4.2.20250618
  • OS: Windows Server 2022 Datacenter 21H2
  • ODBC Driver manager:

ClickHouse server

Not relevant

linux-wizard avatar Jun 27 '25 10:06 linux-wizard

Threat detected as Trojan:Win32/Sonbokli.A!cl

(two screenshots attached)

linux-wizard avatar Jun 27 '25 10:06 linux-wizard

looks weird

virustotal show nothing https://www.virustotal.com/gui/url/79bd8a40bce1efe713033400eed79b82e37357d0192bb867f0220a1d716855f4?nocache=1

Slach avatar Jun 27 '25 11:06 Slach

This is very strange. We have tested the file using various online and offline scanners, and nothing has been detected. The entire process is very transparent: releases are built in GitHub Actions using GitHub-hosted runners. The build process is straightforward, and all additional software is installed only from official sources. Nothing is installed before the artifact is uploaded—only the official GitHub Actions runner image is used. Furthermore, the file hashes on the release pages match those from the build logs.

That said, I am quite confused myself. I have a strong feeling that this is a false positive from Windows Defender on Microsoft Server. However we need to investigate this more.

My initial thought was to delete the release, but I also want to ensure that everything remains open and transparent. We have marked the release as broken and strongly recommend not installing it at this time. Any ideas or feedback from our users are always welcome.

For reference:

  • Release: https://github.com/ClickHouse/clickhouse-odbc/releases/tag/1.4.2.20250618 — built in GitHub Actions using a GitHub runner, image https://github.com/actions/runner-images/blob/win25/20250609.2/images/windows/Windows2025-Readme.md
  • Build logs: https://github.com/ClickHouse/clickhouse-odbc/actions/runs/15730380793/job/44329913047
  • File hashes in the build logs and on the release page for version 1.4.2.20250618: 345ff0edfda7304d6474a6f26d800ba4232c695c89e91361c3fc63435b18ae7d

🙏 Special thanks to @linux-wizard for promptly reporting the issue!

slabko avatar Jun 28 '25 10:06 slabko
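The check described in the comment above (the artifact hash on the release page matching the hash in the GitHub Actions build log) is something a user on the affected Windows box can reproduce locally, and at the same time pull the exact threat name and signature version Defender used. The following PowerShell script is an added example for this thread, not code from the clickhouse-odbc project; the download URL and the expected SHA-256 are the ones quoted in the issue, while the temporary download path and the Defender cmdlets' output columns are assumptions about the local environment.

```powershell
# Added example (not part of clickhouse-odbc): verify the 1.4.2.20250618 Windows artifact
# against the SHA-256 published in the build log / release page, then ask Microsoft Defender
# to scan that exact file and report what it decided and with which signature version.

$Url      = 'https://github.com/ClickHouse/clickhouse-odbc/releases/download/1.4.2.20250618/clickhouse-odbc-windows-x64-Release.zip'
$Expected = '345ff0edfda7304d6474a6f26d800ba4232c695c89e91361c3fc63435b18ae7d'  # from the thread
$Path     = Join-Path $env:TEMP 'clickhouse-odbc-windows-x64-Release.zip'     # assumed local path

# Edge blocked the download in the report; Invoke-WebRequest bypasses the browser, but
# Defender real-time protection still scans the file as it is written to disk.
Invoke-WebRequest -Uri $Url -OutFile $Path

# If real-time protection already quarantined the file, it will be gone by now.
if (-not (Test-Path -Path $Path)) {
    Write-Warning "File is missing after download; Defender may have quarantined it on write."
} else {
    # Compare the local hash with the CI hash. A mismatch means the bytes differ from what
    # GitHub Actions built, which is a supply-chain question rather than a false-positive one.
    $Actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    if ($Actual -ne $Expected) {
        Write-Error "SHA-256 mismatch: got $Actual, expected $Expected"
    } else {
        Write-Host "SHA-256 matches the published build-log hash: $Actual"
    }

    # Explicit on-demand scan of just this file (ScanType 3 = custom scan of a path).
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Path
}

# Detections Defender recorded for this path, plus the threat names it mapped them to
# (the report shows Trojan:Win32/Sonbokli.A!cl) and the signature version in force.
Get-MpThreatDetection |
    Where-Object { $_.Resources -like "*$Path*" } |
    Select-Object DetectionID, ThreatID, InitialDetectionTime, Resources

Get-MpThreat | Select-Object ThreatName, SeverityID
(Get-MpComputerStatus).AntivirusSignatureVersion
```

Record the signature version together with the detection: once Microsoft ships the corrected definitions (as happened here after the file submission), rerunning the script shows whether the new version still flags the same, unchanged bytes, which separates a definition-update problem from a changed artifact.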

I will spawn another clean Windows instance running Windows in AWS and try again. I should have time to do this next week.

linux-wizard avatar Jun 28 '25 11:06 linux-wizard

I submitted the file to Microsoft for malware analysis at https://www.microsoft.com/en-us/wdsi/filesubmission. They confirmed that the file is clean and said they will update Microsoft Defender rules to reflect this within 12 hours.

I believe it's safe to remove the "broken" label from the release.

slabko avatar Jun 30 '25 15:06 slabko

Closing the ticket, as the Windows Defender update should now be rolling out. Feel free to reopen it if the issue persists.

slabko avatar Jul 01 '25 18:07 slabko

@slabko Thank you for your support and prompt actions. I will try to test this ASAP

linux-wizard avatar Jul 07 '25 12:07 linux-wizard