Trojan Detected | Real or False Positive?
It's the first time I've seen this app as a trojan. Any thoughts? https://www.virustotal.com/gui/file/1c4e1847c722db18d58216c43aa40ad87c8a38aa6196e69d55c0687b8506bf94/details
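The post above links a VirusTotal report keyed by SHA-256. Before deciding whether a detection is a false positive, it is worth confirming that the file on disk is the same bytes VirusTotal looked at. The following PowerShell is an added example, not code from the ExplorerPatcher project or from anyone in this thread: it hashes the cached update (and a manually downloaded ep_setup.exe, if present), compares against the hash from the VirusTotal URL above, and reports the Authenticode status. The cache file name pattern and the Downloads location are assumptions.

```powershell
# Added example (not ExplorerPatcher project code). Checks that the update file the
# AV complained about is byte-for-byte the file uploaded to VirusTotal in the post
# above, by comparing SHA-256 hashes, and shows whether it carries a signature.
# Assumptions: the update is cached under %APPDATA%\ExplorerPatcher with the long
# "Update for ExplorerPatcher from ..." name (pattern assumed), a manual download
# lands in %USERPROFILE%\Downloads, and the expected hash is the file id from the
# VirusTotal URL in the post.

$ExpectedSha256 = '1c4e1847c722db18d58216c43aa40ad87c8a38aa6196e69d55c0687b8506bf94'
$CacheDir = Join-Path $env:APPDATA 'ExplorerPatcher'

# Locate candidate installers. If real-time protection already quarantined the
# file, nothing will be found here; restore it from quarantine first.
$Candidates  = @(Get-ChildItem -Path $CacheDir -Filter 'Update for ExplorerPatcher*' -File -ErrorAction SilentlyContinue)
$Candidates += @(Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'ep_setup.exe' -File -ErrorAction SilentlyContinue)

if (-not $Candidates) {
    Write-Warning 'No ExplorerPatcher installer found to verify.'
    return
}

foreach ($File in $Candidates) {
    $Actual = (Get-FileHash -Path $File.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

    # Authenticode status says whether the binary is signed and by whom. An unsigned
    # file is not proof of tampering, but a hash that differs from the VirusTotal
    # sample for a file claiming to be the same release is.
    $Sig = Get-AuthenticodeSignature -FilePath $File.FullName

    [pscustomobject]@{
        File      = $File.FullName
        SizeBytes = $File.Length
        Sha256    = $Actual
        MatchesVT = ($Actual -eq $ExpectedSha256)
        SigStatus = $Sig.Status
        Signer    = if ($Sig.SignerCertificate) { $Sig.SignerCertificate.Subject } else { '(none)' }
    }
}
```

If `MatchesVT` is false, the local file is not the sample discussed in the thread and the VirusTotal verdict does not apply to it; re-download from the GitHub release page and hash again before drawing conclusions.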
same here. I'll hold off until the dev can confirm this is a false positive.
https://github.com/valinet/ExplorerPatcher/issues/3228#issuecomment-2094065943
Same.
So:
- I read the "Falsely detected as HackTool:Win64/ExplorerPatcher!MTB" issue (#3228) that deals with the ExplorerPatcher!MTB alarm.
- I set WD to ignore this alarm.
- But WD throws an alarm for Backdoor:Win32/Bladabindi!ml
Windows Defender also complains
Bitdefender also quarantines the update stating: 'The file C:\Users\xxxxxxx\AppData\Roaming\ExplorerPatcher\Update for ExplorerPatcher from https꞉∕∕github.com∕valinet∕ExplorerPatcher∕releases∕latest∕download∕ep_setup.exe has been detected as infected with Trojan.GenericKD.74037883 and Bitdefender could not clean this item. A device restart is required to finalize the cleaning process.'
Seriously? We've been over this. https://github.com/valinet/ExplorerPatcher/issues/3228
Same for me - Bitdefender
Confirming issue with MS Defender
Detected: HackTool:Win32/Patcher!MTB Affected items: file: C:\Users\XXXX\AppData\Roaming\ExplorerPatcher\Update for ExplorerPatcher from https꞉∕∕github.com∕valinet∕ExplorerPatcher∕releases∕latest∕download∕ep_setup.exe
Same here...
Also not able to update. Windows Defender blocks it, saying it's a virus / hacktool.
quote from the release page at https://github.com/valinet/ExplorerPatcher/releases/tag/22621.3880.66.5_5094108
> [!WARNING]
> You are downloading a file flagged as malware by Microsoft and very likely by other major antivirus vendors. We believe that this false flag indicates Microsoft's hatred against this software, not because this contains a virus or such.
Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:
`C:\Program Files\ExplorerPatcher`
`%APPDATA%\ExplorerPatcher`
`C:\Windows\dxgi.dll`
`C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy`
`C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy`
For Defender, you can run the following script in PowerShell as an administrator:
```ps
Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"
```
If you are downloading from this page, please temporarily disable real-time protection or save to a folder excluded from antivirus scans.
Issues related to antivirus detections will be closed immediately. Discuss about this in #3228.
https://github.com/valinet/ExplorerPatcher/discussions/3122#discussioncomment-10612497
This is new - previous updates worked fine
It is indeed new. MS has deemed EP dangerous and conveyed it as such to the AV world. Hence all the sudden commotion.
> [!WARNING]
> You are downloading a file flagged as malware by Microsoft and very likely by other major antivirus vendors. We believe that this false flag indicates Microsoft's hatred against this software, not because this contains a virus or such.

Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:
- `C:\Program Files\ExplorerPatcher`
- `%APPDATA%\ExplorerPatcher`
- `C:\Windows\dxgi.dll`
- `C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy`
- `C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy`

For Defender, you can run the following script in PowerShell as an administrator:
```ps
Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"
```
If you are downloading from this page, please temporarily disable real-time protection or save to a folder excluded from antivirus scans.
Issues related to antivirus detections will be closed immediately. Discuss about this in #3228.
Read, everyone. I do not want to say that this is not a virus other than the reason statement above. If you are scared then stay on 65.5 (last release without detections) and freeze your OS updates.
It is just the installer that is flagged -- the DLLs that carry the patches are fine.
@Menno5 So 65.5 just got flagged as dangerous today by Kaspersky?
Sorry, I was confused here. Kaspersky started whining when trying to update within EP and also when downloading it manually. But that's of course for the 66.5 version. Just downloaded the 65.5 to check and when scanned, Kaspersky has no problems with it.
@hpchavaz Add the folders mentioned into exclusions. You will never have luck with the "Allow on device" button.
I am making a new PowerShell-based online installer now so that what it does should be more transparent. And most importantly, it shouldn't do various stuff just by opening it, which is what malware usually does.
I ran the above script in PowerShell as an administrator. All is working as expected. Thank you.
I am getting this error when trying to run in PowerShell (as administrator):
@alex-zadara 0x800106ba means Defender is not active. You may have another antivirus program active.
Adding "c:\Users\XXuserXX\AppData\Roaming\ExplorerPatcher" in antivirus exclusion solved the issue. Taskbar update and finally Win10 start menu is back again :)
You should report it to MS as a "FALSE POSITIVE" and ask them to justify their classification of it as malware. If you don't complain to them they will continue doing it - if you do there's a chance they will stop
@perdrix52 Tried, no luck. They did not give me a reason why but instead added it as malware into the "next definition update."
@perdrix52 Tried, no luck. They did not give me a reason why but instead added it into the "next definition update."
Probably that means that it will be marked safe again when the next definition update is received.
Edit: So no, they just flagged it?
Edited my comment.
I got errors trying to run the script:
```
Add-MpPreference : Operation failed with the following error: 0x%1!x!
At line:1 char:1
+ Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0xc0000142,Add-MpPreference
```
David
Did you run PowerShell as admin? Can you screenshot the console window fully with the title bar?
Running as Admin seemed to work - 66.5 now installed
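Three separate things trip people up in this thread when applying the release-page exclusion script: running it without elevation (the CimException above), running it when Defender is not the active engine (the 0x800106ba case), and not being able to see afterwards what was actually excluded. The following PowerShell is an added example and not the ExplorerPatcher project's script: it wraps the same five paths from the release page in those checks, scans the cached installer on demand before the exclusions take effect, then applies the exclusions and reads them back. The cached installer's file name pattern is an assumption; everything else uses only documented Defender cmdlets and MpCmdRun.exe.

```powershell
# Added example (not ExplorerPatcher project code). Applies the release-page
# exclusions with the checks a practitioner wants around them.
# Assumed: the five paths are those listed on the release page; the cached
# installer name pattern under %APPDATA%\ExplorerPatcher is a guess.

# Fails immediately with a clear message if not elevated, instead of the
# opaque CimException / HRESULT 0xc0000142 seen above.
#Requires -RunAsAdministrator

$Exclusions = @(
    'C:\Program Files\ExplorerPatcher',
    "$env:APPDATA\ExplorerPatcher",
    'C:\Windows\dxgi.dll',
    'C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy',
    'C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy'
)

# 1. Is Defender the active engine? When a third-party AV (Bitdefender, Kaspersky, ...)
#    has registered itself, Defender's AM service is off and Add-MpPreference fails
#    with 0x800106ba; the exclusions then belong in that product, not here.
try {
    $Status = Get-MpComputerStatus -ErrorAction Stop
} catch {
    throw "Cannot query Defender ($($_.Exception.Message)); another AV is probably the active product."
}
if (-not $Status.AMServiceEnabled -or -not $Status.AntivirusEnabled) {
    throw 'Defender antimalware service is not enabled; set the exclusions in your third-party AV instead.'
}

# 2. Scan just the cached installer BEFORE adding exclusions (exclusions also apply
#    to on-demand scans, so this must come first). MpCmdRun exit code 0 = no threat,
#    2 = threat found. This is how to check the claim that only the installer, not
#    the patch DLLs, triggers the detection: point it at each file in turn.
$Installer = Get-ChildItem -Path "$env:APPDATA\ExplorerPatcher" -Filter 'Update for ExplorerPatcher*' -File -ErrorAction SilentlyContinue |
             Select-Object -First 1
if ($Installer) {
    & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File $Installer.FullName | Out-Null
    Write-Host "On-demand scan of '$($Installer.Name)' exit code: $LASTEXITCODE (0 = clean, 2 = detection)"
} else {
    Write-Host 'No cached installer found (it may already be quarantined); skipping scan.'
}

# 3. Add only the paths not already excluded, so the change is visible.
$Existing = @((Get-MpPreference).ExclusionPath)
$ToAdd = @($Exclusions | Where-Object { $_ -notin $Existing })
if ($ToAdd.Count -gt 0) {
    Add-MpPreference -ExclusionPath $ToAdd
    Write-Host "Added $($ToAdd.Count) exclusion(s)."
} else {
    Write-Host 'All exclusions were already present.'
}

# 4. Read back and verify. Note what this list means: anything later written to
#    C:\Windows\dxgi.dll or into the two SystemApps folders is now unscanned, so keep
#    the list this small and remove it once the detection is gone with:
#      Remove-MpPreference -ExclusionPath $Exclusions
$Now = @((Get-MpPreference).ExclusionPath)
$Missing = @($Exclusions | Where-Object { $_ -notin $Now })
if ($Missing.Count -gt 0) {
    Write-Warning "Not applied: $($Missing -join ', ')"
} else {
    Write-Host "All $($Exclusions.Count) exclusions are present:"
    $Now | Where-Object { $_ -in $Exclusions } | ForEach-Object { "  $_" }
}
```

Run it from an elevated PowerShell window. The on-demand scan in step 2 is the quickest way to tell which file a detection actually fires on, and `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` shows the full exclusion list at any later time.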