22621.3007.63.2 and 22621.3007.63.3 flagged by Defender as Virus or potentially unwanted software #2873
Comments
|
Same for me, Windows 10 Pro 22H2. Its identified as HackTool:Win64/Patcher!MSR So this really sounds like Microsoft does not like the tool that makes Windows 11 better and wants its users to suffer. I've restored the file and whitelisted the path from defender. |
|
Same here with Windows 11 23H2
|
|
Same here |
|
I have the same issue on my computer too
|
|
Same issue here.
|
|
@valinet what is the source of this issue exactly |
|
Same issue in Windows 11 Home |
|
Released 63.3. If this happens again I'll keep doing this. |
Confirm that updating to 63.3 doesn't trigger any Windows Security alerts. |
|
Tried to download version 63.3. Unfortunately, it still triggers the security warning. |
|
This is still happening on windows 11 Pro with the latest release.
|
|
Unfortunately, it’s still happening in 63.3.
TheAncient
From: Amr Satrio ***@***.***>
Sent: February 20, 2024 20:02
To: valinet/ExplorerPatcher ***@***.***>
Cc: TheAncient2 ***@***.***>; Author ***@***.***>
Subject: Re: [valinet/ExplorerPatcher] 2261.3007.63.2 flagged by Defender as Virus or potentially unwanted software (Issue #2873)
Released 63.3. If this happens again I'll keep doing this.
—
Reply to this email directly, view it on GitHub <#2873 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/A7NZN6TQR4X2DOC2RZI2A6TYUVPSVAVCNFSM6AAAAABDRTJ5YWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJVG44DSMRWGE> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/A7NZN6WZDZDOTSVGBLL6OX3YUVPSVA5CNFSM6AAAAABDRTJ5YWWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTUSL442.gif> Message ID: ***@***.*** ***@***.***> >
|
|
Unfortunately, it’s still happening in 63.3.
TheAncient
From: griffinator76 ***@***.***>
Sent: February 20, 2024 20:15
To: valinet/ExplorerPatcher ***@***.***>
Cc: TheAncient2 ***@***.***>; Author ***@***.***>
Subject: Re: [valinet/ExplorerPatcher] 2261.3007.63.2 flagged by Defender as Virus or potentially unwanted software (Issue #2873)
Released 63.3. If this happens again I'll keep doing this.
Confirm that updating to 63.3 doesn't trigger any Windows Security alerts.
—
Reply to this email directly, view it on GitHub <#2873 (comment)> , or unsubscribe <https://github.com/notifications/unsubscribe-auth/A7NZN6WUJD7OD5RXM2LDM6LYUVRBPAVCNFSM6AAAAABDRTJ5YWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNJVG44TSOBSHE> .
You are receiving this because you authored the thread. <https://github.com/notifications/beacon/A7NZN6WM4LL3M7CJYW4PMTLYUVRBPA5CNFSM6AAAAABDRTJ5YWWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTTUSMRRK.gif> Message ID: ***@***.*** ***@***.***> >
|
Amrsatrio
changed the title
|
I suggest to report the false positives to Microsoft: https://www.microsoft.com/en-us/wdsi/filesubmission?persona=HomeUser |
|
Ran a virus test on the new update file and no issues were found. MD5 checksum for update executable: 0F0D942625A01BA2BFA7F4FF6374F03B |
|
It is not a false positive... |
|
@y2k04 I've said like 999 times, there are no stealer code present in EP. Everyone can check the code that gets into ep_setup.exe distributed through this GitHub. That is a false positive. Someone else other than me should vouch for this though, honestly saying. |
|
Then why does Triage report a 10/10? |
|
Still hella sus |
|
I am very sure because of that false Lumma stealer detection. The "Downloads MZ/PE" file is this one: ep_setup.exe doesn't do any more of exe/dll downloads. Previously it was used to download specific versions of StartTileData.dll and such (those are distributed with Windows) but now not any more. This one is for adding its uninstall entry in installed apps, nothing harmful: This one is used for restarting explorer.exe as part of its installation/update process: You do you. If you don't trust this then don't spread misinformation unless you can prove it that the code contains a stealer. This is an open source software, where the build process happens in GitHub's servers. Go check the source code and the build scripts yourself, or open IDA and find the stealer code and post it here if you believe that there's hidden code slipped in. If this software were closed source you could've said that. Swear to god I am in good faith developing this software, because I myself like the old taskbar a lot and don't want to miss it or see it being broken. If you have proven that the code contains a stealer, tell me where the code is at and I will do my best to remove them. I totally do not want EP's name being contaminated just due to this. |
|
Thanks for developing this software, I like the old taskbar a lot also. Following this issue and hopefully someone will step up and confirm that it is a false positive. |
|
I submitted here for review: https://www.microsoft.com/en-us/wdsi/filesubmission/ which is where all false positive reports should go. |
|
@Amrsatrio You're wasting your time imo. You can do so much to explain things rationally. Some still won't understand or even try to understand, by exploring the phenomenon themselves. They just limit themselves to believing some superfluous fact without researching what goes into that. Just ignore them, honestly, long term, it only generates unneeded stress for you and wastes your precious time dealing with the non-sense. To everyone: once and for all, we do not have any intention of doing anything bad. Even if we had, why go though all the trouble of making an app like ExplorerPatcher when we could push some malware game in Google Play and that would have in a week the number of downloads this has gotten in years. It's not like it hasn't happened in the past. Whatever bugs there are in the program, you can be certain 100% they are unintentional and either documented and neutered when discovered, either documented and fixed. That's it. To people believing and fueling these conspiracies and non-sensical posts, I challenge you to show me how you ensured the supply chain elsewhere in your life. Do you verify from transistor level to logical level everything that you use on a day by day basis? Do you ask the same you ask from EP to the others? Even then, EP has done more than the industry standard anyway: the code is fully open source, documented, so nothing stops you from checking out the tree, compiling a version yourself, disassembling that and then comparing the distributed executables with whatever you produced. I guarantee you functionally they are identical, nothing more, nothing less. Do this analysis, find something bad, and then come and open a topic like this. There are no blobs at the moment distributed with the program, you can recreate the binaries yourself from the source posted. You can also inspect the entirety of the source for "bad" things, as I said, I guarantee that, besides human mistakes aka bugs, you won't find anything malicious. The distributed binaries are not compiled on my PC or Amr's, but on GitHub's public infrastructure, on clean runners hosted in their cloud, all so that the build process has the least chance of getting compromised by an actor and that injecting unwanted payloads in the final executable. We do not touch those executables, they are compiled automatically every time new commits are pushed to the master branch. From now on, threads on this matter won't be allowed. This is not a place to discuss "EP flagged by whatever AV engine". Things like "how can we improve EP's software supply chain security" or "what measures has the team taken to ensure distributed artifacts are the actual product of the source code posted" and so on of course are more than welcome and encouraged, things where we explain and build upon knowledge as well, but not where we waste time explaining for the millionth time how a modern AV engine works, what is a false positive, things explained a million times in the past. Please refrain from replying if whatever you reply doesn't add value to the information that's already in this thread. Thank you. |
|
|
63.3 is OK for me, it doesn't trigger Windows11 Security alert. |
|
Actually the issue is that this is common when a The error message is varying too:
|
|
@ateric I closed the issue a couple of days ago as currently things are working on my machines (#2873 (comment)) |
Of course, I'm not forced to install any updates, but when a pop-up appears that says an update is available, my instinctive reaction is to respond. Regarding money, I don't know you at all. Even if that were the case, I wouldn't turn down €100,000,000, whoever (Vladimir) offered me. To be honest, I would also have agreed to €50,000... And so would, of course, you... have you |
|
@ateric Let's try this again:
Regarding money, I don't have the faintest idea what you are talking about... |
|
They're basically saying you conspired with Russia (Vladimir Putin) in exchange for money to infect computers with spy/malware. Yeah right, get your head out of the conspiracies @ateric this is a relatively small project used by nerds and it's open source with lots of transparency. This isn't the last target for something like that, but it's certainly not the first and it's owned by 2 people so you'd have to bribe both. Just shut up the likelihood is basically astronomical. |
|
@RikuTheKiller @ateric I am a USER of this software. I am NOT an author of this software. There is nothing that Putin would want to bribe ME for. The problem was caused by Microsoft Defender falsely detecting ExplorerPatcher as a virus. I was a victim of this problem and I reported, that this was happening to me. Putin does not have to bribe me to report that Microsoft screwed up (yet again). I have had enough run-ins with Microsoft to report their screw-ups for free - no payment required. |
|
I suggest this issue be locked. |
Agreed. This is getting out of hand. |
|
@pyrates999 @y2k04 |
That is because I pulled back 63.2 and 63.3 from being the latest release. I made it back to 62.2 which is the last known good. The real question is: what happens if I make 63.4 a release? Will MS flag it again? Should I do it to find out? Thing is it does not query all running processes anymore. If that gets flagged again then it means the setup codebase will need a reset to 62.2. Ugh. I do not want to lock this thread as well because doing so might look like we're denying the fact that we have a virus without chances for the users to further speak or confirm about it, though. |
|
I would build it myself and submit it to windows defender and scan it before you do a release. |
|
Won't do anything I presume. It began with two detections, maybe with only Defender detecting as Wacatac or Wacapew but then it goes away naturally as it gets spread. It's very common for exes that are not widely spread yet. Speaking about submitting to MSR, that thing takes a long while to respond. It's been four days without a response at least for me so don't think it would make a difference. Source: I've done that four days ago, and once again just now: https://www.virustotal.com/gui/file-analysis/ZDY3ODBkM2I4ZDI5YzFhZTU1ZmNjNjIzNmNhODMzZWE6MTcwODgzNDA1OQ== |
|
I appreciate the work you do :) |
|
I still believe that this is related to behavioral heuristics that are invoked manually by humans. 63.1, 63.2, and 63.3 all of them queries all running processes. Combined with the other things ep_setup does, I believe that would cause MS into hating this thing. 63.4 doesn't do that anymore as I said. |
|
@Amrsatrio |
Can you show the screen shot of defender blocking them? What does defender identify them as? |
|
@pyrates999 |
|
Those are chrome warnings, they are not coming from windows defender. I get them too. It happens when a file hasn't been downloaded much and is less then 24 hours old. |
|
Microsoft Analyst response to my submission:
As of this comment, 63.4 is not detected by Windows Defender, but 63.3 is flagged as "HackTool:Win64/Patcher!MTB" Definition: 1.405.631.0 |
|
Yep I got the same. Probably we need to dispute about this now, or try releasing a new update based on 62.2. |
|
63.4 not detected on my Win11 |
|
Did my part and submitted v.63.3's file as a false-positive detection for malware. Don't know if Microsoft will move on it, but at least it's one more report. |
|
It's happening on an older version without the latest updates too. |
|
Also got this for the latest update. Freaked me out a bit because other updates have gone smoothly. Sent a false positive report to Windows Defender for what its worth. |
|
@catnip-king By submitting it to Microsoft you are basically converting the detection to HackTool:Win64/Patcher. |
and others
Defender will not allow me to install the latest version of Explorer Patcher: It thinks it's a Virus
(Running Win 11 - 22H1 (OS Build 22621.3155)
The text was updated successfully, but these errors were encountered: