Raccine
Defender detects Raccine as a Trojan
I think this is preventing it from running at all, because vssadmin delete /all in powershell did not kill the parent process.
https://www.virustotal.com/gui/file/1985c7c6930f2b58348af7f38d6015d1e0f1d3a6f5e9de762748f00c2d0d0e9f/detection
After submitting the file to Defender as a FP, Defender now determines the file is clean:
I also made a positive mark on VT
On 1 Nov 2020, at 16:16, John Lambert [email protected] wrote:
After submitting the file to Defender as a FP, Defender now determines the file is clean:
With version 1.3b this issue has returned 😕
What's the detection name? What's the signature (security intelligence) version?
In general, submitting a file with a False Positive to Defender's reporting portal will ensure a human analyst looks at it. I would include a link to this github repo (and also this page) as context when reporting: (https://www.microsoft.com/en-us/wdsi/filesubmission)
The problem is the presence of vssadmin strings and other indicators inside the file, which will always mark it as malware in most AV engines. There has to be a way past that, but that is the reason.
We should be able to move all those detections to Yara now. I wonder if that will eliminate these AV detects since they won't be in the executable anymore.
The YARA feature won't be available on x86 platforms. The internal filters at least provide some kind of protection for these users. We could encode them base64, like malware authors do. :D
Hi,
Microsoft Defender is triggering on the 1.3.1b download. I can't actually download the file with Google Chrome; it refuses to do so with a "Virus Detected" error.
Microsoft Defender is reporting Trojan:Win32/Woreflint.A!cl on Raccine_x86.exe and Trojan:Win32/Woreflint.A!cl on Raccine.zip when the download completes with Mozilla Firefox as the browser.
Security Intelligence version: 1.327.683.0 created on 10th November 2020
Extracting the files in the ZIP to the Raccine program folder results in multiple errors and warnings about open files and files in use (Raccine is not running), so I can't be confident the files were extracted and overwritten correctly.
As much as this project has great potential, until these issues with false positives with Microsoft Defender can be resolved it's dead in the water. I've uninstalled for now to prevent Defender from having constant fits over the files 🤔
P.S. Windows PowerShell now refuses to run once Raccine is uninstalled. The file is present but reports as missing when you run it manually from Explorer. Something in the uninstall routine is broken, as is my Windows install now 🙁
Right. The IFEO options are NOT removed by the uninstaller. The uninstaller is broken quite badly.
I don't think that the uninstaller is broken. The only thing that changes on your system and can be reverted easily are the registry patches.
You just have to run the file raccine-reg-patch-uninstall.reg manually, if everything else fails (due to an antivirus running amok).
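One way for an administrator to verify the point made in the reply above, that the Image File Execution Options (IFEO) registry patches are the only persistent change and can be checked and reverted by hand, is the following PowerShell audit. It is an added example, not Raccine's own tooling and not the .reg file mentioned in the thread: the IFEO key path is the standard Windows location, while the 'raccine' match pattern and the function names are assumptions.

```powershell
# Added example (not part of Raccine or this thread): audit leftover IFEO
# Debugger entries after an uninstall, then remove them with confirmation.
# The IFEO path is the standard Windows key; the 'raccine' pattern is an
# assumption about how the vaccine's debugger path would appear.

$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # Returns one object per IFEO subkey that carries a Debugger value,
    # i.e. every executable name that Windows redirects through another program.
    [CmdletBinding()]
    param([string]$Path = $IfeoPath)

    Get-ChildItem -Path $Path -ErrorAction Stop | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($debugger) {
            [PSCustomObject]@{
                Executable = $_.PSChildName   # e.g. vssadmin.exe
                Debugger   = $debugger        # program Windows launches instead
                KeyPath    = $_.Name          # HKEY_LOCAL_MACHINE\... form, usable with Registry::
            }
        }
    }
}

function Find-LeftoverVaccineEntry {
    # Flags entries whose Debugger value references the vaccine binary (hypothetical
    # 'raccine' pattern) or whose debugger image no longer exists on disk, which is
    # exactly the state that leaves programs such as PowerShell unable to start.
    [CmdletBinding()]
    param([string]$Pattern = 'raccine')

    Get-IfeoDebugger | ForEach-Object {
        # Debugger values may be quoted and may carry arguments; extract the image path.
        $image = if ($_.Debugger -match '^"([^"]+)"') { $Matches[1] } else { ($_.Debugger -split '\s+')[0] }
        $missing = -not (Test-Path -LiteralPath $image)   # bare names without a path are flagged too
        if ($_.Debugger -match $Pattern -or $missing) {
            $_ | Add-Member -NotePropertyName DebuggerMissing -NotePropertyValue $missing -PassThru
        }
    }
}

# Usage: list every redirection first, then only the ones that need cleanup.
Get-IfeoDebugger | Format-Table -AutoSize
$leftover = Find-LeftoverVaccineEntry
$leftover | Format-Table -AutoSize

# Remediation: remove just the Debugger value (prompting for each one) and leave
# any other settings on that IFEO subkey untouched.
foreach ($entry in $leftover) {
    Remove-ItemProperty -Path "Registry::$($entry.KeyPath)" -Name Debugger -Confirm
}
```

Run it from an elevated PowerShell session, since the IFEO key lives under HKLM. Auditing first and removing only the Debugger value, rather than deleting whole subkeys, keeps any unrelated IFEO settings intact and gives a record of what the uninstaller left behind.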