
In version 1.1.1, a Trojan horse is detected by Windows Defender.

Open HIJIKIsw opened this issue 3 years ago • 9 comments

I believe it is a false positive. I would appreciate it if you could investigate the cause. [1] [2]

HIJIKIsw avatar Jun 18 '21 09:06 HIJIKIsw

[1] 1.1: https://www.virustotal.com/gui/file/e5da7e841e94587da24bfacd4d3b7ea0e177b12f91bc42dc9a24daa71d08ee09/detection
[2] 1.1.1: https://www.virustotal.com/gui/file/c34cc41f218bf35bae68b7762cd1069f7edcac9ee2c1aa11d25796c6b9c27f4e/detection

Might be related to the update fetcher, although 1.1 didn't trigger Defender.

Checking the highlighted CVEs, it's likely due to lack of security.

fefo-dev avatar Jun 18 '21 17:06 fefo-dev

This might simply be due to the combination of connecting to the internet and injecting a DLL. I’m not sure what else it would be. It doesn’t drop any files, it only tells the user to get the update.

AltimorTASDK avatar Jun 19 '21 20:06 AltimorTASDK

I am also having issues with the latest release.


YoJimbo0321 avatar Jun 26 '21 05:06 YoJimbo0321

I submitted the file to Microsoft and the issue should now be resolved.

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

Virustotal says the injector matches a malicious TLS client fingerprint, so it’s possible that cpp-httplib was used by some malware and its TLS behavior got flagged.

AltimorTASDK avatar Jul 15 '21 19:07 AltimorTASDK

Thanks for the update! In case anyone else is still having issues, I found that, in addition to following the above steps to update my malware definitions, I also had to clear my Windows Defender Protection History.

This can be verified by navigating to the Protection History dashboard (Windows Security > Virus & threat protection > Protection history). The .zip file was still marked as being blocked from downloading after previously having been mistaken for malware.

To clear the blocked file history, I had to delete the files in the folder located at:

...\ProgramData\Microsoft\Windows Defender\Scans\History\Service

After that, I was finally able to download strivehitboxes.zip without issue.

EDIT: After unzipping the file and attempting to run it, the file was once again quarantined by Windows Defender despite having updated my malware definitions. I had to choose to manually restore the file at the location in the attached screenshot, and it appears to finally work.

YoJimbo0321 avatar Jul 21 '21 00:07 YoJimbo0321
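The signature-refresh steps from Microsoft's reply and the manual restore described in the comment above, combined into one defender-side check. This is an added example, not code from the issue thread or the strivehitboxes project: it verifies the download's SHA-256 against the 1.1.1 hash from the VirusTotal link in the original report before anything else, runs the two MpCmdRun commands, then custom-scans the file and lists any Defender detection entries that still reference it. It assumes an elevated PowerShell session; $ZipPath is an assumed download location.

```powershell
# Added example, not from the issue thread or the project. Assumes an elevated
# PowerShell session; $ZipPath is an assumed location. The expected hash is the
# 1.1.1 SHA-256 taken from the VirusTotal link in the original report.
param(
    [string]$ZipPath = "$env:USERPROFILE\Downloads\strivehitboxes.zip"  # assumed path
)
$ExpectedSha256 = 'c34cc41f218bf35bae68b7762cd1069f7edcac9ee2c1aa11d25796c6b9c27f4e'
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

# 1. Refuse to go further unless the file is byte-identical to the analysed release.
if (-not (Test-Path -LiteralPath $ZipPath)) { throw "File not found: $ZipPath" }
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedSha256) {
    throw "SHA-256 mismatch ($actual vs $ExpectedSha256): not the reported release, do not restore it."
}
Write-Host "Hash matches the 1.1.1 release from the issue."

# 2. Clear cached dynamic signatures and fetch current definitions
#    (the two commands from Microsoft's reply).
& $MpCmdRun -removedefinitions -dynamicsignatures | Out-Null
& $MpCmdRun -SignatureUpdate | Out-Null
$status = Get-MpComputerStatus
Write-Host ("Definitions now {0} (updated {1})" -f
    $status.AntivirusSignatureVersion, $status.AntivirusSignatureLastUpdated)

# 3. Custom-scan only this file (-ScanType 3). MpCmdRun exits 0 when nothing
#    is detected and 2 when a threat is found.
& $MpCmdRun -Scan -ScanType 3 -File $ZipPath | Out-Null
$scanExit = $LASTEXITCODE

# 4. Cross-check Defender's own detection log for entries naming this path.
$hits = @(Get-MpThreatDetection | Where-Object {
    $_.Resources -match [regex]::Escape($ZipPath)
})
foreach ($h in $hits) {
    $name = (Get-MpThreat | Where-Object ThreatID -eq $h.ThreatID).ThreatName
    Write-Host ("Logged detection: {0} at {1}" -f $name, $h.InitialDetectionTime)
}

if ($scanExit -eq 0 -and $hits.Count -eq 0) {
    Write-Host "Clean after refresh: the release is no longer flagged."
} elseif ($scanExit -eq 0) {
    Write-Host "Scan is clean; remaining entries are stale Protection History records."
} else {
    Write-Host "Still detected with current definitions; leave it quarantined and resubmit to Microsoft."
}
```

If step 3 is clean but step 4 still lists entries, that is the stale Protection History the comment above describes, not a live detection.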

Looks like it's showing up under a different detection name anyways. I'll replace cpp-httplib and see if it makes a difference.

AltimorTASDK avatar Jul 22 '21 00:07 AltimorTASDK

I'm sure you're aware at this point, but the latest version keeps flip-flopping between being trusted and being considered malware.

Hope you're able to sort it out!

GGelatin avatar Aug 09 '21 03:08 GGelatin

Yeah... Unfortunately striveinjector.exe started refusing to open, and new downloads no longer work for me again.

YoJimbo0321 avatar Aug 28 '21 22:08 YoJimbo0321

I can't use it either, and defender doesn't let me exclude it cos it says it's a trojan :2

Saishy avatar Apr 09 '23 18:04 Saishy