Bulk-Crap-Uninstaller

Antivirus flagging latest BCU release as Trojan:Script/Wacatac.H!ml

Open plasticducko opened this issue 9 months ago • 15 comments

I'm encountering an issue where my antivirus is flagging the installer as a trojan. It's my first time installing the software after downloading the latest release from GitHub. Can someone please confirm whether this is just a false positive, or explain why this is happening?

plasticducko avatar Jul 02 '25 11:07 plasticducko

Can confirm the same behavior. On VirusTotal I get "15/72 security vendors flagged this file as malicious".

Layos82 avatar Jul 02 '25 13:07 Layos82

It's an unfortunate effect of BCU no longer being signed (see the latest release notes and, more specifically, #737 for details). I had the exact same issue before I started signing it. AV vendors may say that being signed doesn't affect virus detections, but that is very obviously false; signed executables are given a lot of leeway.

Unfortunately I can't do much about it; a bunch of users will have to flag it as a false detection until it is no longer flagged. It seems like the portable version is the most affected because it includes the .NET runtime, which is also used by malware (and of course by anything else that runs on .NET, but all it takes is for one piece of malware to use a common file to get everything else that uses that file flagged as malware too).

Klocman avatar Jul 02 '25 16:07 Klocman

Thanks for the fast and informative response. Keep up the good work.

Layos82 avatar Jul 02 '25 16:07 Layos82

I don't know if this is related, but the download for BCUninstaller_5.9.0_setup.exe at dAppCDN (linked from https://www.bcuninstaller.com/) reports an incorrect checksum. The SHA-256 should start 1983..., but the dAppCDN file hash starts fce6... Similarly, when I try to update/install using UnigetUI, the install fails claiming the "Installer hash does not match". The copy of the file available on this GitHub does report the correct checksum as expected. Perhaps there are some corrupt versions of the installer floating around on different mirrors?

richk1 avatar Jul 02 '25 21:07 richk1

> I don't know if this is related, but the download for BCUninstaller_5.9.0_setup.exe at dAppCDN

It's not related, but thanks for letting me know. I replaced the setup shortly after release to fix a bug, but it seems like there's a bug on dAppCDN where, if you delete and then reupload a file with the same name, it resurrects the old file rather than updating it. The version on dAppCDN should now be correct.

Klocman avatar Jul 03 '25 17:07 Klocman

@Klocman Are you planning to renew the signature certificate? Maybe slowly rewrite the application so this signature spoofing exploit is no longer possible?

I see the installers are heavily flagged on VirusTotal, but I find that WinGet is still distributing the 5.9 version despite its step in the WinGet pipeline to verify there's no malware.

MysteriousOrb2000 avatar Jul 05 '25 17:07 MysteriousOrb2000

Maybe after a while, but not right now.

Klocman avatar Jul 09 '25 18:07 Klocman

> That is correct.
>
> It will pass WinGet validation if there is no malware. In this case, there is no malware in Bulk Crap Uninstaller, because most, if not all, of the flags in VirusTotal are AI/ML, which are false positives, which is why the latest version of Bulk Crap Uninstaller has not been removed from WinGet yet.
>
> The title of the GitHub issue has "Trojan:Script/Wacatac.H!ml", where the "!ml" indicates that Microsoft Defender recognized this threat via machine learning (ML) heuristics.
>
> WinGet uses ScanX during validation, which is a proprietary scanning technology, similar to VirusTotal, that does static and dynamic analysis as well as checking whether the code signing certificate was used to sign and distribute malware.

Interesting. It explains what some of the tripped detectors were saying in detail. Someone should notify the tripped vendors to correct the learned heuristics and flag BCUninstaller as safe.

Still, I think the owner of this project should consider renewing the cert as soon as possible if more of this trips in future releases.

MysteriousOrb2000 avatar Jul 10 '25 20:07 MysteriousOrb2000

I just recommended this program to a friend and they advised me that the portable 5.9 version also gets detected as a virus, specifically Gen:Variant.Fragtor.870497. Came here to see if others were having the same issue; not sure if this has anything to do with what's mentioned above. Also, if I am reading the changes correctly there shouldn't be a portable 5.9, is that correct?

Zora-Z0 avatar Jul 10 '25 21:07 Zora-Z0

> I just recommended this program to a friend and they advised me that the portable 5.9 version also gets detected as a virus, specifically Gen:Variant.Fragtor.870497. Came here to see if others were having the same issue; not sure if this has anything to do with what's mentioned above. Also, if I am reading the changes correctly there shouldn't be a portable 5.9, is that correct?

Bitdefender gives the same flag: "is infected with Gen:Variant.Fragtor.870497. Bitdefender blocked this item, your device is safe. View attack timeline / Move to quarantine"

DonnieBoy avatar Jul 11 '25 12:07 DonnieBoy

> It's an unfortunate effect of BCU no longer being signed (see the latest release notes and more specifically #737 for more details). I had the exact same issue before I started signing it. AV vendors may say that being signed doesn't affect virus detections but it is very obviously false, signed executables are given a lot of leeway.
>
> Unfortunately I can't do much about it, a bunch of users will have to flag it as a false detection until it is no longer flagged. It seems like the portable version is the most affected because it includes the .NET runtime which is also used by malware (and of course by anything else that runs on .NET, but all it takes is for one malware to use a common file to get everything else that uses that file also flagged as malware).

Hello there,

I am not a programmer. I know there is a discussion about it in the link, but I couldn't understand what is being discussed. Basically, the program is not digitally signed by the author, therefore AV engines have detected it as malware.

Is this a common false positive problem from AV engines with this software? So far only 3 AV engines detect it as malware.

I uploaded the previous version, v5.8, to virustotal.com, and none of the AV engines flagged the software as malicious. v5.9, however, is flagged by 3 AV engines.

[screenshot: VirusTotal results, 2025-07-20]

Wepeemy avatar Jul 20 '25 02:07 Wepeemy

Fewer engines detect v5.9 now because of false positive reports; also, it's the worst in the full portable version. v5.8 had no detections because it was signed, and even though the certificate is no longer valid it has already been whitelisted.

Klocman avatar Aug 03 '25 17:08 Klocman

It is increasing...

[screenshot]

bondany avatar Aug 10 '25 23:08 bondany

@Klocman I don't know much about .NET, so I won't be able to help you directly, but I do know some things about this malicious technique, so I thought I could enlighten you.

DLL hijacking is a technique cybercriminals have used for years to evade AV detections. It is nothing new, and even affects hundreds of Microsoft-signed executables. Looking at the screenshot in #737, the specific method seems to be DLL side-loading/proxying, since the DLL isn't fully replaced but rather edited so the rest of the DLL stays intact.

It is highly unlikely that your certificate gets revoked because of this, especially since your project is so popular. CAs are fully aware of DLL hijacking being an issue, and if the malware being distributed through your license becomes too prominent, they wouldn't do more than temporarily revoke your certificate until you add proper measures to prevent this.

From my understanding based on your comment, .NET automatically generates the executable file, which means you don't have any control over it. I would assume that there is an option somewhere that allows you to enable DLL validation before loading within this generated executable, but after some brief research it doesn't seem to exist, which is honestly ridiculous. The best solution would be to manually create the initial loader executable that checks and validates every DLL before loading it.

If you wish to read more about DLL hijacking and potential solutions, I would highly recommend the following:
- https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
- https://www.wietzebeukema.nl/blog/save-the-environment-variables
- https://hijacklibs.net

Best of luck

Alcinzal avatar Aug 12 '25 08:08 Alcinzal
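The following is an added example, not BCU's code and not code from anyone in this thread. It demonstrates the two integrity checks the thread touches on: verifying a downloaded installer against the SHA-256 published with a release (the dAppCDN mismatch richk1 reported, where a mirror served a different file than GitHub), and validating every module in an application directory against a recorded hash manifest before anything is loaded (the loader-side DLL validation Alcinzal suggests). The file names, the manifest format, and the sample directory tree are all constructed for the demo; `version.dll` is used only as an example of a name commonly abused for search-order hijacking. For a one-off check on Windows, `Get-FileHash -Algorithm SHA256` in PowerShell does the same job as `verify_download` below.

```python
"""Added example: SHA-256 verification of a download and of an app's DLL set.

Not part of Bulk Crap Uninstaller. All names and sample files are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path, expected_sha256):
    """Compare a downloaded file with the hash published for the release.

    Returns (ok, actual_hex). Always compare the full digest, never a prefix,
    and take the expected value from the project's own release page, not from
    the mirror that served the file.
    """
    actual = sha256_file(path)
    return actual == expected_sha256.strip().lower(), actual


def collect_modules(app_dir, suffixes=(".dll", ".exe")):
    """Relative path -> Path for every loadable module under app_dir."""
    app_dir = Path(app_dir)
    return {
        p.relative_to(app_dir).as_posix(): p
        for p in app_dir.rglob("*")
        if p.is_file() and p.suffix.lower() in suffixes
    }


def build_manifest(app_dir):
    """Record the expected hash of every module (done once, at release time).

    In a real deployment the manifest must be signed or embedded in the signed
    loader: an attacker who can patch a DLL can also rewrite a loose manifest.
    """
    return {rel: sha256_file(p) for rel, p in sorted(collect_modules(app_dir).items())}


def check_manifest(app_dir, manifest):
    """Loader-side check to run before any DLL is loaded.

    Reports modules whose bytes changed (in-place patching / proxying), modules
    that are missing, and modules the manifest never listed (a dropped hijack DLL).
    """
    present = collect_modules(app_dir)
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        p = present.pop(rel, None)
        if p is None:
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
    result["unexpected"] = sorted(present)  # anything left was never in the manifest
    return result


def demo():
    """Constructed scenario: a clean tree, a mirror's altered download, a side-loaded tree."""
    with tempfile.TemporaryDirectory() as app, tempfile.TemporaryDirectory() as dl:
        root, downloads = Path(app), Path(dl)

        # Constructed stand-ins for an application directory; not real BCU files.
        (root / "app.exe").write_bytes(b"MZ constructed executable stub")
        (root / "helper.dll").write_bytes(b"MZ constructed library stub")
        manifest = build_manifest(root)
        clean = check_manifest(root, manifest)

        # Installer check: the published hash matches the genuine file (case-insensitive),
        # and fails once a mirror serves different bytes under the same name.
        installer = downloads / "setup.exe"
        installer.write_bytes(b"MZ constructed installer")
        published = sha256_file(installer)
        ok, _ = verify_download(installer, published.upper())
        installer.write_bytes(b"MZ constructed installer, altered on a mirror")
        altered_ok, _ = verify_download(installer, published)

        # Side-loading: patch a few bytes inside helper.dll (rest of the file intact)
        # and drop a DLL with a name commonly abused for search-order hijacking.
        with open(root / "helper.dll", "r+b") as f:
            f.seek(4)
            f.write(b"PATCH")
        (root / "version.dll").write_bytes(b"MZ planted library")
        tampered = check_manifest(root, manifest)

        return {"clean": clean, "download_ok": ok,
                "download_altered_ok": altered_ok, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

A hash manifest catches the proxying case described above (a few bytes changed, the rest of the DLL intact) because any byte change alters the digest, and it also surfaces a planted DLL the build never shipped. It does not replace Authenticode: it only tells the loader that the files on disk match what was released, so the manifest itself has to be protected by the loader's own signature to be worth anything.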

I assume this is safe then, as I have this program on my Windows 10 laptop, which I believe is still the signed version. There are now only 2 hits on VirusTotal nowadays; some odd AVs like CrowdStrike Falcon and SecureAge still haven't verified it.

Jon-guy30 avatar Sep 13 '25 20:09 Jon-guy30