UDPspeeder

Windows Defender report "Trojan:Win32/CryptInject!ml"

Open nebulabox opened this issue 5 years ago • 7 comments

English Only (except for bug reporting). Windows 10, defender report: 2020-09-29 093549

nebulabox avatar Sep 29 '20 01:09 nebulabox

Which release did you download the program from? Could you please post the checksum of the program? (md5/sha1 or anything that works)

The Windows binary was compiled by the i686-w64-mingw32-g++-posix from 18.04 official source. I am not sure why this happens, but I will take a look.

wangyu- avatar Sep 29 '20 01:09 wangyu-

20200818.0

nebulabox avatar Sep 29 '20 08:09 nebulabox

I need a checksum to make sure your binary is the original one. Or you can just upload your binary.

wangyu- avatar Sep 29 '20 13:09 wangyu-

I confirm this issue, also using 20200818.0.

speederv2.exe
MD5: 970253A0953585093C4F8B4C749B21EC
SHA-1: 252C9E36B9FEC7091B17954BA1082F8B451BF4EC
SHA-256: 18E2DA4FE88CDB7781F3AFCE4DC2421FBC8DA5E9B635996C638A215E7A249578
SHA-512: 1CBD60E357FBF9F5F92E4A4B7E7B7304115FB6282716BE653274BD4EAAADB6DB76573750DCDDB634B2702D8283387ED0DC3A5DCD8412D880FF28A66AA948D278

See VirusTotal result: https://www.virustotal.com/gui/file/18e2da4fe88cdb7781f3afce4dc2421fbc8da5e9b635996c638a215e7a249578/detection

Searching, there's a related question on StackExchange: https://security.stackexchange.com/questions/229576/program-compiled-with-mingw32-is-reported-as-infected

ruixingw avatar Sep 29 '20 16:09 ruixingw
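As an added example (not code from this thread or from the UDPspeeder project), a small verifier that hashes a downloaded binary once and checks it against digests the maintainer published, like the ones posted above. The download path `speederv2.exe` and the `PUBLISHED` table (copied from the thread) are assumptions; the comparison is case-insensitive and accepts labels such as "SHA-256".

```python
"""Verify a downloaded binary against digests published by the maintainer."""
import hashlib
import hmac
import io
from pathlib import Path

# Digests as posted in this thread for the 20200818.0 speederv2.exe.
PUBLISHED = {
    "MD5": "970253A0953585093C4F8B4C749B21EC",
    "SHA-1": "252C9E36B9FEC7091B17954BA1082F8B451BF4EC",
    "SHA-256": "18E2DA4FE88CDB7781F3AFCE4DC2421FBC8DA5E9B635996C638A215E7A249578",
}

def _normalize(label: str) -> str:
    """Map a label like 'SHA-256' to the hashlib name 'sha256'."""
    return label.lower().replace("-", "").replace(" ", "")

def compute_digests(stream, labels, chunk_size=1 << 20):
    """Read the stream once, feeding every chunk to all requested hashers."""
    hashers = {label: hashlib.new(_normalize(label)) for label in labels}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {label: h.hexdigest() for label, h in hashers.items()}

def digests_of_bytes(data: bytes, labels):
    return compute_digests(io.BytesIO(data), labels)

def verify_stream(stream, expected):
    """Return {label: matched}; hex digests are compared case-insensitively."""
    actual = compute_digests(stream, tuple(expected))
    return {label: hmac.compare_digest(actual[label], expected[label].lower())
            for label in expected}

def verify_bytes(data: bytes, expected):
    return verify_stream(io.BytesIO(data), expected)

def verify_file(path, expected):
    with open(path, "rb") as f:
        return verify_stream(f, expected)

if __name__ == "__main__":
    target = Path("speederv2.exe")  # assumed download location
    if target.exists():
        for label, ok in verify_file(target, PUBLISHED).items():
            print(f"{label}: {'OK' if ok else 'MISMATCH'}")
    else:
        print(f"{target} not found; nothing verified")
```

A mismatch on any algorithm means the file is not the one the maintainer hashed, whatever the scanner verdict says about it.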

I am able to reproduce the issue.

speederv2.exe
MD5: 970253A0953585093C4F8B4C749B21EC
SHA-1: 252C9E36B9FEC7091B17954BA1082F8B451BF4EC

I can confirm the binary was compiled by me, not replaced by someone else.

Searching, there's a related question on StackExchange: https://security.stackexchange.com/questions/229576/program-compiled-with-mingw32-is-reported-as-infected

Thanks for the link. It's not exactly the same, but closely related.

The problem only happens on 20200818.0, not on previous versions. And surprisingly the problem is gone after I re-compile it (and every time I compile it the checksum is different).

I released a re-compiled binary https://github.com/wangyu-/UDPspeeder/releases/tag/20200818.1 , so that anyone who got affected can use it as a temporary solution.

I will take a deeper look when I am free. I am not really familiar with how Windows Defender works. If anyone has an idea please reply to this issue.

wangyu- avatar Sep 29 '20 22:09 wangyu-

FYI if this happens again and it is a legitimate false positive in the eyes of Windows Defender, you can manually submit your executable to Microsoft for re-analysis here: https://www.microsoft.com/en-us/wdsi/filesubmission You just fill in a form, upload the file, and say you believe it is a false positive. (It requires a standard free Microsoft account to log in to use the form.)

I did it once for one of my own builds of a project that was wrongly flagged and they reanalyzed it. After a few hours they completed their report, acknowledged the false positive and corrected the antivirus definitions that same day. I was very impressed at their efficiency.

darkvertex avatar Jan 06 '21 16:01 darkvertex

@darkvertex 

Although I have never submitted anything to MS, at the moment 20200818.0 is no longer detected as false positive.

I will save the link for future use, thank you for the info.

wangyu- avatar Jan 07 '21 01:01 wangyu-