
Windows Defender returns false positive for CRC's admin-helper binary

Open namila007 opened this issue 3 months ago • 9 comments

The latest CRC binaries installed in C:\Program Files\Red Hat OpenShift Local are getting blocked by Windows Defender. First, I was attempting to install using the Podman OpenShift plugin, but it failed. I then downloaded the latest build from mirror.openshift.com/pub/openshift-v4/clients/crc/. It is also getting flagged by Defender.

crc-admin-helper-windows.exe
SHA: f6714f2b88ae5b7519cf8f7fd3076a8f6df6641a5bfe54512001ac46ea926cfe

Trojan:Win32/SuspServiceBin.A!cl


Trojan:Win32/Filery.I!cl

crc.exe
MD5: 6B3273C70B3CEA25113C34F02AC903FB
SHA: 0BE0487F5F3676BE24E453D966101E6A1526D59E4B51A990F9ADCCB409991823

namila007, Oct 16 '25 19:10

@namila007 Could you provide the Windows version and Windows Defender version? This is a false positive and we need to submit a request to mark it as such.

In the meantime you can remove the quarantine from the files and should be able to use crc.

anjannath, Oct 17 '25 06:10
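The "remove the quarantine" step above, spelled out as an added PowerShell example (this is not code from the CRC project or from anyone in the thread). It records the Defender versions the maintainer asked for, lists what Defender logged for files under the install directory, compares the surviving files against the SHA-256 values posted in this issue, checks their Authenticode signature, restores the quarantined items with MpCmdRun.exe, and finally adds a path exclusion. The install path and hashes are taken from the issue; everything else (the cmdlet usage and the assumption that an elevated, unmanaged Defender is in use) is the example's own.

```powershell
# Added example, not from the CRC project: inspect what Defender did to the CRC
# binaries, verify they are the files discussed in this issue, and restore them.
# Run in an elevated PowerShell. On a managed (Intune/GPO) laptop the restore and
# exclusion steps may be refused by policy, which is the situation in the issue.
#Requires -RunAsAdministrator

$InstallDir = 'C:\Program Files\Red Hat OpenShift Local'   # path from the issue

# SHA-256 values copied from the issue report (the reporter's downloads).
$ReportedSha256 = @{
    'crc-admin-helper-windows.exe' = 'f6714f2b88ae5b7519cf8f7fd3076a8f6df6641a5bfe54512001ac46ea926cfe'
    'crc.exe'                      = '0BE0487F5F3676BE24E453D966101E6A1526D59E4B51A990F9ADCCB409991823'
}

# 1. Platform/engine/signature versions, the data the maintainer asked for.
Get-MpComputerStatus |
    Select-Object AMProductVersion, AMEngineVersion,
                  AntivirusSignatureVersion, AntispywareSignatureVersion

# 2. Every detection Defender logged for files under the install directory.
#    Resources entries look like "file:_C:\Program Files\...\crc.exe".
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($InstallDir) } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threat.ThreatName      # e.g. Trojan:Win32/SuspServiceBin.A!cl
            Resource   = ($_.Resources -join '; ')
            ActionOK   = $_.ActionSuccess
        }
    } | Format-Table -AutoSize

# 3. For files still on disk: does the hash match the issue, and is the file
#    Authenticode-signed? (The reporter notes the installer is signed and asks
#    for the exes to be signed the same way.)
foreach ($name in $ReportedSha256.Keys) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name is missing from $InstallDir (probably quarantined)"
        continue
    }
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File         = $name
        MatchesIssue = ($hash -ieq $ReportedSha256[$name])
        SHA256       = $hash
        SigStatus    = $sig.Status              # Valid / NotSigned / HashMismatch ...
        Signer       = $sig.SignerCertificate.Subject
    }
}

# 4. Restore the quarantined files; this is what "remove the quarantine" means.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -Restore -ListAll                    # show what is currently quarantined
foreach ($name in $ReportedSha256.Keys) {
    & $MpCmdRun -Restore -FilePath (Join-Path $InstallDir $name)
}

# 5. Optional, admin-only: exclude the install directory so the next signature
#    update does not quarantine the same files again. On a company laptop this
#    is the step the IT team has to perform (or push via policy).
Add-MpPreference -ExclusionPath $InstallDir
(Get-MpPreference).ExclusionPath
```

Step 3 is the part worth keeping even after the false positive is cleared: a hash that does not match the published build, or a signature status other than Valid, is a reason to stop rather than to whitelist, since a path exclusion turns off scanning for anything later dropped into that directory.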

Hi @anjannath, these are the specs. Defender:

Windows Security Application Version: 1000.29429.0.1000
Windows Security Service Version: 10.0.29429.1000-0
Antimalware Client Version: 4.18.25080.5
Engine Version: 1.1.25090.3001
Antivirus Version: 1.439.239.0
Antispyware Version: 1.439.239.0

Windows

Edition	Windows 11 Enterprise
Version	23H2
Installed on	6/20/2024
OS build	22631.5909
Experience	Windows Feature Experience Pack 1000.22700.1106.0

And the problem is, I can't remove the exes from quarantine because I'm using this on my company laptop, and I think due to some org policies, I can't remove them. :)

namila007, Oct 17 '25 08:10

I tried to reproduce it on Windows 11 (Pro) and with the updated Windows Defender (that comes pre-installed) it didn't flag the files in C:\Program Files\Red Hat OpenShift Local.

Is this the same Windows Defender that you are also using? What is worth knowing is: is it detecting based on the definitions that are available to all users, or on some special detection only available for a paid/supported plan?

anjannath, Oct 17 '25 10:10

We have the Windows Enterprise version and some paid Defender. Even on VirusTotal, crc-admin-helper-windows.exe is flagged as a virus.

I think it would be nice if you could sign the exe with the Red Hat cert as used in the installer.

namila007, Oct 17 '25 11:10

@anjannath, any updates on this? Have you submitted a ticket to Defender?

namila007, Oct 22 '25 09:10

This is not something we can resolve; there is no direct contact. The best we can do, which is what we do, is to provide a report of a false positive.

> and I think due to some org policies, I can't remove them. :)

Best to get your company's admin team involved to whitelist.

gbraad, Oct 29 '25 06:10

@gbraad, if you can, please provide me with a report. I will discuss it with the IT teams.

namila007, Oct 29 '25 08:10

Looking around for Trojan/SuspServiceBin.A!cl

https://community.fortinet.com/t5/Support-Forum/Forticlient-Installer-seen-as-Trojan-Win32-SuspServiceBin-A-cl/td-p/344790

You can report it yourself as a false positive to whitelist it:

https://www.microsoft.com/en-us/wdsi/filesubmission

albfan, Oct 29 '25 10:10

> please provide me with a report

Not following what you mean. What kind of report are you looking for? It is your IT admin department you need to contact with a request.

Note: on our end we are doing what we can, but the heuristics are dependent on peer review/comments and MS.

gbraad, Oct 30 '25 13:10