SimpleClans Flagged as Trojan/Virus download via modrinth v2.19.2

Describe the bug When downloading via https://modrinth.com/plugin/simpleclans/version/v2.19.2

Windows defender instnatly flags as a trojan/virus

Expected behavior Not to have a trojan/virus

Screenshots unnamed

May 06 '24 09:05 TomLewis

Download the latest build from https://ci.roinujnosde.me and scan it with windows defender.

May 06 '24 10:05 RoinujNosde

that one throws up this trojan, I wonder what it thinks is a trojan in the code

May 06 '24 12:05 TomLewis

Also flagging on https://www.virustotal.com/gui/url/cb1a750f78fc220e0aa0ac2ee10775225b06a46b7122e1334997a4343a8f11b0/detection for bitdefender

May 06 '24 13:05 TomLewis

I have a SimpleClans-2.19.0 which does not get flagged, so its between 2.19.0 and 2.19.2 changes.

May 06 '24 13:05 TomLewis

For confirmation,

I scanned modrinth version and the non-built version of v2.19.2, no trojans, but when I downloaded the one from ci.roinujnosde.com chrome didn't even let me download it. Really odd.

May 06 '24 14:05 Nishikiyama

For confirmation,

I scanned modrinth version and the non-built version of v2.19.2, no trojans, but when I downloaded the one from ci.roinujnosde.com chrome didn't even let me download it. Really odd.

Doesn't chrome block all jars by default?

May 07 '24 13:05 RoinujNosde

Ive not had any other jars automatically get deleted by windows before, did you include any librarys recently that may have been compromised? Any chance your computer was comprimised and the JAR was modified when you built it, it would build seperaetly outside of Github.

I updated DiscordSRV which broke my crew chat, and im using version 2.18 at present, so went to update and got stuck at this situation.

I can try and build from source at some point and check that.

May 07 '24 13:05 TomLewis

Ive not had any other jars automatically get deleted by windows before, did you include any librarys recently that may have been compromised?

From 2.19.0 to 2.19.2, I don't think so.

Any chance your computer was comprimised and the JAR was modified when you built it, it would build seperaetly outside of Github.

The jar is built on a GitHub action, then uploaded to modrinth, devbukkit, etc

May 07 '24 13:05 RoinujNosde

For confirmation, I scanned modrinth version and the non-built version of v2.19.2, no trojans, but when I downloaded the one from ci.roinujnosde.com chrome didn't even let me download it. Really odd.

Doesn't chrome block all jars by default?

Chrome blocked the one from ci.roinujnosde.com got blocked for some reason, but not modrinth.

May 07 '24 13:05 Nishikiyama

The initial post is modrinth download getting flagged and auto removing in windows @Nishikiyama you can try right clicking and scanning with windows defender, I am using windows 10. You may be using windows 11. But 100% getting marked as a Trojan from all sources.

I'm going to have to hold off from updating until we figure out what it is, as Im worried about updating

May 07 '24 18:05 TomLewis

The initial post is modrinth download getting flagged and auto removing in windows @Nishikiyama you can try right clicking and scanning with windows defender, I am using windows 10. You may be using windows 11. But 100% getting marked as a Trojan from all sources.

I'm going to have to hold off from updating until we figure out what it is, as Im worried about updating

https://youtu.be/-YG68eaCNPM

May 07 '24 18:05 Nishikiyama

Do you think I'm lying or something 😂

Stereotypical "but it works on my machine" developer reply 😂😂😂 Literally a meme

Screenshot attached in first post.
Virus total link attached which also flags.

I can also make a video but it's not going to add anything to this post, whatever was added between the last 0.2 versions is being flagged

May 07 '24 18:05 TomLewis

Do you think I'm lying or something 😂

Stereotypical "but it works on my machine" developer reply 😂😂😂 Literally a meme

Screenshot attached in first post.

Virus total link attached which also flags.

I can also make a video but it's not going to add anything to this post, whatever was added between the last 0.2 versions is being flagged

No, what I'm saying is that it trojans on only one site for no reason. It doesn't trojan on both for either person. Stop picking a fight and being childish.

May 07 '24 18:05 Nishikiyama

literally the opposite of picking a fight I'm trying to understand why you are trying to disprove my report instead of looking into a fix and figuring out why it's happening m I literally just want to update but I feel like you are trying to gaslight me that it dousnt exist as a problem which sets off a massive red flag like something has been purposefully hidden in the code trying to avoid this report.

May 07 '24 18:05 TomLewis

submission

I've submitted this to Microsoft. Let's wait for their reply...

May 07 '24 22:05 RoinujNosde

This is happening to other plugins as well: https://www.spigotmc.org/threads/windows-defender-false-positives.639507

May 07 '24 22:05 RoinujNosde

I wonder if it's like a specific version number or string of text they are blanket searching for and that's it. Is there a way to see a detailed overview of Trojan searches and how they detect it?

May 08 '24 08:05 TomLewis

Any feedback? Or luck figuring out what causes it.

May 16 '24 14:05 TomLewis

It will probably take months for Microsoft to reply.

Anyway, this is not my fault, I will be closing this.

May 16 '24 15:05 RoinujNosde

It will probably take months for Microsoft to reply.

When I send them .exe files they have checked it really fast. 🤔 It was about 2-3 days.

May 16 '24 15:05 Tomut0