mozregression-gui.exe detected as Trojan:Win32/Zpevdo.B
Categories: Testing :: mozregression, defect
Tracking: Not tracked
People: Reporter: valflaux, Unassigned
Attachments: 4 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Steps to reproduce:
Download mozregression for Windows from GitHub: https://github.com/mozilla/mozregression/releases/download/4.0.6/mozregression-gui.exe
Scan the file with Windows Defender.
Actual results:
The file is detected as Trojan:Win32/Zpevdo.B
It's Trojan:Win32/Zpevdo.A and Trojan:Win32/Zpevdo.B for me.
Checksum for my mozregression-gui.exe from the 4.0.6 release:
SHA1: 65533AEC46FDEC653159E362C737A788DA64B4EA
SHA256: 2720126B06D83C352FFFF55D9F0FCE7E09D4141E3ABD8AC1D12900F38032E282
I used this version yesterday and Windows Security did not prompt for any virus alerts.
Note:
I opened the program (4.0.6) and it still prompted for an update to 4.0.6. I checked the version in About and it said it's version 4.0.7.dev0+[a bunch of letters].
There's no virus alerts for 4.0.5.
(In reply to Fanolian from comment #1)
It's Trojan:Win32/Zpevdo.A and Trojan:Win32/Zpevdo.B for me.
Antivirus definition is Version 1.319.26.0.
Description of this update according to Microsoft:
The latest security intelligence update is:
Version: 1.319.26.0
Engine Version: 1.1.17200.2
Platform Version: 4.18.2005.5
Released: 6/23/2020 7:30:42 AM
More info about the update can be found at https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes
Comment 3•4 years ago
Unfortunately mozregression has some elements (as an executable program) indistinguishable from a virus; this is essentially the same issue as this one:
https://github.com/spesmilo/electrum/issues/4986#issuecomment-451385953
Rest assured that the rights to upload executables and packages to GitHub and PyPI are strictly controlled, and that mozregression itself should be as safe as any piece of open source software. The real solution to this is bug 1366570, but I don't have the time/resources to work on that myself.
I'll leave this open for now, since it is a "real" problem if not one that is easily solved by itself.
Comment 4•4 years ago
Looks like it may be possible to tell microsoft that we are not a virus:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
Comment 5•4 years ago
We managed to tell Microsoft that geckodriver was not a virus, prior to it being signed, so there is evidence that can actually work :)
Comment 6•4 years ago
(In reply to William Lachance (:wlach) (use needinfo!) from comment #4)
Looks like it may be possible to tell microsoft that we are not a virus:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide
Gave this a try. According to their portal, "no malware was detected". <Shrug>. I'm going to follow up (just a little) on how possible it might be to create signed copies of mozregression, which would address this issue.
Comment 7•4 years ago
:whimboo did the signing stuff for geckodriver; we moved it in-tree to use the Mozilla signing key. idk if that's a reasonable thing to do with mozregression, but perhaps?
Comment 8•4 years ago
(In reply to James Graham [:jgraham] from comment #7)
:whimboo did the signing stuff for geckodriver; we moved it in-tree to use the Mozilla signing key. idk if that's a reasonable thing to do with mozregression, but perhaps?
Moving mozregression in-tree is probably a non-starter (at least for me), but maybe using codesigning might be possible if we moved mozregression's CI to taskcluster? I asked catlee about this in bug 1366570
Comment 9•4 years ago
The severity field is not set for this bug.
:wlach, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•4 years ago
Comment 10•4 years ago
The severity field is not set for this bug.
:wlach, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•4 years ago
Comment 11•4 years ago
The severity field is not set for this bug.
:wlach, could you have a look please?
For more information, please visit auto_nag documentation.
Updated•4 years ago
Comment 12•4 years ago
Upgraded to pyinstaller 4.0 for 4.0.13, which seems to no longer be detected as a virus (probably because it has a slightly different signature). Of course this is not a long term fix.
Comment 13•4 years ago
Mozregression is being picked up as malware again. I tried to install it on Windows a few days ago and was unsuccessful in getting it to run. A user is also reporting it getting detected as a virus in bug 1668686.
Comment 14•4 years ago
It seems that the mozregression-gui.exe file is deleted right after download if using Cisco AMP 7.2.11.11804 antivirus and the file is displayed as a trojan virus.
Comment 15•4 years ago
As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should work around this problem. Mihai, could you give it a try?
https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts
Comment 16•4 years ago
(In reply to William Lachance (:wlach) (use needinfo!) from comment #15)
As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should work around this problem. Mihai, could you give it a try?
https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts
I was able to download the file and to install it. It seems that your fix is the solution.
Note that I tested this only with Cisco AMP 7.2.11.11804 antivirus.
Comment 17•4 years ago
(In reply to Mihai Boldan, QA [:mboldan] from comment #16)
(In reply to William Lachance (:wlach) (use needinfo!) from comment #15)
As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should work around this problem. Mihai, could you give it a try?
https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts
I was able to download the file and to install it. It seems that your fix is the solution.
Note that I tested this only with Cisco AMP 7.2.11.11804 antivirus.
Just released 4.0.15 with this change:
https://github.com/mozilla/mozregression/releases/tag/4.0.15
Comment 18•4 years ago
I'm seeing it flagged by Defender as Trojan:Win32/Wacatac.G!ml in 4.0.15.
Comment 19•4 years ago
I managed to investigate more and here is what I encountered:
- I confirm that the 4.0.15 build can't be downloaded if Windows Defender is available, but if I use the try build from Comment 15, things are working just fine (build can be downloaded and installed).
- Also with AVG antivirus there are some problems. The build is downloaded, but mozregression can't be installed if I use the 4.0.15 build.
- Again, with AVG antivirus, mozregression can be downloaded from the link displayed in Comment 15 and the app can be installed, but a problem occurs when trying to open mozregression (mozregression-gui.exe). The executable file is automatically deleted by the antivirus.
- With Kaspersky antivirus it seems that the file can be downloaded and installed without any problems.
Note that for testing these versions of antiviruses were used:
- Kaspersky 11.0.1.90
- AVG 20.8.3147
- Windows Defender 4.18.2009.7
William, please let me know if I can help any further with the investigation.
Comment 20•4 years ago
4.0.15 is triggering antivirus for me too (I'm running AVG 20.8.3147 but Windows Defender is triggering too even though it's nominally off). The installer triggered Windows Defender but not AVG so I allowed the installation to proceed. However, the primary executable triggered AVG. In fact, I had to turn off anti-virus temporarily even just to upload the executable to VirusTotal (adding an exception for this file was not enough to allow upload).
Passing the unpacked executable to VirusTotal shows 19 engines detecting a problem with moderate confidence including mainstream AV products (AVG, Avira, BitDefender, Microsoft, Symantec), see https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/detection.
Looking at the behaviour in the antivirus sandbox (https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/behavior) shows enough suspicious behaviour (system registry keys written, system registry keys deleted, windows services terminated) that I am not prepared to run the executable (a Windows expert may be able to say these are all harmless, but they're not obviously clean).
In contrast 0.9.46 triggers just three obscure AV engines at low confidence, https://www.virustotal.com/gui/file/48682733dd4aaca242165e520ce7ba67ca9743fa07274ab49046c5406764f805/detection, and shows much more innocuous sandbox behaviour.
I'm going to try my bisection with 0.9.46 which doesn't have any AV issues.
Comment 21•4 years ago
Ok, it sounds like compressing with upx isn't really a solution...
(In reply to Steven Singer from comment #20)
...
Looking at the behaviour in the antivirus sandbox (https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/behavior) shows enough suspicious behaviour (system registry keys written, system registry keys deleted, windows services terminated) that I am not prepared to run the executable (a Windows expert may be able to say these are all harmless, but they're not obviously clean).
That is indeed the file (the byte size matches what was produced by CI: https://ci.appveyor.com/project/wlach/mozregression/branch/master)
I suspect those are just default registry keys that would be set incidentally when an executable is run, though I don't blame you for being suspicious!
In contrast 0.9.46 triggers just three obscure AV engines at low confidence, https://www.virustotal.com/gui/file/48682733dd4aaca242165e520ce7ba67ca9743fa07274ab49046c5406764f805/detection, and shows much more innocuous sandbox behaviour.
0.9.46 was built using cxFreeze (https://cx-freeze.readthedocs.io/en/latest/) which is more obscure (and thus probably fewer viruses/trojans are created with it).
Talking with :glob, it sounds like what we might want to try is submit the .exe file to malware vendors to let them know it's harmless (signing, which I thought was the solution before might help with some, but not others).
Comment 22•4 years ago
Adding compression may trick some basic antiviruses but better antiviruses get "extra paranoid" once an .exe file is compressed. I wonder if you can ship a chocolatey package installing all the dependencies and ship plain Python files. https://chocolatey.org
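A triage check a maintainer can run on a release binary before filing a false-positive report, as an added example (not mozregression's or PyInstaller's code): it parses the PE headers with the standard library and reports whether the image carries UPX section names and whether it has an Authenticode certificate table, the two properties (packing and signing) the comments above discuss. The `build_sample_pe` helper fabricates a minimal, non-runnable PE32 image so the check runs offline; the section-table and WIN_CERTIFICATE layouts follow the PE/COFF specification, and the sample contents are constructed.

```python
import struct

# Index of the Authenticode (security) entry in the optional header's data
# directory table, per the PE/COFF specification.
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def inspect_pe(data: bytes) -> dict:
    """Return the section names of a PE image plus two heuristics-relevant flags:
    whether it carries UPX section names and whether it has an Authenticode
    certificate table. Raises ValueError on anything that is not a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                    # PE32
        n_dirs_off, dirs_off = 92, 96
    elif magic == 0x20B:                  # PE32+
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, opt + n_dirs_off)[0]
    cert_off = cert_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
    table = opt + opt_size                # section table follows the optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i:table + 40 * i + 8]          # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
        "has_authenticode": cert_off > 0 and cert_size > 0,
    }


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Construct a minimal, non-executable PE32 image (constructed test data, not a
    real mozregression build) so inspect_pe can be exercised offline."""
    n = len(section_names)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt_size = 96 + 16 * 8                                    # PE32 header + 16 dirs
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    headers_len = 64 + 4 + 20 + opt_size + 40 * n
    dirs = [(0, 0)] * 16
    cert = b""
    if signed:
        blob = b"\0" * 16                                     # stand-in for PKCS#7 data
        # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert))
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    sections = b"".join(name.encode().ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + opt + sections + cert


if __name__ == "__main__":
    import sys
    # Usage: python pe_check.py mozregression-gui.exe
    with open(sys.argv[1], "rb") as f:
        print(inspect_pe(f.read()))
```

A packed and unsigned result does not prove the file is a false positive, but it explains why heuristic engines lean that way and is the first thing to state in a vendor submission.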
Comment 23•4 years ago
This is still a problem with mozregression 4.0.15. Firefox and Windows Defender block the download of the mozregression installer. If I work around the download block and run the installer, Windows Defender then blocks the installed mozregression-gui.exe in Program Files.
Windows Defender classifies mozregression-gui.exe as:
Trojan:Win32/CryptInject!ml
Trojan:Win32/Ymacco.AAA7
Trojan:Win32/Zpevdo.B
Comment 24•4 years ago
4.0.15 SHA-256:
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
Comment 25•4 years ago
Still hits 4.0.15 on W10 for me as well (will attach screenshot).
Comment 26•4 years ago
mozregression Gui version 4.0.15
Windows version 20H2 19042.746
Antimalware Client Version: 4.18.2011.6
Engine Version: 1.1.17700.4
Antivirus Version: 1.329.3163.0
Antispyware Version: 1.329.3163.0
Comment 27•4 years ago
I tried to download the latest version 4.0.15 of mozregression-gui.exe for Windows as released on 21 Oct 2020 in Firefox and it is detected as a virus by Firefox itself... I do use Windows Defender as AV...
I've submitted the most recent installer and gui executable (post install) to Microsoft for analysis as false positives (via https://www.microsoft.com/en-us/wdsi/filesubmission). I'll report back if I hear anything.
(In reply to Richard Leger from comment #27)
Created attachment 9200950 [details] mozregression-gui-exe-contains-virus.png
I tried to download the latest version 4.0.15 of mozregression-gui.exe for Windows as released on 21 Oct 2020 in Firefox and it is detected as a virus by Firefox itself... I do use Windows Defender as AV...
Looks like a false positive due to the safe browsing lists used for detection[0]. I'm not familiar with this, but have attempted to submit a false positive report. If we keep seeing this behaviour I'll see if I can prod some more.
[0] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work
(In reply to Bryce Seager van Dyk (:bryce) from comment #28)
I've submitted the most recent installer and gui executable (post install) to Microsoft for analysis as false positives (via https://www.microsoft.com/en-us/wdsi/filesubmission). I'll report back if I hear anything.
Microsoft have followed up for both cases and state the detection of these cases should be removed. I'm not sure how fast the definitions roll out, but will keep an eye out to see if these stop getting picked up in the near future.
Edit: Part of the instructions from Microsoft include the following to clear my cached entries
- Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
- Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
- Run "MpCmdRun.exe -SignatureUpdate"
I was still having issues until I did this, and now the files no longer appear to be picked up. My hope is that this happens without prompting at some point and the above steps just speed up the process.
Comment 31•4 years ago
mozregression 4.0.15
I get the error from Firefox Nightly.
(In reply to erosman from comment #31)
Created attachment 9206942 [details] mozregression.jpg
mozregression 4.0.15
I get the error from Firefox Nightly.
That's Google's safe browsing list giving a false positive. I've submitted a request to them, but the situation is pretty opaque, and since I don't own github (if you own the site, Google have some more tooling available) it's hard to know if any progress has been made.
William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.
Comment 33•4 years ago
(In reply to Bryce Seager van Dyk (:bryce) from comment #32)
William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.
What do you think about doing a new release? There have been some minor improvements since 4.0.15. I don't know how much trouble it is to resubmit to Windows defender though.
That sounds good too. It wasn't a major hassle to submit to Microsoft, I'm happy to do it again if needed.
Comment 35•4 years ago
(In reply to Bryce Seager van Dyk (:bryce) from comment #32)
(In reply to erosman from comment #31)
mozregression 4.0.15
I get the error from Firefox Nightly.
That's Google's safe browsing list giving a false positive. I've submitted a request to them, but the situation is pretty opaque, and since I don't own github (if you own the site, Google have some more tooling available) it's hard to know if any progress has been made.
How is "Google safe browsing list" related to Firefox? Is that a specific AMO addon?
(In reply to Dan from comment #35)
How is "Google safe browsing list" related to Firefox? Is that a specific AMO addon?
It's part of the browser, no addon required. See https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#w_how-does-phishing-and-malware-protection-work-in-firefox
Comment 37•4 years ago
It appears that the next version of pyinstaller has some fixes which should make it less likely to be picked up as a virus:
https://github.com/pyinstaller/pyinstaller/commit/93285ece5a02932c6dac8f018bf107e7618d7d3c
I'll try to spin a new version soon regardless. Unfortunately there are some other things I need to fix first (e.g. bug 1686039)
Comment 38•4 years ago
(In reply to Bryce Seager van Dyk (:bryce) from comment #36)
William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.
Hey Bryce, sorry for the delay. A new version of mozregression is available here: https://github.com/mozilla/mozregression/releases/tag/4.0.16
No problem and thanks!
I've just run the new installer on my Windows box and it seems happy -- no issues from Windows Defender. I'll keep an eye on it, and will submit to MS if I run into any issues or if folks report anything here.
Comment 40•4 years ago
Windows Defender giving me alerts for 4.0.16
Program:Win32/Ymacco.AA74
file: C:\Program Files (x86)\mozregression-gui\mozregression-gui.exe
file: C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
startup: C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
I noticed they started flagging the file after some delay (sadly, the safe browsing list seems to have flagged it too, so downloading the file causes issues too). I submitted the file to MS, but they seem to have been slow to action it, and my case went unresolved for 30 days after which it can no longer be queried. So I've resubmitted the file.
Comment 42•4 years ago
Will, if it's low overhead, could a new -pre version be built to help QA - they are having issues with the older (0.9x?) versions on new Windows 10 versions. Thank you.
Comment 43•4 years ago
Comment 44•4 years ago
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #42)
Will, if it's low overhead, could a new -pre version be built to help QA - they are having issues with the older (0.9x?) versions on new Windows 10 versions. Thank you.
:aryx, could you or someone else test this build:
https://ci.appveyor.com/project/wlach/mozregression/builds/39038592/artifacts
It should have the newer version of pyinstaller which will hopefully trigger fewer false positives.
Comment 45•4 years ago
Thanks for the quick turnaround, the program launches and bisecting works. A scan with Antivir didn't report issues. Shall the exe or installer be uploaded to virustotal?
Comment 46•4 years ago
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #45)
Thanks for the quick turnaround, the program launches and bisecting works. A scan with Antivir didn't report issues. Shall the exe or installer be uploaded to virustotal?
Ideally both, but let me cut a new release first. Will do this tomorrow
Comment 47•4 years ago
Just released 4.0.17 which might be less susceptible to being picked up as a virus due to https://github.com/mozilla/mozregression/pull/857:
https://github.com/mozilla/mozregression/releases/tag/4.0.17
If people want to submit this one to the various anti-virus places, I would appreciate it.
If people want to submit this one to the various anti-virus places, I would appreciate.
Can do for Microsoft. I think my resubmission of the 4.0.16 executable has now been approved by them. Will keep an eye on 4.0.17 to see if it starts getting flagged. If anyone notices it being flagged and I haven't made a comment about submitting it, feel free to NI me to prompt me to do so.
Comment 49•4 years ago
virustotal.com reports the following suites as flagging the installer:
- SecureAge APEX: Malicious
- Cybereason: Malicious.bd81cf
- FireEye: Generic.mg.29590d0714f37d0c
- GData: Win32.Trojan.PSE.IHZW2J
- Zillya: Trojan.Agent.Script.1086024
Highlighted calls are:
- GetTickCount
- GetSystemMetrics
- SetFileTime
13/69 AV suites flag the mozregression-gui.exe.
Comment 50•3 years ago
Hello Bryce!
Hope these lines find you well.
https://github.com/mozilla/mozregression/releases/download/4.0.17/mozregression-gui.exe is still flagged as https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fZpevdo.B&threatid=2147729093
Can you please submit it?
Thanks!
Alex
(In reply to alex_mayorga from comment #50)
Hello Bryce!
Hope these lines find you well.
https://github.com/mozilla/mozregression/releases/download/4.0.17/mozregression-gui.exe is still flagged as https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fZpevdo.B&threatid=2147729093
Can you please submit it?
Thanks!
Alex
Thank you for the heads up. I have submitted the file. I'll report back if I hear from Microsoft.
I see the same issue locally, but the identification of the file appears unstable -- I can get different results from different scans of it. Hopefully the submission takes care of all of them.
Thank you for the heads up. I have submitted the file. I'll report back if I hear from Microsoft.
Submission has come back and file should be cleared. Local tests are okay -- installer runs without issue, installed mozregression-gui runs without issue. Feel free to NI me if issues crop up.
Comment 53•3 years ago
Windows Defender giving me alerts for mozregression release 4.0.18
Identified Program:Win32/Zpevdo.B
affected files:
file: C:\Program Files (x86)\mozregression-gui\mozregression-gui.exe
file: C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
startup: C:\Users*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
I'm seeing the same described in comment #53, does it mean 4.0.18 should also be submitted to Microsoft?
(In reply to Kagami :saschanaz from comment #54)
I'm seeing the same described in comment #53, does it mean 4.0.18 should also be submitted to Microsoft?
Sounds like it should. I've been meaning to, but have been a bit bogged down. I'll try and look at getting it done early next week. Holding NI.
Submitted the exe from 4.0.18. Will update should I hear back.
(In reply to Bryce Seager van Dyk (:bryce) - away until 2021.08.02 from comment #56)
Submitted the exe from 4.0.18. Will update should I hear back.
4.0.18 binary should now be clear for Windows defender rules.