Rocksolid Light

computers / alt.comp.os.windows-10 / Microsoft Defender

Subject / Author
* Microsoft Defender - AllanH
+- Microsoft Defender - VanguardLH
+- Microsoft Defender - Mr. Man-wai Chang
`- Microsoft Defender - Paul

Microsoft Defender

<u6s3bo$2eark$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=72567&group=alt.comp.os.windows-10#72567

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@unokix.invalid (AllanH)
Newsgroups: alt.comp.os.windows-10
Subject: Microsoft Defender
Date: Tue, 20 Jun 2023 06:42:47 -0500
Organization: A noiseless patient Spider
Lines: 10
Message-ID: <u6s3bo$2eark$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 20 Jun 2023 11:42:48 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="6e44500a7ead4e261823c80481019fe2";
logging-data="2567028"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1/o5vLSciE76VNCReOKHWjyA3Ve/JTv60U="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Betterbird/102.12.0
Cancel-Lock: sha1:vvPrpFI8tKYxAbVPv/RVBbW8Njc=
Content-Language: en-US
by: AllanH - Tue, 20 Jun 2023 11:42 UTC

For all you Microsoft Defender AV lovers ;)

"Microsoft Defender now blocks and removes the file 7zFM.exe (32-bit
x86) from 7-zip 23.01 by some reason.
It reports about Trojan:Win32/Wacatac.B!ml.
I suppose that it's false positive.
If you know any ways to fix that problem with Microsoft Defender, please
write here."

https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/#e950

Re: Microsoft Defender

<tpzi8erx56tl.dlg@v.nguard.lh>

https://news.novabbs.org/computers/article-flat.php?id=72571&group=alt.comp.os.windows-10#72571

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!lilly.ping.de!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: V@nguard.LH (VanguardLH)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Microsoft Defender
Date: Tue, 20 Jun 2023 10:03:36 -0500
Organization: Usenet Elder
Lines: 16
Sender: V@nguard.LH
Message-ID: <tpzi8erx56tl.dlg@v.nguard.lh>
References: <u6s3bo$2eark$1@dont-email.me>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Trace: individual.net 6iuTv/rwwIDHC85Bvs6u7gJCW7F2K2MgB2tEMRe60IuLYWBPPO
Keywords: VanguardLH,VLH
Cancel-Lock: sha1:CKpVQwvxH8Eg+6T1Qy5tnsMakwo=
User-Agent: 40tude_Dialog/2.0.15.41
by: VanguardLH - Tue, 20 Jun 2023 15:03 UTC

AllanH <nospam@unokix.invalid> wrote:

> For all you Microsoft Defender AV lovers ;)
>
> "Microsoft Defender now blocks and removes the file 7zFM.exe (32-bit
> x86) from 7-zip 23.01 by some reason.
> It reports about Trojan:Win32/Wacatac.B!ml.
> I suppose that it's false positive.
> If you know any ways to fix that problem with Microsoft Defender, please
> write here."
>
> https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/#e950

https://www.microsoft.com/en-us/wdsi/filesubmission

You'll need a Microsoft account to submit the report.

Re: Microsoft Defender

<u6sf4u$2fgh5$1@toylet.eternal-september.org>

https://news.novabbs.org/computers/article-flat.php?id=72572&group=alt.comp.os.windows-10#72572

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!toylet.eternal-september.org!.POSTED!not-for-mail
From: toylet.toylet@gmail.com (Mr. Man-wai Chang)
Newsgroups: alt.comp.os.windows-10,alt.comp.os.windows-11,alt.comp.freeware
Subject: Re: Microsoft Defender
Date: Tue, 20 Jun 2023 23:03:56 +0800
Organization: A noiseless patient Spider
Lines: 12
Message-ID: <u6sf4u$2fgh5$1@toylet.eternal-september.org>
References: <u6s3bo$2eark$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 20 Jun 2023 15:03:58 -0000 (UTC)
Injection-Info: toylet.eternal-september.org; posting-host="7c151ad54d290ee0ef005af581bbaee3";
logging-data="2605605"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX19ik7z0KYFljvySHjraFVPi"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.0.3
Cancel-Lock: sha1:sq+ImEh3cBwG5N8JV437mvi9FkY=
Content-Language: en-US
In-Reply-To: <u6s3bo$2eark$1@dont-email.me>
by: Mr. Man-wai Chang - Tue, 20 Jun 2023 15:03 UTC

On 20/6/2023 7:42 pm, AllanH wrote:
> For all you Microsoft Defender AV lovers ;)
>
> "Microsoft Defender now blocks and removes the file 7zFM.exe (32-bit
> x86) from 7-zip 23.01 by some reason.
> It reports about Trojan:Win32/Wacatac.B!ml.
> ....
> https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/#e950

The first respondent should be Microsoft!!! :)

Re: Microsoft Defender

<u6sham$2fnd9$1@dont-email.me>

https://news.novabbs.org/computers/article-flat.php?id=72573&group=alt.comp.os.windows-10#72573

Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: nospam@needed.invalid (Paul)
Newsgroups: alt.comp.os.windows-10
Subject: Re: Microsoft Defender
Date: Tue, 20 Jun 2023 11:41:09 -0400
Organization: A noiseless patient Spider
Lines: 74
Message-ID: <u6sham$2fnd9$1@dont-email.me>
References: <u6s3bo$2eark$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Tue, 20 Jun 2023 15:41:10 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="bdafa853170c74321977973d416f6f2f";
logging-data="2612649"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+eYy/xPupo/qkovKP+rbgeg6XlCf4TUP8="
User-Agent: Ratcatcher/2.0.0.25 (Windows/20130802)
Cancel-Lock: sha1:/z11cCB2maSL/jgUg66MNt6TSJw=
In-Reply-To: <u6s3bo$2eark$1@dont-email.me>
Content-Language: en-US
by: Paul - Tue, 20 Jun 2023 15:41 UTC

On 6/20/2023 7:42 AM, AllanH wrote:
> For all you Microsoft Defender AV lovers ;)
>
> "Microsoft Defender now blocks and removes the file 7zFM.exe (32-bit x86) from 7-zip 23.01 by some reason.
> It reports about Trojan:Win32/Wacatac.B!ml.
> I suppose that it's false positive.
> If you know any ways to fix that problem with Microsoft Defender, please write here."
>
> https://sourceforge.net/p/sevenzip/discussion/45797/thread/3f550826d8/#e950

I tested in a Win10 VM. The labeling of the file was selected for tagging/bookkeeping
purposes, not because I actually got a hit on it. This is so I can locate this specific
sample if later I download 2301 again.

Name: 7z2301-x64-wacatac-x64.exe
Size: 1589510 bytes (1552 KiB)
SHA256: 26CB6E9F56333682122FAFE79DBCDFD51E9F47CC7217DCCD29AC6FC33B5598CD

OK, my first mistake was that I downloaded it in my Daily Driver: no hits
there, and I was not stopped from accessing it. I don't test-install in the
Daily Driver, and use a VM for that (which is still not absolutely safe,
but... whatever).

I neglected to remove the Alternate Streams blocking flag from the file.
If you do Properties on a downloaded file (all downloads), there is a
tick box you can use to remove the security status ("untrusted, was a download")
from the file. When the file showed up in the VM, Windows seemed to engage
SmartScreen, even though the slider for it was disabled. And SmartScreen
used the piss-weak method of "we haven't seen this executable before".
What a surprise (June 20 release date). I don't think I've seen this
before, so this might be a new feature from Patch Tuesday June 2023.
The test VM was freshly installed and patched yesterday. Took no
time at all to fire up.

*******

With the blocking flag still in place, when I put that on the VM via
a copy from a share, it got flagged. This is a reputation flag,
where the hash of the file has not been seen enough for it
to have a reputation. Lots of low-rent AVs use this method.
It helps to scare customers and make them feel protected.

[Picture]

https://i.postimg.cc/bwP5m96m/reputation-analysis-is-worthless.gif

After correcting my handling error, I rolled back the VM and tried again.
All worked fine! :-) No wacatac here.

[Picture]

https://i.postimg.cc/HLkdhgSv/works-OK-Compat-Tel-Runner-was-noisy.gif

Summary: Minor drama, no real problem.

Windows defense systems are not exactly reproducible, so
my test means nothing. There could be a million factors in
software lineup, to trigger this. It's not like patching two
machines "to the same level" guarantees their WinSxS are the same.

After you run a program a couple of times, CompatTelRunner.exe is
invoked. The VM railed on its two cores for 15-20 seconds. MsMpEng
was busy during that time, as were SearchIndexer and so on. It was a party
with a two drink limit.

Wacatac ML is a heuristic detection (like, say, tampering),
and the references I can find seem to be mostly false positives.
I'm sure Igor already knows this. VirusTotal got one hit (from the fifty
or so scanners), but that's just another one of those reputation flags,
and since it's from a "lesser AV", practice is to ignore those. If one
of the big guns flags a program, that is taken a bit more seriously.

Paul

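The checks Paul walks through by hand (the "untrusted, was a download" flag, the SHA256 of the sample, whether Defender actually logged a hit) can be done from PowerShell. The block below is an added example written for this page; it is not code from Paul's post, from 7-Zip, or from Microsoft. The download path and the expected hash are assumptions: the file name only echoes the installer Paul mentions, and the expected hash is meant to be the value the publisher posts for the release, obtained out of band, which this example does not claim to know. Get-MpThreatDetection and Get-MpComputerStatus are the built-in Defender cmdlets and normally need an elevated shell.

```powershell
function Get-MarkOfTheWeb {
    # The "security status" Paul clears via the Properties tick box is the
    # Zone.Identifier alternate data stream (Mark-of-the-Web). ZoneId 3 is
    # the Internet zone; it is what makes SmartScreen look at the file.
    param([Parameter(Mandatory)][string]$Path)

    $stream = Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no MotW: file was never flagged as a download

    $ini = @{}
    Get-Content -Path $Path -Stream Zone.Identifier |
        Where-Object { $_ -match '^(\w+)=(.*)$' } |
        ForEach-Object { $ini[$Matches[1]] = $Matches[2] }

    [pscustomobject]@{
        ZoneId      = [int]$ini['ZoneId']
        ReferrerUrl = $ini['ReferrerUrl']
        HostUrl     = $ini['HostUrl']
    }
}

function Test-DownloadedBinary {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hash published by the vendor for this release (assumed; supply your own).
        [string]$ExpectedSha256
    )

    # Hash first: if this does not match the publisher's value, the question of
    # "false positive or not" is moot and the file should not be run anywhere.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $motw = Get-MarkOfTheWeb -Path $Path

    # Detections Defender has logged for this exact path. A Wacatac.B!ml hit
    # would appear here with the file in its Resources list.
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue |
        Where-Object { $_.Resources -like "*$Path*" }

    [pscustomobject]@{
        Path         = $Path
        Sha256       = $hash
        HashMatches  = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpper() } else { 'not checked' }
        ZoneId       = if ($motw) { $motw.ZoneId } else { 'none (no MotW)' }
        ReferrerUrl  = if ($motw) { $motw.ReferrerUrl } else { $null }
        DefenderHits = @($detections).Count
        # Paul notes these results are not reproducible across machines; record
        # the definition version so a later retest can be compared.
        SignatureVer = (Get-MpComputerStatus).AntivirusSignatureVersion
    }
}

# Usage (assumed path and placeholder hash; both are illustrative):
$report = Test-DownloadedBinary -Path "$env:USERPROFILE\Downloads\7z2301-x64.exe" `
                                -ExpectedSha256 '<SHA256 from the publisher>'
$report | Format-List

# Only after the hash matches and you have decided the hit is a false positive:
# clear the MotW (what the Properties tick box does), and if an exclusion is
# unavoidable, exclude the single file, not a folder, and remove it later.
#   Unblock-File -Path $report.Path
#   Add-MpPreference -ExclusionPath $report.Path
#   Remove-MpPreference -ExclusionPath $report.Path
# If Defender already quarantined the file, MpCmdRun.exe lists and restores it:
#   & "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
```

Reading the Zone.Identifier stream rather than just calling Unblock-File is deliberate: the ReferrerUrl and HostUrl fields tell you where the file actually came from, which is the first thing to check before deciding that a detection on a "7-Zip installer" is the false positive the thread assumes. Submitting the sample through the Microsoft file-submission page VanguardLH links to is the correct fix; the exclusion is a stopgap to be reverted once definitions are updated.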
