URGENT: Microsoft Defender detects malware in PingCastle version 3.5.1.31

[cerede2000]

Hello,
The new version PingCastle 3.5.1.31 has just been released, but it appears to cause a major security issue.

Microsoft Defender detects the presence of malware inside this release.

This is a critical problem because PingCastle is commonly used in enterprise and security-sensitive environments, and this detection prevents the tool from being safely downloaded, deployed, or executed.

Could you please urgently investigate this release and confirm whether:
This is a false positive from Microsoft Defender.
The published binary/package has been compromised.

A new clean release will be provided.

Hashes or signatures can be published to validate the integrity of the release.
For security reasons, we cannot deploy or use this version until the situation is clarified.

Thank you for treating this as urgent.
Best regards.

[JoeDibley]

Hi there,
I have one of our developers looking at this but generally speaking we often get false positives, especially on new releases until Microsoft catches up after a week or two.

We have some information here from previous times this has happened: https://docs.netwrix.com/docs/pingcastle/3_5#pingcastle-antivirus-detections

We will look to see if we can start adding hashes to releases in the future.

[cerede2000]

I completely understand. However, my company holds an Auditor license, and in a secured environment like ours, with EDR, XDR, antivirus, and highly sensitive monitoring, I cannot use the current version as-is when it triggers alerts in the SOC.

[JoeDibley]

Yep, I totally get it. Honestly, all versions of PingCastle should trigger in an environment like that as you wouldn't want any user running it. As I said, we have a developer looking into to it.

As you have the auditor license you should be able to go to the Netwrix Customer Portal and from there you should be able to download the zip and hashes for confirmation.

[An-dir]

Did you try to allow the signature? https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates

[RichardHNetwrix]

Following up on the investigation into this detection.

The detection Trojan:Win32/Tecabans.STV!cl (visible in the screenshot) is a cloud-delivered classification — the !cl
suffix means it came from Defender's cloud ML, not local signatures.

As of 26 May, Microsoft appears to have withdrawn this classification:

• VirusTotal rescan shows Microsoft as Undetected
• Local testing with updated signatures, PUA protection enabled, and cloud-delivered protection connected also shows
  clean

Recommended Actions

1. Update your Defender signatures (Update-MpSignature in PowerShell)
2. Re-download and scan the release — the detection should no longer occur
3. If the detection persists in your environment, it may be coming from a custom MDE indicator or policy — the
   allowlisting approach (https://learn.microsoft.com/en-us/defender-endpoint/indicator-certificates) linked above would
   be the recommended path.

[cerede2000]

My Microsoft Defender signatures are up to date:

I'm working on an unmanaged machine, in a Workgroup.

However, following your message, I just tried again to download version 3.5.1.31.

It is still blocked by MS Defender:

Thank you for the Microsoft procedure; however, it would be preferable if a tool of your reputation weren't detected in this way.

I work with various clients, and I'm hesitant to use this version with them for fear of alerting the SOC teams.

This is very frustrating for me.

[cerede2000]

Do you plan to fix this problem soon ?

VirusTotal PingCastle.exe goes back 10 :

I still can't use this version.

[RichardHNetwrix]

We've managed to reproduce the issue and found it's triggered specifically when downloading from GitHub. GitHub release assets are treated much more strictly by defender. Here is a direct download link to the Netwrix Hosted version which we haven't seen these detections on, even though the files are the same.

Download: https://releases.netwrix.com/products/pingcastle/3.5/pingcastle-standard-3.5.1.31.zip
Checksum: https://releases.netwrix.com/products/pingcastle/3.5/pingcastle-standard-3.5.1.31.zip.sha256.txt

We've submitted the 3.5.1.31 release to Microsoft for a false-positive review. Once Microsoft reclassifies it, the Trojan:Win32/Tecabans.STV!cl detection should be withdrawn, regardless of download source.

[cerede2000]

I confirm that even from the releases.netwrix.com link, Microsoft Defender raises the alert and immediately deletes the file.

Defender just updated:

At the moment, no changes have been taken into account on Microsoft's side.

[RichardHNetwrix]

We've created a test release build that should solve the problem. Can you please confirm if these links are now working for you?

https://releases.netwrix.com/products/pingcastle/3.5/pingcastle-standard-3.5.1.33.zip
https://releases.netwrix.com/products/pingcastle/3.5/pingcastle-standard-3.5.1.33.zip.sha512.txt

[JoeDibley]

@cerede2000 Please do let us know how you get on. If this is working for you without getting flagged we will look to get this merged into a small release so it won't impact others too

[cerede2000]

Hi
@JoeDibley, @RichardHNetwrix

Unfortunately, I am experiencing the same problem.

[JoeDibley]

We will have a new release out soon. We identified that it was specifically the addition of the CIM Hotfix helper so will remove that for the time-being whilst we see if we can re-implement without triggering Defender.