Replies: 7 comments

v2.5 does not trigger Windows Defender, so I have reverted back to that version.

Hm, that doesn’t sound good… 🤔 (“Win32/Uwamson.A!ml” seems to be a trojan.) I’ve quickly tried on Windows 10 with both the v2.5 and v2.6 binaries, and it seemed to work there without issues. But then again, I don’t know too well about all potential security features of Windows, so maybe it’s only a problem with specific security configurations? @vladdeSV is it correct that you only see this on one machine but not on another? It’s actually odd that this is dependent on the version, because there were no substantial changes between v2.5 and v2.6, especially no new sys-calls but purely functional changes. (Change set: v2.5...v2.6)

Right-clicking the v2.6 binary and selecting "Scan with Microsoft Defender" (on both my home PC and my work PC) gave the warning. No warnings appeared for the v2.5 version. Could there possibly be changes with the dependencies, or any of the tools which generated the executable?

(Sorry, forgot to mention) I am using Windows 10, build 1909 at work, and I believe the same at home. When I get home I will verify this.

The computer I tried yesterday had Avira installed instead of Defender (apparently you can only have one scanner installed), that’s why I couldn’t reproduce it. I just tried again with Defender, and I also see the “Win32/Uwamson.A!ml” alarm now – however, for both v2.5 and v2.6 🤔. Some background info about the build: the dependencies haven’t changed in quite a while. The binaries are built on GitHub in clean and disposable VMs (see here for the build of v2.6, for example). The Windows binary is built in an Ubuntu VM, not in a Windows VM, so the build VM cannot have been infected. I am pretty sure this is a false positive – the question is just how to convince Defender of this, because it would be cool to get rid of this alarm. One way I found was to submit the file for analysis at Microsoft, but I’m not sure how successful that’ll be, and I probably would need to repeat that process on every release. I might try it anyway…

Huh. That's odd. I scanned v2.5 on my work PC just now, and on my personal PC yesterday, which both gave the result of it being clean.
Let's hope the pattern which is used to identify that type of malware gets tweaked, so further binaries are not misidentified in the future.

The incorrect malware detection from has now been resolved, with Defender version 1.349.1263.0. You need to update Defender as described here. I had some trouble resetting the caches, though, to make the existing alert eventually go away. Even though I only submitted v2.6 for analysis, the alert also went away for v2.5. That’s a hopeful sign for future releases; I’ll nevertheless try to remember to check on the next release.

I noticed this on my work computer out of all places; v2.6 [35ee6cb] is flagged as malware by Windows. From Windows Defender: