-
Notifications
You must be signed in to change notification settings - Fork 478
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TypeTreeGenerator detected as a virus #479
Comments
I can confirm windows defender detects the file as a trojan Trojan:Win32/Wacatac.B!ml |
I have just submitted a report to Microsoft, hopefully it will be fixed soon. |
It's quite interesting to see how there are more and more scanners that flag it (with 'generic'/'AI' detection). Several of the analysis sandboxes in the virustotal results more or less show what Windows' crash handler |
360 will also give false positives, I have already reported it to 360 |
Seems like WinDef will only flag the 64bit download, but doesn't seem to care about the 32bit one. |
In the implementation of the UABE project viruses |
I seem to be getting other results. All detected by Windows Defender. I was able to download and run the 32 bit download yesterday, but Windows seems to have deleted it and now I can no longer download either. |
Forced Windef to redetect it a few times and tried downloading it in multiple different ways. 64bit archive (just the archive download) tripped every time. I only got The VirusTotal results show that TypeTreeGenerator returns a .NET Framework 4.* CLR version, which is to be expected, but the crash is then especially confusing considering 4.8 has been the expected .NET Framework version for more than 3 years and obviously not every .NET Framework 4.8 program is getting flagged as a trojan. If I had to guess some random thing in the program set off alarm bells in the autodetection system that led it to find and flag the registry key/IP contact behavior but I'm no antimalware engineer. |
Yandex Browser also blocks files immediately after downloading. I have already sent them a message and I will update the post when I get a response. |
Is it just the TypeTreeGenerator.exe that's being flagged? That sounds like a separate program, right? Can you create a zip without this file? |
Not bundling malware? A lot of reputable malware & virus detection vendors seem to disagree: What code is triggering this? https://www.virustotal.com/gui/file/a6b68f9f565bf81819465b3d41e11da4c7ef1e5e5f677ebc66f04f594dd18d87 |
It's a false positive, maybe some of the code matched some other malicious samples that many malware detectors have in their data base. I highly doubt this trusted creator would bundle in malware into software lots of people use. |
A definitive statement requires a definitive explanation for the false positive, otherwise it's presumed malicious for safety reasons. Moreso when the majority of vendors flag it. That said, please backup the claim with an explanation of the mode that causes the false positive, and even better how it can be resolved. I'm not claiming the dev is intentionally bundling malicious code, but it's presumed the binary is malicious until proven otherwise.
Is not that. "I don't think someone would bundle malware" is not what a security stance makes. When it's proven it's not, then it's not. |
If it was malware why is it still available for download? It's been up for nearly 4 months now, multiple people are sure to report to github staff |
It is open source, feel free to audit it and build it yourself. |
Since another topic was marked a duplicate of this, I'll repeat what I said there: First, since the issue is in just this one (non-critical) file, there should be a release bundle/option with the file removed. It's only needed for C# disassembly, and from what I gather, it doesn't work with IL2CPP games anyway. I've successfully used UABE with the file deleted, and honestly think it should be left as an option only for those who absolutely need it. Second, I've built the file from source, and it triggered 4 detections (behavior check was clean). That's way less than what the official build is triggering. I don't know if the vendors just gradually copy from each other after it triggered a behavior flag, or if there's something in the official build that triggers a detection. And to all the people who claim it's a false positive without evidence: Remember, that just because a source is safe, doesn't mean the build is clean. Not unless you have a reproducible build process, and actually ran it on an independent machine. The fact that my own build did not trigger a fifth of the same number of detections IS something worth investigating. A build environment can be compromised as well. |
@dyaricoderman Hmm, 9 on yours vs 4 on mine. I triggered "Google", though, which is not on your list. My build was a bit unusual, though. I'm not a fan of CMake, so I improvised a csproj by copying and editing from another project I'm working on, then built it using MSBuild 12. I also downloaded Mono.Cecil.dlll and Mono.Cecil.Rocks.dll from the official release, to use as linked assemblies. Also, the ToolsVersion and TargetFrameworkVersion in my csproj are set to 4.0, so that could also be a factor. I am noticing your triggers are things like "Ai", "Generic" and "Unsafe", suggesting higher likelihood of overeager heuristics. |
i also tried building with the official mono.cecil dlls but they gave me the same result |
Can't you just buy a certificate? 🤓 |
i have no idea why this only just happened now, but uabe 3.0's version of typetreegenerator was flagged as a false positive by windows defender
dunno why it thinks it's a virus, i literally have used it a few days ago when uabe 3.0 got released
The text was updated successfully, but these errors were encountered: