
wsl-gvproxy.exe blocked by McAfee

Open toulousain79 opened this issue 2 years ago • 2 comments

Hello,

It is necessary to install the isc-dhcp-client package to be able to use wsl-vpnkit as a standalone script.

Also, the wsl-gvproxy.exe binary is blocked by McAfee antivirus.

Regards,


Analyzer/Detector

  • Product name: McAfee Endpoint Security
  • Product version: 10.7.0.3437
  • Feature name: Real Protect Cloud

Threat

  • Enterprise Action: Clean
  • Threat Category: Malware detected
  • Threat Event ID: 35107
  • Threat Addressed: Yes
  • Threat name: Real Protect-PENGSD5!ED852464B531
  • Threat severity: Critical
  • Threat timestamp: 9/7/2022 10:03 AM
  • Type of threat: Trojan horse

Source

  • Access to the source: 9/7/2022 10:03 AM
  • Source creation: 3/30/2022 10:52 AM
  • Source file path: C:\Windows\System32
  • Source file size: 107520
  • Source hostname: xxxxxxxxxxxxxx
  • Source Modification: 3/30/2022 10:52 AM
  • Source process name: wsl.exe
  • Source Username: xxxxxxxxxxxxxx

Target

  • Target hash: xxxxxxxxxxxxxx
  • Target host name: xxxxxxxxxxxxxx
  • Target name: wsl-gvproxy.exe
  • Target path: C:\My Program File\WSL\distros\WSL-Ubuntu-20.04\bin
  • Target username: xxxxxxxxxxxxxx

Other

  • Type of vector: Local system
  • Detection message: Adaptive Threat Protection module detection
  • Detection Quarantine ID: {867E352D-19E0-45CE-9F8E-3DFA3267E346}

toulousain79 Jul 09 '22 08:07

You could try v0.2.x, which uses a different codebase and might not trigger your AV.

FWIW most AV vendors do not flag wsl-gvproxy.exe v0.3.2 as malicious.

https://www.virustotal.com/gui/file/4cd8c7532b286040b1d7bbe19bb2f79ad56e0c4ec9876eb2448174d0bd1e8fad

sakai135 Jul 14 '22 03:07
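Before relying on the "most vendors do not flag it" result above, it is worth confirming that the binary on disk is byte-identical to the sample VirusTotal analysed. The following is an added example, not part of wsl-vpnkit or of this thread; the SHA-256 comes from the VirusTotal URL above, and the WSL mount path is an assumption.

```shell
#!/bin/sh
# Added example (not wsl-vpnkit project code): check that a local wsl-gvproxy.exe
# is the exact build that the VirusTotal report in this thread analysed, by SHA-256.

# SHA-256 of wsl-gvproxy.exe v0.3.2, taken from the VirusTotal link in this thread.
GVPROXY_V032_SHA256="4cd8c7532b286040b1d7bbe19bb2f79ad56e0c4ec9876eb2448174d0bd1e8fad"

# sha256_of FILE: print the lowercase hex SHA-256 of FILE; fail if it is unreadable.
sha256_of() {
  [ -r "$1" ] || return 1
  sha256sum "$1" | awk '{ print tolower($1) }'
}

# verify_gvproxy FILE [EXPECTED_SHA256]
# Exit status: 0 = digest matches, 1 = digest differs, 2 = file unreadable.
# Prints a one-line verdict so the check can be logged from a provisioning script.
verify_gvproxy() {
  file="$1"
  expected="${2:-$GVPROXY_V032_SHA256}"
  actual="$(sha256_of "$file")" || { echo "UNREADABLE $file"; return 2; }
  if [ "$actual" = "$expected" ]; then
    echo "MATCH $file $actual"
    return 0
  fi
  echo "MISMATCH $file expected=$expected actual=$actual"
  return 1
}

# Usage from inside WSL, where the Windows drive is mounted under /mnt (assumed path,
# built from the target path reported in the McAfee event above):
#   verify_gvproxy "/mnt/c/My Program File/WSL/distros/WSL-Ubuntu-20.04/bin/wsl-gvproxy.exe"
if [ -n "${1:-}" ]; then
  verify_gvproxy "$1"
fi
```

A MISMATCH only tells you the file is not the scanned v0.3.2 build (a different release, a modified copy, or a corrupted download); it is the cue to re-download from the project release and re-check, not a verdict on its own.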

Hi

Thanks for your work :-)

We use WSL-VPNkit in daily business use to operate WSL 2. We built everything in a custom environment for our internal needs. And we have been using VPNkit for a little over a year. Originally we were getting the binaries from Docker Desktop. I just integrated the latest v2.x version of your repository to not be dependent on Docker Desktop anymore. But in use, it doesn't change anything for us.

Do you think that v3.x will be usable soon with McAfee or other antivirus?

Thank you very much.

Regards,

toulousain79 Jul 18 '22 15:07

Do you think that v3.x will be usable soon with McAfee or other antivirus?

Can you explain in slightly more detail what happens with McAfee? Does it quarantine the file, or does it prevent local network traffic?

gbraad Aug 17 '22 08:08

Closing due to inactivity.

sakai135 Aug 30 '22 02:08