Trojan found via winget update #1867

Open
Sjoo90 opened this issue Aug 20, 2024 · 6 comments

Comments

@Sjoo90

Sjoo90 commented Aug 20, 2024

This came up for me when I ran winget update --all for Volta.Volta

It's Swedish, but I think you can figure it out.
[image]

@Sjoo90
Author

Sjoo90 commented Aug 20, 2024

[image]

@charlespierce
Contributor

Hi @Sjoo90, that's odd! The MSI was built by our CI job (like all of our other releases). Are there any more details about why that antivirus thinks it's a trojan?

@jsejcksn
Contributor

VirusTotal shows no detections of malicious behavior for that MSI artifact…

…but there is a note about potential false positive alerts that might be generated for the file:

⚠️ Matches rule Windows_API_Function from ruleset Windows_API_Function at https://github.com/InQuest/yara-rules-vt by InQuest Labs

This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted.

@Sjoo90 Does the SHA256 checksum match? (You can use the Get-FileHash PowerShell utility on Windows to generate checksums.) The expected hash is

61c49446a032c077695f922cefeddc96f546de2a5f4be043d8428ce44a1b90e8

@Sjoo90
Author

Sjoo90 commented Aug 21, 2024

[image]

After uninstalling and installing again via winget, I still get the trojan warning:
[image]

@charlespierce
Contributor

charlespierce commented Aug 21, 2024

Hi @Sjoo90, similar to @jsejcksn, I'm not seeing any issues with the installer. I cleared it out, installed from winget, then ran a full Windows Defender scan on my machine and found no vulnerabilities.

Given that the SHA matches the expected value (which I think is required by Winget anyway), my only hypothesis right now is that you're running into a false positive with the virus scan. If there are more details about what is found, that might help us understand why it's getting flagged as a false positive (though in my experience, virus scan programs are light on details to not give attackers more info than necessary on how to evade).

Edit: Another possibility - Could volta.exe be infected by something after the installation? Can you calculate the hash of the file on disk? I was able to get a SHA512 value using the following command:

certutil -hashfile 'C:\Program Files\Volta\volta.exe' SHA512

Which gave me the following hash on the file installed from Winget:

efc61525f634358f3cb4bacc1ef5b4f02d3985254038da61c5a86db74296583254a78bc9efb5bedd6246033551af3fcbe3f5196e95aea8c53a50f88d9bf70cb3

@charlespierce
Contributor

Alternatively, using Get-FileHash I get the SHA256 of volta.exe to be:

C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F
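The check the maintainers asked for above (hash the installed volta.exe, and the MSI if you still have it, and compare with the posted values) as one PowerShell script. This is an added example, not code from the Volta project or from anyone in this thread. It assumes the install path and the two SHA256 values quoted above, adds an Authenticode status lookup as extra evidence, and assumes that `winget show` prints an "Installer SHA256:" line (confirm that on your winget version); the function names are illustrative.

```powershell
# Added example (not code from the Volta project or from anyone in this thread):
# hash the installed volta.exe, and optionally the downloaded MSI, and compare
# against known-good SHA256 values as the maintainers asked the reporter to do.
# Assumptions: install path and hashes are the ones posted above; the function
# names are illustrative; 'winget show' printing an 'Installer SHA256:' line
# should be confirmed on your winget version.

param(
    # Optional path to the MSI that winget downloaded, if you kept a copy.
    [string] $InstallerPath
)

# Known-good values from the thread: the maintainer's SHA256 of the installed
# volta.exe, and the MSI SHA256 from the winget manifest at the time.
$KnownGoodFiles = @{
    'C:\Program Files\Volta\volta.exe' = 'C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F'
}
$InstallerSha256 = '61c49446a032c077695f922cefeddc96f546de2a5f4be043d8428ce44a1b90e8'

function Get-WingetInstallerSha256 {
    # Assumed output format: 'winget show' prints 'Installer SHA256: <64 hex>'.
    param([string] $Id = 'Volta.Volta')
    $hit = winget show --id $Id --exact 2>$null |
        Select-String -Pattern 'Installer SHA256:\s*([0-9A-Fa-f]{64})' |
        Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return $null
}

function Test-KnownGoodHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Result = 'missing'; Actual = $null; Signature = $null }
    }
    # Get-FileHash returns upper-case hex; string -eq is case-insensitive in
    # PowerShell, so a lower-case expected value (as posted above) still compares.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result = if ($actual -eq $ExpectedSha256) { 'match' } else { 'MISMATCH' }
    # Authenticode is extra evidence: 'Valid' means signed and unmodified since
    # signing; 'HashMismatch' means modified after signing; 'NotSigned' alone is
    # not suspicious, it just means the hash comparison is all you have.
    $sig = (Get-AuthenticodeSignature -FilePath $Path).Status
    [pscustomobject]@{ Path = $Path; Result = $result; Actual = $actual; Signature = $sig }
}

# If winget can report the current manifest hash, prefer it over the value
# from the thread, which was for the version current in August 2024.
$manifestHash = Get-WingetInstallerSha256
if ($manifestHash) { $InstallerSha256 = $manifestHash }

$results = @(
    foreach ($entry in $KnownGoodFiles.GetEnumerator()) {
        Test-KnownGoodHash -Path $entry.Key -ExpectedSha256 $entry.Value
    }
)
if ($InstallerPath) {
    $results += Test-KnownGoodHash -Path $InstallerPath -ExpectedSha256 $InstallerSha256
}

$results | Format-Table -AutoSize
if ($results.Result -contains 'MISMATCH') {
    # A mismatch on a file that winget verified at install time means it was
    # changed on disk afterwards, which is the case worth escalating.
    Write-Warning 'A file differs from its known-good hash; quarantine it and report the actual hash.'
}
```

Run it from an elevated PowerShell as `.\Check-Volta.ps1` (or with `-InstallerPath <msi>` if you still have the download). The point of separating the two checks is the one made in the thread: winget already verifies the MSI hash at install time, so a matching MSI plus a mismatching volta.exe on disk is the signal that something touched the file after installation, whereas matching hashes with a persisting AV alert points to a false positive to report to the AV vendor.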
