Download security

Hi
Recently downloaded ART_1.19.3_Win64.exe on my laptop. Did the same on the desktop, 2 or maybe 3 weeks later. Yesterday Kaspersky quarantined the file on my desktop!
Today, with protection paused, downloaded ART_1.19.3_Win64.exe from Bitbucket and uploaded it to Kaspersky’s OpenTip facility. Kaspersky claimed that the file contained malicious software, namely ExploitWin32BypassUAC.hdqj and ExploitWin32BypassUAC.sb, all of which confirms the information in the quarantine notification.
Subsequently uploaded the original copy from my laptop, which has not been quarantined, and that was deemed clean.
It should be noted that the copy (clean) has size 70.1MB (73552469 bytes, 73555968 bytes on disk).
The copy (unclean) has size 70.1MB (73529542 bytes, 73535488 bytes on disk).
Am I being paranoid, or should one be worried? The detection delay does seem a little odd, as though detection has suddenly occurred following the latest definition update, but there is definitely something different between the first file downloaded and later ones. Whilst the installer file is seen as malicious, the actual installed application and everything else scans without issue.
Any advice welcome. Would love to see checksums!

Hi @Cumbria,
and thanks for the report! I don’t know much about Kaspersky, but:

The files are digitally signed, you can check the accompanying .asc files to see that the installer is the one I produced. This of course doesn’t mean that it is clean, but at least it should tell you who to blame… If the installer has not been tampered with, for sure it does not contain anything malicious on purpose, at least.

Thanks for the reply. As someone used to hash values and 2 minutes running a checksum app, I was not sure what exactly a signature file was, what it did, and how it was used. Put gpg on my Ubuntu laptop last night but did not get very far! Will try again.


Uploading ART_1.19.3_Win64.exe to Virus Total shows 3 detections of malicious software

Kaspersky ExploitWin32BypassUAC.hdgj

ZoneAlarm ExploitWin32BypassUAC.hdgj

Ikarus Trojan-dropperWin64.Agent

As only 3 out of 60 or so, probably false positive, but worth being aware.

You might see what Virustotal has to say. ISTR some use it for validation.

I’ve not seen any warnings from Windows Defender though.

I tried to download it to scan it but couldn’t…

Also got this from our corporate AV


I’m on Linux, but I don’t have any issues opening the site or downloading the latest windows executable.

The executable also seems to be fine when checking:


For me Chrome is the initial block, which often you can choose to ignore, but here there was no option; and then, because I am at work, our corporate AV, which is pretty sensitive, also flagged it…

Exe, script etc. get pretty high scrutiny, with good reason I guess… it is interesting that a specific trojan is listed… it would be nice to be confident that is false…

I’ll run a virus scan on the VM I used to build the installer when I have the chance. If you are in doubt, please refrain from downloading anything.

I think it’s something more about certificates again, or that sort of issue… I just looked at my downloads folder and I downloaded that file a few days ago on my work PC. So I was able to then. I also scanned it and it’s fine…

It seems more that on my end here Chrome and/or the corp AV don’t like the connection to the download link all of a sudden…

FWIW: VirusTotal


Yes, VirusTotal shows clear when you enter the URL as you obviously have. But if you actually upload the file itself, VirusTotal gives the 3 AV hits as previously mentioned.
Following analysis by Kaspersky, which detailed ExploitWin32BypassUAC, I tried to resubmit for more detailed analysis, but it repeatedly failed due to “size”.
Still believe it has something to do with recent definition updates. The file had been on the PC for a couple of weeks without issue. Now suddenly Kaspersky has decided it is malicious, so deletes it. It also intercepts and prevents any new attempt to download it again.

I’ve downloaded the EXE linked on the VirusTotal report page, reported to be clean, on a Linux machine, then uploaded the file, and also got a warning.

MD5 a49f226f1348066debdea764fe0261d6
SHA-1 9a184e9ff8806a789e1ed423179e68bcfd4a8d50
SHA-256 1e19575f971fd416c255cdbd0bb18222f990986f7ec6ddb5a7947c2ae8c31ced
Vhash 0770a6665d5c0d5d151c006016z631z25zbaz1003cz3
Authentihash 9651e28c696086c75a5dacf0c1caec3812c280f6b59fa3b5a28ee46ae967bc60
Imphash 5a594319a0d69dbc452e748bcf05892e
SSDEEP 1572864:soix8qOVR4CZQdxesXaiD4C4OlDf0P7HEEHYP5r:r/fVRKvegaE4C4MDLFP5r
TLSH T140F7336FB255723FC4AB1B3541B786A0587BAE9578178C6A13E0394ECF390211E3F64B 

For the clean URL, the following hash is found on the site:

SHA-256: 1e19575f971fd416c255cdbd0bb18222f990986f7ec6ddb5a7947c2ae8c31ced
length: 73529542 bytes
Interestingly, that hash is the same as that of the ‘malicious’ file. The length is also the same as the ‘unclean’ file reported in the opening post.
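The two checks discussed in this thread, comparing the SHA-256 and length of the file on disk with the values published on the download page (as done in the post above), and verifying the accompanying .asc signature with gpg (as the developer suggested earlier), as an added example that is not code from the ART project or from anyone in this thread. It assumes, as a convention not stated in the thread, that the detached signature sits beside the installer as `<installer>.asc` and that the developer's public key has already been imported with `gpg --import`; the sample file it hashes when run stand-alone is constructed here and is not the installer.

```python
"""Added example (not code from the ART project): check a downloaded installer
against a published SHA-256 and length, and against a detached GPG signature.

Assumptions (not from the thread): the detached signature lives beside the
installer as <installer>.asc, and the developer's public key has already been
imported with `gpg --import`.
"""
import hashlib
import hmac
import os
import shutil
import subprocess
import tempfile

# Values quoted in the thread for ART_1.19.3_Win64.exe.
PUBLISHED_SHA256 = "1e19575f971fd416c255cdbd0bb18222f990986f7ec6ddb5a7947c2ae8c31ced"
PUBLISHED_LENGTH = 73529542

# Constructed sample for the stand-alone run; its SHA-256 is the well-known
# digest of the three bytes "abc". It is not the installer.
SAMPLE_BYTES = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a 70 MB installer is never read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_download(path, expected_sha256, expected_length=None):
    """Compare the file on disk with the published hash (and length, if known).

    A length match alone proves nothing; a hash mismatch means you do not hold
    the file the developer published, whatever verdict the AV gives.
    """
    actual_sha256 = sha256_of_file(path)
    actual_length = os.path.getsize(path)
    return {
        "sha256": actual_sha256,
        "length": actual_length,
        "sha256_ok": hmac.compare_digest(actual_sha256, expected_sha256.lower()),
        "length_ok": expected_length is None or actual_length == expected_length,
    }


def gpg_verify(installer_path, signature_path=None):
    """Verify a detached ASCII-armoured signature with the gpg CLI.

    Returns (ok, gpg_stderr). gpg exits 0 for a good signature even when the
    signing key is not marked trusted in your keyring, so also compare the key
    fingerprint it prints with one obtained from the developer over another
    channel. The hash check above tells you the download is intact; only this
    step tells you who produced it.
    """
    if signature_path is None:
        signature_path = installer_path + ".asc"  # assumed naming convention
    if shutil.which("gpg") is None:
        return False, "gpg not installed"
    result = subprocess.run(
        ["gpg", "--verify", signature_path, installer_path],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0, result.stderr


def write_sample_file():
    """Write the constructed sample bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    return path


if __name__ == "__main__":
    sample = write_sample_file()
    # Against its own digest the sample passes both checks.
    print(check_download(sample, SAMPLE_SHA256, expected_length=len(SAMPLE_BYTES)))
    # Against the real published values it must fail on both counts.
    print(check_download(sample, PUBLISHED_SHA256, expected_length=PUBLISHED_LENGTH))
    os.remove(sample)
```

Run `check_download("ART_1.19.3_Win64.exe", PUBLISHED_SHA256, PUBLISHED_LENGTH)` on the actual download to reproduce the comparison in the post above; a `sha256_ok` of True there says the quarantined file and the developer's published file are byte-identical, which is what makes an AV verdict on one of them a verdict on the other.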

I regenerated the installer with a newer version of InnoSetup. Now VirusTotal reports 1 threat, by Ikarus. It complains about this: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDropper:Win64/Agent!MSR&ThreatID=2147743258, which Windows Defender claims to be able to detect. I updated also Windows Defender and it says the file is clean…
It’s up to you I suppose to decide whether this is good enough, but as I wrote above in doubt please do not download anything. I can upload the new installer if people think it’s safer; other than that, I’m unsure what else I can do…


All points to a false positive which has come about after a recent update of the virus definitions. As stated, all was fine until the day before yesterday, when Kaspersky decided that ART_1.19.3_Win64.exe had malicious content, and from that moment on both my desktop and current laptop refused to store or download that file. To prove this, I have an old laptop whose Kaspersky definitions are out of date by maybe a month or more, and yesterday, using that laptop, I downloaded ART_1.19.3_Win64.exe and scanned it. Kaspersky reported it as clean.
When one considers how a virus scanner works I suppose false positives are inevitable. It is the price one pays for the scanner to be able to detect new or unknown viruses. But after years of using Kaspersky this is my first, and thus was a little alarming initially.
Still trying to get some info out of Kaspersky support.
Thanks for your interest and prompt reaction.

Update/closure:
Reported detection of malicious content to Kaspersky technical support. Subsequently much discussion, numerous emails, sending screenshots of their OpenTip analysis, a copy of the questionable ART_1.19.3_Win64.exe file itself made available to them via Dropbox. Was then informed that all submitted data and file had been forwarded to their “virus analysis team”.
Today I received the following email from them. Whilst no detail, they confirm that detection was a false positive as one had assumed, but comforting to hear that from them.
Actually quite impressed with Kaspersky: phoned on the morning of Fri 14th, and today, Mon 17th, they emailed their findings.

Kaspersky email:
“Dear customer,
Thank you for your patience.
We have just received an update from our experts and it was a false detection.
It will be fixed.
Thank you for your help.
Please feel free to let us know should you have further queries. We shall be happy to be of help.
Thank you for contacting Kaspersky Support and have a good day!

Obi || Customer Service Representative”
