Defender detects Raccine as a Trojan #88
Comments
I also made a positive mark on VT
… On 1 Nov 2020, at 16:16, John Lambert ***@***.***> wrote:
After submitting the file to Defender as a FP, Defender now determines the file is clean:
With version 1.3b this issue has returned 😕

What's the detection name?

In general, submitting a file with a False Positive to Defender's reporting portal will ensure a human analyst looks at it. I would include a link to this github repo (and also this page) as context when reporting:

The problem is the presence of vssadmin strings and other indicators inside the file which will always mark it as a malware in most AV engines. There has to be a way past that, but that is the reason.

We should be able to move all those detections to Yara now. I wonder if that will eliminate these AV detects since they won't be in the executable anymore.

The YARA feature won't be available on x86 platforms. The internal filters at least provide some kind of protection for these users.
Hi, Microsoft Defender is triggering on the 1.3.1b download. I can't actually download the file with Google Chrome; it refuses to do so with a "Virus Detected" error. Microsoft Defender is reporting Trojan:Win32/Woreflint.A!cl on Raccine_x86.exe and Trojan:Win32/Woreflint.A!cl on Raccine.zip when the download completes with Mozilla Firefox as the browser. Security Intelligence version: 1.327.683.0 created on 10th November 2020.

Extracting the files in the ZIP to the Raccine program folder results in multiple errors and warnings on open files and files in use (Raccine is not running), so I can't be confident the files extracted and overwrote correctly. As much as this project has great potential, until these issues with false positives with Microsoft Defender can be resolved it's dead in the water. I've uninstalled for now to prevent Defender from having constant fits over the files 🤔

P.S. Windows Powershell now refuses to run once Raccine is uninstalled. The file is present but reports as missing when you run it manually from Explorer. Something in the Uninstall routine is broken, as is my Windows install now 🙁

Right. The IFEO options are NOT removed by the uninstaller. The Uninstaller is broken quite badly.

I don't think that the uninstaller is broken. You just have to run the file

I think this is preventing it from running at all, because vssadmin delete /all in powershell did not kill the parent process.
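The "PowerShell refuses to run after uninstall" report above is the symptom of an Image File Execution Options (IFEO) `Debugger` value left behind and pointing at a binary that no longer exists. The following audit script is an added example, not code from Raccine or from anyone in this thread; it only lists IFEO `Debugger` entries and flags those whose target executable is missing, and it assumes the standard IFEO registry locations (64-bit and WOW6432Node views).

```powershell
# Added example (not part of Raccine or this thread): audit Image File Execution Options
# for Debugger entries whose target binary no longer exists. A dangling entry makes the
# named image (e.g. powershell.exe) fail to start until the Debugger value is removed.
# This script only reports; it changes nothing.
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-DebuggerExePath {
    param([string]$Debugger)
    # The Debugger value is a command line: the executable is either the first
    # quoted token or, if unquoted, the first whitespace-delimited token.
    if ($Debugger -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Debugger -split '\s+', 2)[0]
}

$findings = foreach ($root in $ifeoRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    $view = if ($root -like '*WOW6432Node*') { '32-bit view' } else { '64-bit view' }
    foreach ($key in Get-ChildItem -Path $root) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ([string]::IsNullOrWhiteSpace($dbg)) { continue }   # no Debugger value on this image
        $exe = [Environment]::ExpandEnvironmentVariables((Get-DebuggerExePath $dbg))
        [pscustomobject]@{
            Image    = $key.PSChildName          # e.g. vssadmin.exe, powershell.exe
            Debugger = $dbg
            Dangling = -not (Test-Path -LiteralPath $exe)   # true when the debugger binary is gone
            View     = $view
            KeyPath  = $key.PSPath
        }
    }
}

$findings | Format-Table Image, Dangling, View, Debugger -AutoSize
$dangling = @($findings | Where-Object { $_.Dangling })
if ($dangling.Count -gt 0) {
    Write-Warning ("{0} IFEO Debugger entry(ies) point to a missing binary. " +
        "Remediation (per entry, as admin): Remove-ItemProperty -Path <KeyPath> -Name Debugger") -f $dangling.Count
}
```

Run from an elevated prompt so both registry views are readable; an entry for powershell.exe marked Dangling is exactly the failure state described in the comment above.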