
Windows defender detecting Trojan:Win32/Zpevdo.B!ctv

Status: Open. MarcoNovaro opened this issue 3 years ago, 8 comments

Windows Defender detects the virus Trojan:Win32/Zpevdo.B!ctv in the Windows release v0.1.0. The file uploaded to VirusTotal is detected by 8 engines (some of them with "high confidence").

MarcoNovaro, Dec 23 '20 18:12

Avast too

upadrian, Jan 18 '21 17:01

@ajaxray: This seems like a rather serious problem. Would you please take a moment to acknowledge this?

justinmayer, Jan 22 '21 09:01

@justinmayer @MarcoNovaro @upadrian,

Thanks for reporting. I'll check it soon (InshaAllah).

ajaxray, Jan 25 '21 07:01

Also hit with Trojan:Win32/Zenpack!ml by Win Def.

shokkakhan, Jan 31 '21 05:01

Mostly due to UPXing the binaries.

Robert-M-Muench, Nov 21 '21 20:11

More detections at the latest released version. Something like half of vendors. It does seem to be mostly due to UPX compression which is linked to obfuscation of course, but there's also some other behavioral analysis, most of which is totally innocuous (like reading the system time often, obviously a utility like this would need to!) but some I have more trouble understanding fully. Would be nice to have a sufficient response to this matter.

Ama1999, Feb 09 '23 00:02
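Several comments above attribute the detections to UPX compression of the release binaries. A quick way to confirm whether a given Windows build is actually UPX-packed, before deciding whether to drop compression, is to read the PE section table: UPX leaves sections named UPX0/UPX1 and a "UPX!" marker in the file. The checker below is an added example and is not part of the geek-life project; it uses only the standard library, and the two PE images it inspects are minimal constructed headers (no real code), built inline so the script runs offline. Pass a real file path on the command line to check an actual binary.

```python
"""Report UPX packing indicators in a Windows PE file (added example, not project code)."""
import struct
import sys
from typing import Dict, List

# Section names that stock UPX writes into the PE section table.
UPX_SECTION_PREFIX = "UPX"
# Marker string UPX stores in the packed file's header block.
UPX_MAGIC = b"UPX!"


def pe_section_names(data: bytes) -> List[str]:
    """Parse the DOS header, PE signature and COFF header to list section names."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]    # each section header is 40 bytes, name is first 8
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def upx_indicators(data: bytes) -> Dict[str, object]:
    """Combine the section-name and magic-string checks into one report."""
    names = pe_section_names(data)
    upx_sections = [n for n in names if n.upper().startswith(UPX_SECTION_PREFIX)]
    has_magic = UPX_MAGIC in data
    # Either indicator alone is a strong sign; a renamed section table or stripped
    # marker can hide packing, so "no indicator" is not proof of an unpacked file.
    return {
        "sections": names,
        "upx_sections": upx_sections,
        "upx_magic": has_magic,
        "packed": bool(upx_sections) or has_magic,
    }


def build_minimal_pe(section_names: List[bytes], extra: bytes = b"") -> bytes:
    """Construct a header-only PE image for testing (constructed sample, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                 # 64-byte DOS stub
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + extra


# Constructed samples: one laid out like a UPX output, one like a plain build.
PACKED_SAMPLE = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"], extra=b"\0\0" + UPX_MAGIC + b"\0\0")
PLAIN_SAMPLE = build_minimal_pe([b".text", b".rdata", b".data", b".pdata"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(upx_indicators(fh.read()))
    else:
        print("packed sample:", upx_indicators(PACKED_SAMPLE))
        print("plain sample: ", upx_indicators(PLAIN_SAMPLE))
```

Running it against an actual release binary gives a concrete basis for the question raised later in this thread: if the Windows build shows no UPX indicators and is still flagged, the cause is something other than compression and disabling UPX alone will not change the verdict.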

@Ama1999 @Robert-M-Muench @shokkakhan,

I didn't find anything specific that could be changed to avoid this issue confidently. If the issue is related only to the Windows platform, is it OK to avoid compression for the Windows build?

Please suggest.

ajaxray, Feb 16 '23 11:02

> @Ama1999 @Robert-M-Muench @shokkakhan,
>
> I didn't find anything specific that could be changed to avoid this issue confidently. If the issue is related only to the Windows platform, is it OK to avoid compression for the Windows build?
>
> Please suggest.

I have not (yet) extensively looked through the other OSes' binaries to the point I could confidently say whether or not compiling without (UPX) compression would fix the issue adequately. Certainly I'd think it strange if it didn't significantly lower a lot of the more 'threat score'-oriented AV engines. However, there may also still be some other heuristics, besides UPX compression being assumed by many AV engines to be malicious almost by default, that may or may not flag your solution/env as likely malicious or compromised. Really all you can do about this, as far as I know (which is not a lot!), is things like removing vulnerabilities or potentials for exploits, seeing as those can sometimes be flagged as malicious code or make it more likely for the code to be flagged, or even disqualified in some cases (I believe, if behavior can't be classified as malicious or beneficial/neutral), as for example Trojans.

Sorry I couldn't really be of (much) help!

Ama1999, Feb 17 '23 23:02