
PingCastle is now flagged from 15 vendors as malicious on virustotal.com

Open Borris70 opened this issue 4 months ago • 6 comments

Hi Netwrix,

Our customers don't feel comfortable letting this tool run. The number of flags is increasing.


Borris70 avatar Sep 12 '25 11:09 Borris70

Netwrix, please address this issue.

LoneStarCoder avatar Sep 15 '25 15:09 LoneStarCoder

Hi there,

We are actively addressing recent antivirus detections of PingCastle. These are false positives caused by packaging and updater behaviors that resemble malware patterns. To resolve this, we are delivering changes in two stages to minimize disruption.

What We Are Doing

  1. Packaging
    • Removing the changelog.txt file from the .zip package, which some AV engines misinterpret.
    • All release notes will now be documented directly on GitHub, with full detailed changelogs published in the Netwrix Community at community.netwrix.com.
  2. Auto-Updater
    • Currently, PingCastleAutoUpdater.exe makes two calls on first run (GitHub API and release-assets.githubusercontent.com) to fetch updates, which can trigger AV detections.
    • We are changing this so the updater will only use the GitHub API to check the latest version, compare it with the local Pingcastle.exe, and download only when a new version is available. This streamlines the process and reduces unnecessary network calls.
    • Longer term, we may migrate downloads directly to Netwrix, but first we want to validate these changes.
  3. Executable (Future Release)
    • We currently use Fody Costura to merge DLLs into Pingcastle.exe to keep deployment simple. However, malware authors also adopt this method, leading antivirus engines to flag executables packaged in this way.
    • To reduce false positives, we will remove Fody Costura and shift to a more standard file layout in a later release.

Release Plan & Next Steps

| Release | Changes | Timing |
| --- | --- | --- |
| 3.4.2 | • Packaging changes (no changelog.txt, GitHub + Netwrix Community for release notes) • Auto-updater improvements (GitHub API only, downloads only when new version available) | Coming weeks |
| 3.5 | • Removal of Fody Costura • Requires extraction before use • Pro/Enterprise: Pingcastle.exe moved into subfolder (Task Scheduler updated automatically where possible) | Next minor release after 3.4.2 |

JoeDibley avatar Sep 15 '25 15:09 JoeDibley

Here is the message by Trellix, when it deleted pingcastle.exe: T1204.002 dom\username E:\Tools\PingCastle_3.0.0.4\PingCastleAutoUpdater.exe, which attempted to access E:\Tools\PingCastle_3.0.0.4\PingCastle.exe. The potentially unwanted program named PingCastle was detected and deleted.

Very sad to see that PingCastle is now a commercial product. The evil will win. :(

barbarajoost avatar Oct 01 '25 06:10 barbarajoost

> Here is the message by Trellix, when it deleted pingcastle.exe: T1204.002 dom\username E:\Tools\PingCastle_3.0.0.4\PingCastleAutoUpdater.exe, which attempted to access E:\Tools\PingCastle_3.0.0.4\PingCastle.exe. The potentially unwanted program named PingCastle was detected and deleted.

Do you know that PUA (potentially unwanted program) means that you can decide if you would like to have this application?

https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-product-guide-windows/page/GUID-C7987E96-4B6C-48CA-A9E9-3D24D0DC946F.html

> Very sad to see that PingCastle is now a commercial product. The evil will win. :(

PingCastle is always a PUA, as an attacker might also want to use tools like that. If you want to use it but your Trellix staff won't allow it, then it is unwanted. Otherwise, you should allow it to make it a wanted application.

If a hacking or security application is explicitly identified as a PUA, it is well-known enough to be listed.

PUA means that you have a choice. For some people, any Microsoft application is a PUA, or indeed a UA.

Additionally, it is worth mentioning that PingCastle already was a "commercial product" and is still free for the cases which are in the descriptions. Nothing really changed; it just moved from one to another one.

Detection of PUA often relies on hashes or parts of the files, so every new version might be a little bit different and not detected the same way. Old versions made by Vincent were also marked as "Hackingtool", as you can see here: https://www.virustotal.com/gui/file/c8e54479c7ecaac11fda462bc92d9b167b742531b7243d3d231d5bad918d23db/details

An-dir avatar Oct 01 '25 14:10 An-dir

PingCastle version 3.4.2 has now been released with the fixes described which should at least help in a small way.

It does seem that we are now back down to the PUA/Hacktool detections. These are ones we cannot do anything about. Hopefully our changes in the coming PingCastle future release should make it so this false positive never happens again.

We do have a general statement from our Netwrix security team on PingCastle and these detections, which I have included below.

About Antivirus Detections and PingCastle

PingCastle is a trusted security assessment tool designed to help organizations evaluate the health and security posture of their Active Directory environments.

Some antivirus or endpoint protection solutions may flag PingCastle as “hacktool” or a “potentially unwanted program (PUP)”. This is not because PingCastle is malicious, but because it has dual-use potential: the same in-depth techniques it uses to audit and test security could also be misused by attackers. It does not itself attack AD, but could be used during reconnaissance to enumerate risks that attackers could exploit. Security vendors often classify such advanced administrative and diagnostic tools conservatively to avoid underestimating risk.

It is important to emphasize that:

  • PingCastle is safe to use when obtained from the official source.
  • It does not exploit or attack Active Directory.
  • No malicious payloads or hidden behavior are present in the software.
  • The detections occur only because its ability to enumerate security risks and misconfigurations could provide information an attacker might misuse.

In short, PingCastle should be viewed in the same category as other professional penetration-testing or red-team tools: safe and valuable in the hands of administrators and security professionals, but flagged by antivirus products due to its capabilities.

I hope this helps clear up some of the concern around this.

JoeDibley avatar Oct 07 '25 10:10 JoeDibley

We added Netwrix-signed applications to a trusted list for some employees (not everyone needs it) in our company, so we won't encounter any issues with newer versions of PingCastle.

An-dir avatar Oct 22 '25 12:10 An-dir
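An added example (not PingCastle's or Netwrix's own code) covering two points from this thread: the admin-side equivalent of the 3.4.2 updater check described above (one GitHub API call, download only when the release is newer than the local exe), and the "allow Netwrix-signed binaries" approach from the last comment, done by verifying the Authenticode signature of the local files before trusting them. Assumptions: the GitHub repo is `netwrix/pingcastle`, release tags carry the version number, and `$ExpectedSigner` is whatever name your own trust list matches for Netwrix-signed binaries.

```powershell
function Test-PingCastleSignature {
    param([string]$Path, [string]$ExpectedSigner = 'Netwrix')   # $ExpectedSigner is an assumption
    # Authenticode check: Status is 'Valid' only when the chain and file hash verify.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate.Subject
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
        # SHA256 for a VirusTotal lookup of the exact build you have on disk
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

function Get-PingCastleUpdateDecision {
    param([string]$LocalExe, [string]$Repo = 'netwrix/pingcastle')  # repo name is an assumption
    # Single GitHub API call, as described for the 3.4.2 updater; no asset download here.
    $release = Invoke-RestMethod -Uri "https://api.github.com/repos/$Repo/releases/latest" `
        -Headers @{ 'User-Agent' = 'pingcastle-update-check' }
    $remote = [version]($release.tag_name -replace '^v', '')
    # FileVersionRaw is already a [version], so '3.0.0.4' vs '3.4.2' compares correctly.
    $local  = (Get-Item $LocalExe).VersionInfo.FileVersionRaw
    $zip    = $release.assets | Where-Object { $_.name -like '*.zip' } | Select-Object -First 1
    [pscustomobject]@{
        Local    = $local
        Remote   = $remote
        Download = ($remote -gt $local)          # only when a newer version exists
        Asset    = $zip.browser_download_url     # fetch this yourself, after reviewing
    }
}

# Usage on an existing install (paths taken from the Trellix message in this thread)
$dir = 'E:\Tools\PingCastle_3.0.0.4'
Test-PingCastleSignature -Path "$dir\PingCastle.exe"
Test-PingCastleSignature -Path "$dir\PingCastleAutoUpdater.exe"
Get-PingCastleUpdateDecision -LocalExe "$dir\PingCastle.exe"
```

Run the signature check on both executables after every update: a `Trusted` of `$false` on a freshly downloaded build is the case to investigate before adding it to any allow list.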