Open Bug 1647533 Opened 4 years ago Updated 3 months ago

mozregression-gui.exe detected as Trojan:Win32/Zpevdo.B

Categories: Testing :: mozregression (defect)

Tracking: Not tracked

People: Reporter: valflaux, Assigned: zeid

Attachments: 4 files

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

Download mozregression for Windows from github : https://github.com/mozilla/mozregression/releases/download/4.0.6/mozregression-gui.exe
Scan the file with Windows Defender.

Actual results:

The file is detected as Trojan:Win32/Zpevdo.B

It's Trojan:Win32/Zpevdo.A and Trojan:Win32/Zpevdo.B for me.

Checksum for my mozregression-gui.exe from 4.0.6 release:
SHA1: 65533AEC46FDEC653159E362C737A788DA64B4EA
SHA256: 2720126B06D83C352FFFF55D9F0FCE7E09D4141E3ABD8AC1D12900F38032E282

I used this version yesterday and Windows Security did not prompt for any virus alerts.

Note:
I opened the program (4.0.6) and it still prompted for an update to 4.0.6. I checked the version in about and it said it's version 4.0.7.dev0+[a bunch of letters].

There's no virus alerts for 4.0.5.

(In reply to Fanolian from comment #1)

It's Trojan:Win32/Zpevdo.A and Trojan:Win32/Zpevdo.B for me.

Antivirus definition is Version 1.319.26.0.

Description of this update according to Microsoft:

The latest security intelligence update is:

Version: 1.319.26.0
Engine Version: 1.1.17200.2
Platform Version: 4.18.2005.5
Released: 6/23/2020 7:30:42 AM

More info about the update can be found at https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes

Unfortunately mozregression has some elements (as an executable program) indistinguishable from a virus; this is essentially the same issue as this one:

https://github.com/spesmilo/electrum/issues/4986#issuecomment-451385953

Rest assured that the rights to upload executables and packages to github and pypi are strictly controlled, and that mozregression itself should be as safe as any piece of open source software. The real solution to this is bug 1366570, but I don't have the time/resources to work on that myself.

I'll leave this open for now, since it is a "real" problem if not one that is easily solved by itself.

Depends on: 1366570

Looks like it may be possible to tell microsoft that we are not a virus:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide

We managed to tell Microsoft that geckodriver was not a virus, prior to it being signed, so there is evidence that can actually work :)

(In reply to William Lachance (:wlach) (use needinfo!) from comment #4)

Looks like it may be possible to tell microsoft that we are not a virus:

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/submission-guide

Gave this a try. According to their portal, "no malware was detected". <Shrug>. I'm going to follow up (just a little) on how possible it might be to create signed copies of mozregression, which would address this issue.

:whimboo did the signing stuff for geckodriver; we moved it in-tree to use the Mozilla signing key. idk if that's a reasonable thing to do with mozregression, but perhaps?

(In reply to James Graham [:jgraham] from comment #7)

:whimboo did the signing stuff for geckodriver; we moved it in-tree to use the Mozilla signing key. idk if that's a reasonable thing to do with mozregression, but perhaps?

Moving mozregression in-tree is probably a non-starter (at least for me), but maybe using codesigning might be possible if we moved mozregression's CI to taskcluster? I asked catlee about this in bug 1366570

The severity field is not set for this bug.
:wlach, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(wlachance)
Severity: -- → N/A
Flags: needinfo?(wlachance)

Severity: N/A → S2

Upgraded to pyinstaller 4.0 for 4.0.13, which seems to no longer be detected as a virus (probably because it has a slightly different signature). Of course this is not a long term fix.

Mozregression is being picked up as malware again. I tried to install it on Windows a few days ago and was unsuccessful in getting it to run. A user is also reporting it getting detected as a virus in bug 1668686.

It seems that the mozregression-gui.exe file is deleted right after download if using Cisco AMP 7.2.11.11804 antivirus and the file is displayed as a trojan virus.

Status: UNCONFIRMED → NEW
Ever confirmed: true

As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should workaround this problem. Mihai, could you give it a try?

https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts

Flags: needinfo?(mihai.boldan)

(In reply to William Lachance (:wlach) (use needinfo!) from comment #15)

As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should workaround this problem. Mihai, could you give it a try?

https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts

I was able to download the file and to install it. It seems that your fix is the solution.
Note that I tested this only with Cisco AMP 7.2.11.11804 antivirus.

Flags: needinfo?(mihai.boldan) → needinfo?(wlachance)

(In reply to Mihai Boldan, QA [:mboldan] from comment #16)

(In reply to William Lachance (:wlach) (use needinfo!) from comment #15)

As yet another workaround, I wrote up a quick experiment with running upx on the generated executable, which according to some reports online should workaround this problem. Mihai, could you give it a try?

https://ci.appveyor.com/project/wlach/mozregression/builds/35816082/artifacts

I was able to download the file and to install it. It seems that your fix is the solution.
Note that I tested this only with Cisco AMP 7.2.11.11804 antivirus.

Just released 4.0.15 with this change:

https://github.com/mozilla/mozregression/releases/tag/4.0.15

Flags: needinfo?(wlachance)

I'm seeing it flagged by Defender as Trojan:Win32/Wacatac.G!ml in 4.0.15.

I managed to investigate more and here is what I encountered:

  • I confirm that the 4.0.15 build can't be downloaded if Windows Defender is available, but if I use the try build from Comment 15, things are working just fine (build can be downloaded and installed).
  • Also with AVG antivirus there are some problems. Build is downloaded, but mozregression can't be installed if I use the 4.0.15 build.
  • Again, with AVG antivirus, mozregression can be downloaded from the link displayed in Comment 15 and the app can be installed, but a problem occurs when trying to open mozregression (mozregression-gui.exe). The executable file is automatically deleted by the antivirus.
  • With Kaspersky antivirus it seems that the file can be downloaded and installed without any problems.

Note that for testing these versions of antiviruses were used:

  • Kaspersky 11.0.1.90
  • AVG 20.8.3147
  • Windows Defender 4.18.2009.7

William, please let me know if I can help any further with the investigation.

Flags: needinfo?(wlachance)

4.0.15 is triggering antivirus for me too (I'm running AVG 20.8.3147 but Windows Defender is triggering too even though it's nominally off). The installer triggered Windows Defender but not AVG so I allowed the installation to proceed. However, the primary executable triggered AVG. In fact, I had to turn off anti-virus temporarily even just to upload the executable to VirusTotal (adding an exception for this file was not enough to allow upload).

Passing the unpacked executable to VirusTotal shows 19 engines detecting a problem with moderate confidence including mainstream AV products (AVG, Avira, BitDefender, Microsoft, Symantec), see https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/detection.

Looking at the behaviour in the antivirus sandbox (https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/behavior) shows enough suspicious behaviour (system registry keys written, system registry keys deleted, windows services terminated) that I am not prepared to run the executable (a Windows expert may be able to say these are all harmless, but they're not obviously clean).

In contrast 0.9.46 triggers just three obscure AV engines at low confidence, https://www.virustotal.com/gui/file/48682733dd4aaca242165e520ce7ba67ca9743fa07274ab49046c5406764f805/detection, and shows much more innocuous sandbox behaviour.

I'm going to try my bisection with 0.9.46 which doesn't have any AV issues.

Ok, it sounds like compressing with upx isn't really a solution...

(In reply to Steven Singer from comment #20)

...
Looking at the behaviour in the antivirus sandbox (https://www.virustotal.com/gui/file/c3ad4ed82927cd7af7acf420d1c1abce85c556162d6ea30a3851c0c7f2054538/behavior) shows enough suspicious behaviour (system registry keys written, system registry keys deleted, windows services terminated) that I am not prepared to run the executable (a Windows expert may be able to say these are all harmless, but they're not obviously clean).

That is indeed the file (the byte size matches what was produced by CI: https://ci.appveyor.com/project/wlach/mozregression/branch/master)

I suspect those are just default registry keys that would be set incidentally when an executable is run, though I don't blame you for being suspicious!

In contrast 0.9.46 triggers just three obscure AV engines at low confidence, https://www.virustotal.com/gui/file/48682733dd4aaca242165e520ce7ba67ca9743fa07274ab49046c5406764f805/detection, and shows much more innocuous sandbox behaviour.

0.9.46 was built using cxFreeze (https://cx-freeze.readthedocs.io/en/latest/) which is more obscure (and thus probably has fewer viruses/trojans created with it)

Talking with :glob, it sounds like what we might want to try is submit the .exe file to malware vendors to let them know it's harmless (signing, which I thought was the solution before might help with some, but not others).

Flags: needinfo?(wlachance)

Adding compression may trick some basic antiviruses but better antiviruses get "extra paranoid" once an .exe file is compressed. I wonder if you can ship a chocolatey package installing all the dependencies and ship plain Python files. https://chocolatey.org
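Why a packed binary draws more attention from a scanner, not less, can be seen from the file itself: a UPX-packed executable keeps tell-tale section names (UPX0, UPX1), carries a large section with no data on disk that the stub decompresses into at run time, and the section that does hold data has near-random byte statistics. The following is an added example for this thread, not code from mozregression, UPX or any AV vendor: it parses the PE section table directly and applies a simplified form of those three static heuristics. The 7.0 bits/byte entropy threshold and the sample images are assumptions for illustration, and build_fake_pe() only produces test input in the right header layout, not a loadable executable.

```python
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress,
SECTION_SIZE = struct.calcsize(SECTION_FMT)  # SizeOfRawData, PointerToRawData, ... (40 bytes)
UPX_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
HIGH_ENTROPY = 7.0             # assumed threshold; compressed/encrypted data sits close to 8.0


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (n_sections,) = struct.unpack_from("<H", image, coff + 2)    # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)     # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        name, vsize, _vaddr, rsize, rptr, _, _, _, _, _flags = struct.unpack_from(
            SECTION_FMT, image, table + i * SECTION_SIZE)
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": entropy(raw)})
    return sections


def packer_hints(image: bytes):
    """Reasons this image looks packed; an empty list means no hint fired."""
    hints = []
    sections = parse_sections(image)
    if {s["name"] for s in sections} & UPX_NAMES:
        hints.append("UPX section names present")
    for s in sections:
        label = s["name"].decode("ascii", "replace")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{label}: no raw data but {s['virtual_size']:#x} bytes reserved "
                         "at run time (unpacking target)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            hints.append(f"{label}: entropy {s['entropy']:.2f} bits/byte "
                         "(compressed or encrypted payload)")
    return hints


def looks_packed(image: bytes) -> bool:
    return bool(packer_hints(image))


def build_fake_pe(sections):
    """Constructed test input: minimal headers plus (name, virtual_size, raw_bytes) sections.
    No optional header, no entry point; it parses but would never load."""
    header_len = 0x40 + 4 + 20 + SECTION_SIZE * len(sections)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, body, raw_ptr, vaddr = b"", b"", header_len, 0x1000
    for name, vsize, raw in sections:
        table += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr,
                             len(raw), raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        vaddr += max(vsize, 0x1000)
        body += raw
    return bytes(dos) + b"PE\0\0" + coff + table + body


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        for hint in packer_hints(f.read()) or ["no packer hints"]:
            print(hint)
```

Running packer_hints() over the same build before and after UPX shows what a scanner's static stage sees: the unpacked PyInstaller output has ordinary section names and moderate entropy, the packed one trips all three rules at once.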

This is still a problem with mozregression 4.0.15. Firefox and Windows Defender block the download of the mozregression installer. If I work around the download block and run the installer, Windows Defender then blocks the installed mozregression-gui.exe in Program Files.

Windows Defender classifies mozregression-gui.exe as:

Trojan:Win32/CryptInject!ml
Trojan:Win32/Ymacco.AAA7
Trojan:Win32/Zpevdo.B

4.0.15 SHA-256:
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
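The 4.0.15 checksum quoted just above deserves a second look: E3B0C442...B855 is the SHA-256 of zero bytes, so whatever was hashed was an empty file, most likely because Defender had already removed or truncated it before the hash was taken. A checksum verifier should therefore report the empty digest as "nothing to verify" rather than as a plain mismatch. The block below is an added example written for this thread, not code from mozregression or from anyone in the bug; the 4.0.6 reference digest is the one Fanolian posted, and the "abc" digests are the standard SHA test vectors.

```python
import hashlib
import hmac

# SHA-256 of zero bytes. Seeing this as a "file checksum" means the file was
# empty when hashed (e.g. already quarantined), not that it matched anything.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Reference digest posted in this bug for the 4.0.6 mozregression-gui.exe.
EXPECTED_4_0_6_SHA256 = "2720126b06d83c352ffff55d9f0fce7e09d4141e3abd8ac1d12900f38032e282"


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory buffer with any algorithm hashlib supports."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hex digest of a file, streamed so a large installer need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verdict(actual_sha256: str, expected_sha256: str) -> str:
    """'empty' if the computed digest is that of zero bytes, 'match' on a
    constant-time equality with the published digest, else 'mismatch'."""
    actual = actual_sha256.lower()
    expected = expected_sha256.lower()
    if actual == EMPTY_SHA256:
        return "empty"
    if hmac.compare_digest(actual, expected):
        return "match"
    return "mismatch"


def check_bytes(data: bytes, expected_sha256: str) -> str:
    return verdict(digest_bytes(data), expected_sha256)


def check_file(path: str, expected_sha256: str) -> str:
    return verdict(digest_file(path), expected_sha256)


if __name__ == "__main__":
    import sys
    path, expected = sys.argv[1], sys.argv[2]
    print(f"{path}: sha1={digest_file(path, 'sha1')} sha256={digest_file(path)} "
          f"-> {check_file(path, expected)}")
```

Usage: `python check_release.py mozregression-gui.exe 2720126b...e282` prints both digests (the bug reports SHA-1 as well as SHA-256) and one of `match`, `mismatch` or `empty`.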

Still hits 4.0.15 on W10 for me as well (will attach screenshot).

mozregression Gui version 4.0.15
Windows version 20H2 19042.746
Antimalware Client Version: 4.18.2011.6
Engine Version: 1.1.17700.4
Antivirus Version: 1.329.3163.0
Antispyware Version: 1.329.3163.0

I've submitted the most recent installer and gui executable (post install) to Microsoft for analysis as false positives (via https://www.microsoft.com/en-us/wdsi/filesubmission). I'll report back if I hear anything.


(In reply to Richard Leger from comment #27)

Created attachment 9200950: mozregression-gui-exe-contains-virus.png

I tried to download the latest version 4.0.15 of mozregression-gui.exe for Windows as released on 21 Oct 2020 in Firefox and it is detected as a virus by Firefox itself... I do use Windows Defender as AV...

Looks like a false positive due to the safe browsing lists used for detection[0]. I'm not familiar with this, but have attempted to submit a false positive report. If we keep seeing this behaviour I'll see if I can prod some more.

[0] https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work

(In reply to Bryce Seager van Dyk (:bryce) from comment #28)

I've submitted the most recent installer and gui executable (post install) to Microsoft for analysis as false positives (via https://www.microsoft.com/en-us/wdsi/filesubmission). I'll report back if I hear anything.

Microsoft have followed up for both cases and state the detection of these cases should be removed. I'm not sure how fast the definitions roll out, but will keep an eye out to see if these stop getting picked up in the near future.

Edit: Part of the instructions from Microsoft include the following to clear my cached entries

  1. Open command prompt as administrator and change directory to C:\Program Files\Windows Defender
  2. Run "MpCmdRun.exe -removedefinitions -dynamicsignatures"
  3. Run "MpCmdRun.exe -SignatureUpdate"

I was still having issues until I did this, and now the files no longer appear to be picked up. My hope is that this happens without prompting at some point and the above steps just speed up the process.

Attached image mozregression.jpg

mozregression 4.0.15

I get the error from Firefox Nightly.

(In reply to erosman from comment #31)

Created attachment 9206942: mozregression.jpg

mozregression 4.0.15

I get the error from Firefox Nightly.

That's Google's safe browsing list giving a false positive. I've submitted a request to them, but the situation is pretty opaque, and since I don't own github (if you own the site, Google have some more tooling available) it's hard to know if any progress has been made.


William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.

Flags: needinfo?(wlachance)

(In reply to Bryce Seager van Dyk (:bryce) from comment #32)

William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.

What do you think about doing a new release? There have been some minor improvements since 4.0.15. I don't know how much trouble it is to resubmit to Windows defender though.

Flags: needinfo?(wlachance)

That sounds good too. It wasn't a major hassle to submit to Microsoft, I'm happy to do it again if needed.

(In reply to Bryce Seager van Dyk (:bryce) from comment #32)

(In reply to erosman from comment #31)

mozregression 4.0.15

I get the error from Firefox Nightly.

That's Google's safe browsing list giving a false positive. I've submitted a request to them, but the situation is pretty opaque, and since I don't own github (if you own the site, Google have some more tooling available) it's hard to know if any progress has been made.

How is "Google safe browsing list" related to Firefox? Is that a specific AMO addon?

Flags: needinfo?(bvandyk)

(In reply to Dan from comment #35)

How is "Google safe browsing list" related to Firefox? Is that a specific AMO addon?

It's part of the browser, no addon required. See https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#w_how-does-phishing-and-malware-protection-work-in-firefox

Flags: needinfo?(bvandyk)

It appears that the next version of pyinstaller has some fixes which should make it less likely to be picked up as a virus:

https://github.com/pyinstaller/pyinstaller/commit/93285ece5a02932c6dac8f018bf107e7618d7d3c

I'll try to spin a new version soon regardless. Unfortunately there are some other things I need to fix first (e.g. bug 1686039)

(In reply to Bryce Seager van Dyk (:bryce) from comment #36)

William, since 4.0.15 is still getting flagged in some cases, and the download is flagged by Google, could we remove it and fall back to 4.0.14? Both releases are no longer being flagged by Windows Defender as far as I can tell, and 4.0.14 has the benefit that Google doesn't have a false positive for it.

Hey Bryce, sorry for the delay. A new version of mozregression is available here: https://github.com/mozilla/mozregression/releases/tag/4.0.16

No problem and thanks!

I've just run the new installer on my Windows box and it seems happy -- no issues from Windows Defender. I'll keep an eye on it, and will submit to MS if I run into any issues or if folks report anything here.

Windows Defender giving me alerts for 4.0.16

Program:Win32/Ymacco.AA74
file: C:\Program Files (x86)\mozregression-gui\mozregression-gui.exe
file: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
startup: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk

I noticed they started flagging the file after some delay (sadly, the safe browsing list seems to have flagged it too, so downloading the file causes issues too). I submitted the file to MS, but they seem to have been slow to action it, and my case went unresolved for 30 days after which it can no longer be queried. So I've resubmitted the file.

Will, if it's low overhead, could a new -pre version be built to help QA - they are having issues with the older (0.9x?) versions on new Windows 10 versions. Thank you.

Flags: needinfo?(wlachance)

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #42)

Will, if it's low overhead, could a new -pre version be built to help QA - they are having issues with the older (0.9x?) versions on new Windows 10 versions. Thank you.

:aryx, could you or someone else test this build:

https://ci.appveyor.com/project/wlach/mozregression/builds/39038592/artifacts

It should have the newer version of pyinstaller which will hopefully trigger less false positives.

Flags: needinfo?(wlachance) → needinfo?(aryx.bugmail)

Thanks for the quick turnaround, the program launches and bisecting works. A scan with Antivir didn't report issues. Shall the exe or installer be uploaded to virustotal?

Flags: needinfo?(aryx.bugmail)

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #45)

Thanks for the quick turnaround, the program launches and bisecting works. A scan with Antivir didn't report issues. Shall the exe or installer be uploaded to virustotal?

Ideally both, but let me cut a new release first. Will do this tomorrow

Just released 4.0.17 which might be less susceptible to being picked up as a virus due to https://github.com/mozilla/mozregression/pull/857:

https://github.com/mozilla/mozregression/releases/tag/4.0.17

If people want to submit this one to the various anti-virus places, I would appreciate.

If people want to submit this one to the various anti-virus places, I would appreciate.

Can do for Microsoft. I think my resubmission of the 4.0.16 executable has now been approved by them. Will keep an eye on 4.0.17 to see if it starts getting flagged. If anyone notices it being flagged and I haven't made a comment about submitting it, feel free to NI me to prompt me to do so.

virustotal.com reports the following suites as flagging the installer:

  • SecureAge APEX: Malicious
  • Cybereason: Malicious.bd81cf
  • FireEye: Generic.mg.29590d0714f37d0c
  • GData: Win32.Trojan.PSE.IHZW2J
  • Zillya: Trojan.Agent.Script.1086024

Highlighted calls are:

  • GetTickCount
  • GetSystemMetrics
  • SetFileTime

13/69 AV suites flag the mozregression-gui.exe.

(In reply to alex_mayorga from comment #50)

Hello Bryce!

Hope these lines find you well.

https://github.com/mozilla/mozregression/releases/download/4.0.17/mozregression-gui.exe is still flagged as https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3aWin32%2fZpevdo.B&threatid=2147729093

Can you please submit it?

Thanks!
Alex

Thank you for the heads up. I have submitted the file. I'll report back if I hear from Microsoft.

I see the same issue locally, but the identification of the file appears unstable -- I can get different results from different scans of it. Hopefully the submission takes care of all of them.

Flags: needinfo?(bvandyk)

Thank you for the heads up. I have submitted the file. I'll report back if I hear from Microsoft.

Submission has come back and file should be cleared. Local tests are okay -- installer runs without issue, installed mozregression-gui runs without issue. Feel free to NI me if issues crop up.

Windows Defender giving me alerts for mozregression release 4.0.18

Identified Program:Win32/Zpevdo.B

affected files:
file: C:\Program Files (x86)\mozregression-gui\mozregression-gui.exe
file: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk
startup: C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\mozregression-gui\mozregression-gui.lnk

I'm seeing the same described in comment #53, does it mean 4.0.18 should also be submitted to Microsoft?

Flags: needinfo?(bvandyk)

(In reply to Kagami :saschanaz from comment #54)

I'm seeing the same described in comment #53, does it mean 4.0.18 should also be submitted to Microsoft?

Sounds like it should. I've been meaning to, but have been a bit bogged down. I'll try and look at getting it done early next week. Holding NI.

Submitted the exe from 4.0.18. Will update should I hear back.

Flags: needinfo?(bvandyk)

(In reply to Bryce Seager van Dyk (:bryce) - away until 2021.08.02 from comment #56)

Submitted the exe from 4.0.18. Will update should I hear back.

4.0.18 binary should now be clear for Windows defender rules.

See Also: → 1860390

The only way to fix this is for the mozregression devs to submit mozregression .exe to https://www.microsoft.com/en-us/wdsi/filesubmission . Can you please do this, zeid?

Flags: needinfo?(zeid)

Working on this. I am also checking to see if there is an alternative to the way we are bundling it to prevent this in a more robust way.

Flags: needinfo?(zeid)
Assignee: nobody → zeid

Another thing we could do is to add an automatic VirusTotal check upon each release, which at least will alert us of possible virus/malware detection before distributing the signed binaries; then we can manually submit those binaries to Microsoft via the malware analysis tool as needed. This will only pick up issues that are detectable at release time, but it might reduce the amount of unexpected issues after release.

Depends on: 1881777
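One concrete shape for the release-time VirusTotal check proposed in the comment above, written here as an added example and not as mozregression's own CI code: hash the built artifact, look the hash up with VirusTotal's v3 files endpoint, and fail the release job when more engines than an agreed threshold flag it, printing each objecting engine and its label so the binary can be submitted as a false positive to the right vendor (Microsoft's portal, in this bug's case). The endpoint path, the x-apikey header and the last_analysis_stats / last_analysis_results fields are VirusTotal's public v3 API; the thresholds, the exit-code convention and SAMPLE_REPORT are assumptions made for this example, and the sample uses engine names and labels that appear in this bug rather than a real response.

```python
import hashlib
import json
import sys
import urllib.error
import urllib.request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def fetch_report(sha256: str, api_key: str):
    """GET /files/{hash}: the report if VirusTotal already knows this exact file, else None.
    A lookup never uploads anything; an unknown release has to be submitted first
    (POST /files, multipart upload), which makes the binary public on VirusTotal."""
    req = urllib.request.Request(f"{VT_API}/files/{sha256}", headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def evaluate_report(report: dict, max_malicious: int = 0, max_suspicious: int = 0) -> dict:
    """Decide whether a report is acceptable for release and list which engines object."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, r.get("result") or r.get("category"))
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    scanned = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    return {
        "ok": malicious <= max_malicious and suspicious <= max_suspicious,
        "malicious": malicious,
        "suspicious": suspicious,
        "scanned": scanned,
        "flagged": flagged,
    }


# Constructed sample in the shape of a v3 file report (not a real VirusTotal response).
SAMPLE_REPORT = {
    "data": {"type": "file", "id": "0" * 64, "attributes": {
        "last_analysis_stats": {"malicious": 2, "suspicious": 1, "undetected": 60,
                                "harmless": 0, "timeout": 0},
        "last_analysis_results": {
            "Microsoft": {"category": "malicious", "result": "Trojan:Win32/Zpevdo.B"},
            "GData": {"category": "malicious", "result": "Win32.Trojan.PSE.IHZW2J"},
            "SecureAge APEX": {"category": "suspicious", "result": None},
            "Kaspersky": {"category": "undetected", "result": None},
        },
    }},
}


def gate(path: str, api_key: str, max_malicious: int = 0) -> int:
    """CI exit status: 0 = clear to publish, 1 = flagged (go submit false positives),
    2 = not known to VirusTotal yet (upload it, then re-run)."""
    report = fetch_report(sha256_file(path), api_key)
    if report is None:
        print(f"{path}: not known to VirusTotal; upload it first", file=sys.stderr)
        return 2
    v = evaluate_report(report, max_malicious=max_malicious)
    for engine, label in v["flagged"]:
        print(f"{path}: {engine} -> {label}", file=sys.stderr)
    print(f"{path}: {v['malicious']} malicious / {v['suspicious']} suspicious "
          f"of {v['scanned']} engines")
    return 0 if v["ok"] else 1


if __name__ == "__main__":
    sys.exit(gate(sys.argv[1], sys.argv[2]))
```

As the comment notes, this only catches what is detectable at release time; the thread shows detections appearing days after a release as cloud and ML signatures (the `!ml` suffixes) catch up, so the same lookup is worth re-running on a schedule against the published release hashes, which costs one API call per artifact and no upload.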