
Antivirus threat detection - gsudo.exe

Open vblain opened this issue 2 years ago • 2 comments

Brief description of your issue

Bitdefender is detecting the update to winget as a threat, and cleaning gsudo.exe out of the installer. Message from installer: "An error occurred while trying to rename a file in the destination directory: MoveFile failed; code 5. Access is denied."

%userprofile%\AppData\Local\Programs\Winget...\gsudo.exe

Error writing to registry key HCU\Software\Microsoft\Windows...\Run

RegSetValue failed; code 5. Access Denied.

This looks like winget was corrupted and someone is trying to add a self run command.

Steps to reproduce

latest self update install

Expected behavior

install without error or threat

Actual behavior

antivirus detecting threats during install

Environment

Windows Package Manager (Preview) v1.5.101-preview
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22621.1105
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.20.101.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

User Settings: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\settings.json

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

vblain, Feb 06 '23 15:02

@vblain "gsudo" is a separate package and it is not a part of WinGet. That package appears to be where the detection occurred.

denelon, Feb 06 '23 17:02

Doing further research as to what is truly causing this. Will report back. Never had an issue before.

vblain, Feb 06 '23 17:02

@vblain did you figure this one out?

denelon, Feb 21 '23 19:02

Apologies, I was able to figure it out. The problem came from WingetUI, not Winget. It made it look like it was winget during the install because it went through the PowerShell instance to do so.

vblain, Feb 22 '23 18:02

@marticliment just an FYI.

I'll try to remember to mention you when I see something related to https://github.com/marticliment/WingetUI.

denelon, Feb 22 '23 18:02

That would be perfect; that way I can better track WingetUI-related issues.

Thanks!

P.S. This issue was already discussed on WingetUI, and it appeared to be a false positive from gsudo.

marticliment, Feb 22 '23 19:02