Windows Defender flags newest wstunnel.exe as trojan
Hello,
I was upgrading wstunnel from the 7.9.2 version to the 9.2.2 version. For client side, I downloaded wstunnel_9.2.2_windows_amd64.tar.gz for my Windows 10 machine. Immediately after unzipping the tar.gz file, Windows Defender isolated wstunnel.exe and flagged it as Trojan:Win32/Bearfoos.A!ml with a threat level of Severe.
I have, of course, overridden the antivirus's verdict and allowed the program. But having never received this warning while using the 7.9.2 version or the earlier Haskell versions, I think I should raise the issue to your attention.
And please, for the peace of mind of this ignorant user, the newest release is not really a trojan, right?
Hello,
Thanks for letting me know. I can assure you the latest release is not a trojan, so be at peace.
Would you mind trying the previous release and telling me if Windows still flags it as a trojan? https://github.com/erebe/wstunnel/releases/tag/v9.2.1
In the latest release, I stripped debug and symbol information to make the binary smaller; maybe that is what it does not like.
Let me know!
I can assure you the latest release is not a trojan
That's good to know. Thank you.
Would you mind trying the previous release and telling me if Windows still flags it as a trojan? https://github.com/erebe/wstunnel/releases/tag/v9.2.1
Windows Defender on my machine does not flag the 9.2.1 version as a trojan. But since I allowed the 9.2.2 version, I'm not entirely sure if the antivirus just 'learned' not to flag similar programs.
Ok, let's see if other people complain about it. I am leaving the issue open (I tried on a Windows 7, and no warning).
Hi back,
In the end you were right: I tried on my wife's Windows 11 machine, and the latest wstunnel version was detected as a trojan while v9.2.1 was not.
I have re-set the debug symbols for the Windows build, and updated the artifacts of v9.2.2 to include them.
Thanks for reporting :)
@erebe This issue happened again on v10.1.0 up to the latest version. Microsoft Windows flags this as a trojan. Can you please update?
Would you mind trying this binary and letting me know?
https://github.com/erebe/wstunnel/releases/download/v10.1.8/wstunnel_10.1.8_windows_amd64_obfuscated.exe
Hey @erebe
I attempted to install v10.1.8 using Scoop and it was flagged as trojan by Windows Security:
Then I used the link given above to download wstunnel_10.1.8_windows_amd64_obfuscated.exe as well, and it is also getting detected as a trojan:
Let me know if you want me to try anything additional.
In the meantime, it seems a manually compiled version of wstunnel (10.1.8 windows amd64) does not trigger Windows Defender.
- Install Rust with default options via https://www.rust-lang.org/tools/install
- Install git with default options via https://git-scm.com/downloads/win
- Inside a Command Prompt:
cd %TMP% && (if exist wstunnel rmdir /s /q wstunnel) && git clone --depth 1 https://github.com/erebe/wstunnel.git && cd wstunnel
cargo build --release --package wstunnel-cli
copy target\release\wstunnel.exe %LOCALAPPDATA%\Microsoft\WindowsApps
cd %USERPROFILE%
wstunnel --version
Followed these steps and the resulting wstunnel.exe no longer gets flagged as a Trojan on VirusTotal.com. However, AliCloud / Acronis (Static ML) still detects that it is wstunnel. It classifies it as "Proxytool:Multi/WSTunnel".
Version 10.1.10 gets flagged as Trojan and Chrome does not even allow the zip to download from the releases page.
If I install it with scoop, the exe is detected as Trojan:Win32/Wacatac.A!ml and removed ("schwerwiegend" - I think that would be "critical" in English).
The 10.1.9 is not removed ("niedrig" - low), but it detects it as a potentially unwanted program PUA:Win32/Puwaders.C!ml.
This issue happened again on v10.1.11 up to the latest version. AVG flags this as a trojan.
I can't do much about it, and I don't have the time to fight against it. Your best alternative is to clone the project and do a custom build to change the signature of the binary.
You should give it a try, it is really easy to build a Rust project:
https://github.com/erebe/wstunnel?tab=readme-ov-file#how-to-build-
I think the problem is that it has the possibility to open a server and an open loophole to the local network, which can be exploited by trojans somehow to gain access to the local network, and therefore the scanners tag it because it can be used by trojans. For my use case, the server part is on a Linux machine and several client machines on Windows, MacOS and Linux access it.
Would it be feasible to offer a "client only" version of wstunnel as well?
Romain is right. Your own custom build is your best bet. Ideally make some modifications to the code. E.g. extra checks or take out the server part / option.
Here's what I think is happening:
- Trojan / Malware developers are well aware of wstunnel because it is awesome! (Thanks Romain.) They actually use it (as is) and make it part of their "product".
- Malware scanner developers are also well aware of that. They pull the binaries from this GitHub repo to add the signatures to their databases. So, any binary pulled from here will get flagged / blocked.
Hey there! I'm not very confident in this area as my foundation is quite weak. Would you mind providing a more detailed tutorial on how to build this? Thank you so much!
- Install Rust - follow official instructions, or download and run this.
- Install Git for Windows - follow official instructions, or download and run this.
- Install CMake - follow official instructions, or download and run this.
- Open the Git Bash app.
- Create the directory to put the wstunnel sources in. Say you want it to be in C:\Work\wstunnel, so you need to run (use right click to paste if needed):
mkdir -p /c/Work/wstunnel && cd /c/Work/wstunnel
- Clone the repo:
git clone https://github.com/erebe/wstunnel .
- Run (ignore "lint expectation is unfulfilled" warnings):
cargo build --package wstunnel-cli --release
- In about 2-3 minutes the build will complete and you will be a proud owner of your own copy of wstunnel, ~~packed with exclusive trojans~~. You can find it in C:\Work\wstunnel\target\release\wstunnel.exe (or whatever directory you chose). Either add this folder to the PATH environment variable, or move the wstunnel.exe file somewhere you'd like more. You will only need the wstunnel.exe file; the project directory can be safely deleted.
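The two build procedures in this thread (the Command Prompt steps and the Git Bash steps above) can be run as one script. The following PowerShell script is an added example, not a command sequence posted by any participant or shipped by the wstunnel project. It assumes Rust (rustup/cargo), Git for Windows and CMake are already installed as the steps require, reuses the C:\Work\wstunnel directory and the `cargo build --package wstunnel-cli --release` command from above, and additionally records the commit id and SHA-256 of the binary it produced, so that a build you made yourself can later be told apart from a downloaded release binary when an antivirus verdict changes.

```powershell
# Added example (not the thread's own commands): scripted version of the build steps above.
# Assumes Rust (rustup/cargo), Git for Windows and CMake are installed, as the steps require.
$ErrorActionPreference = 'Stop'

$SourceDir = 'C:\Work\wstunnel'   # same directory as in the Git Bash steps above
$Package   = 'wstunnel-cli'       # cargo package named in the steps above

# Fail early if a required tool is missing from PATH.
foreach ($tool in 'git', 'cargo', 'cmake') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "Required tool '$tool' not found on PATH; install it first (see the steps above)."
    }
}

# Clone a fresh copy, or fast-forward an existing checkout.
if (Test-Path (Join-Path $SourceDir '.git')) {
    git -C $SourceDir pull --ff-only
} else {
    New-Item -ItemType Directory -Force -Path $SourceDir | Out-Null
    git clone --depth 1 https://github.com/erebe/wstunnel.git $SourceDir
}
if ($LASTEXITCODE -ne 0) { throw "git failed with exit code $LASTEXITCODE" }

# Record the commit the binary is built from, so the same build can be reproduced later.
$Commit = git -C $SourceDir rev-parse HEAD

Push-Location $SourceDir
try {
    cargo build --release --package $Package
    if ($LASTEXITCODE -ne 0) { throw "cargo build failed with exit code $LASTEXITCODE" }
} finally {
    Pop-Location
}

$Exe = Join-Path $SourceDir 'target\release\wstunnel.exe'
if (-not (Test-Path $Exe)) { throw "Build finished but $Exe was not produced" }

# SHA-256 of the fresh build. Keep it together with the commit id: it lets you confirm
# later that the file you are running is still the one you built, rather than a
# downloaded release binary or something that replaced it.
$Hash    = (Get-FileHash -Algorithm SHA256 -Path $Exe).Hash
$Version = & $Exe --version

[pscustomobject]@{
    Exe     = $Exe
    Commit  = $Commit
    SHA256  = $Hash
    Version = $Version
} | Format-List
```

Run it from a normal PowerShell window after installing the three tools; the last lines print the path, commit, hash and `wstunnel --version` output of the binary you just built. Keeping that record is the practical answer to the question raised earlier in the thread of whether a "trusted" binary is really the one you think it is: a release download and your own build will have different hashes, and a later scanner verdict can be checked against a binary whose origin you recorded yourself.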
Thank you very much!
Any chance to build the .exe under Linux? Tried via a build container:
docker run -it --rm -v "$(pwd)/wstunnel":/root --network host rust:slim-trixie bash
# inside of container:
apt update
apt install -y cmake
cd /root
rustup target add x86_64-pc-windows-msvc
cargo install xwin
xwin --accept-license splat --output ~/.xwin
cat << EOF >> .cargo/config.toml
[target.x86_64-pc-windows-msvc]
linker = "lld"
rustflags = [
"-Lnative=/root/.xwin/crt/lib/x86_64",
"-Lnative=/root/.xwin/sdk/lib/um/x86_64",
"-Lnative=/root/.xwin/sdk/lib/ucrt/x86_64",
]
EOF
cargo build --release --package wstunnel-cli --target x86_64-pc-windows-msvc
But it gives an error:
couldn't determine visual studio generator