Windows antivirus reports an issue with version 1.4.0
windows server 2019
Hi @ilanni2460,
This is a false positive. I don't know why some antivirus programs suddenly started detecting random problems with this program.
As always, you can feel free to inspect the source code and compile it yourself with Visual Studio 2022 Community or the .NET Framework Developer Pack 4.7.2 or later:
```powershell
git clone "https://github.com/Aldaviva/Fail2Ban4Win.git"
cd .\Fail2Ban4Win\Fail2Ban4Win\
msbuild -t:build -restore -p:Configuration=Release -p:RestoreLockedMode=true
# output is built in .\bin\Release\
```
Hi Ben,
Thanks for making Fail2Ban4Win.
There are now many more antimalware engines flagging Fail2Ban4Win 1.4.0 as malware.
I did some triaging to try to see what's getting flagged. I suspected that the usage of ILRepacker was the problem, but it appears not to be the case. Even artifacts built from source are being flagged by numerous AM engines on VirusTotal. I took the artifacts built from this repository's Actions, as well as those that I built in a forked clone, and almost all builds with recent source code are being flagged. The newest version that isn't flagged is 74cb52fbb6dbbc279ee16a0012aacbd330e70549 -- in other words, released version 1.3.2. Something about the changes in this commit:
commit 91709d6a666f5f8977cb39c324bc5453ee5f3eec
Author: Ben Hutchison <[email protected]>
Date: Fri Feb 14 08:23:19 2025 -0800
#40: Add option to keep existing bans on restart/shutdown
makes all the AM software freak out badly. Unfortunately, it's a rather large change, so it's not exactly trivial to pinpoint what's causing the alert. Here's VirusTotal's report for the Github Actions run from my tree based off of version 1.3.2. (Just MaxSecure, heuristic alert.)
The VT report for my re-build of 91709d6a666f5f8977cb39c324bc5453ee5f3eec is much more concerning. Many more AM agents are flagging it.
It's certainly possible that these reports are false-positives, but I think it's worth investigating what's going on.
Hi @jdstroy,
Thanks for taking a look at this.
Out of curiosity I made another build of the 1.4.0 tag but without repacking all the DLLs into a single EXE. The resulting ZIP had 0 detections on VirusTotal. This makes me think that there's no problem with the code in the program itself or any of the libraries it uses, one of which was new in 1.4.0.
The Microsoft Security Intelligence submission is still In Progress as of 2025-05-28.
Now that I'm a bit more alert... it looks like there are a fair number of reports about ILRepack triggering alerts throughout repositories on Github. Would it be reasonable to make releases of Fail2Ban4Win without merging the assemblies with ILRepack side-by-side with single-file releases while awaiting IPS/AV/AM vendors to resolve the reports?
I can certainly give that a try. I will get that artifact generated soon.
Released 1.4.1 with both repacked and unpacked EXE options.