Virus concern

Seairth (Posts: 2,244), edited July 4 in Accessories
I just downloaded 32220-PropScope-USB-Software-207.zip, and Windows Defender immediately warned that it contained the trojan "Win32/Rundas.B". Can someone at Parallax confirm whether this is a false positive?


Edit: Good news. It seems to have been a false positive. After the next virus definition update installed, Defender no longer saw it as a threat. If you encounter a similar issue, just make sure the checksum matches the ones listed below.

Edit: Nope. I downloaded the wrong version. When I download the version in question, with the new definition file, I still get the warning.

Comments

  • Just downloaded 207 and 205 versions, to WIN10 machine, then scanned with Defender.
    Came up clean.

    Any chance your download interrupted before the end? Maybe try downloading again?
  • Seairth (Posts: 2,244), edited July 1
    Same as before. Downloads, then complains of same virus. I'm running a full system scan right now.

    Edit: 205 downloads just fine. It seems to be only 207 that Defender doesn't like.
  • Interesting. I'm checking for Defender version details in case yours differ....

    I get this...
    Last threat definition update: 7/1/2017

    The "%ProgramFiles%\Windows Defender\MpCmdRun.exe" version is:
    4.11.15063, dated 3/18/2017 9:56 PM

  • Publison (Posts: 9,772), edited July 1
    I had a couple of products from Hanno (Viewport, 12 Blocks) that reported a virus, but they installed just fine.

    I believe I was using AVG Free at the time.

    Infernal Machine
  • Publison wrote: »
    I had a couple of products from Hanno (Viewport, 12 Blocks) that reported a virus, but they installed just fine.

    OK, so the files could be packaged outside Parallax.

    AFAIK, Hanno used Visual Studio to develop his code. For one MS product to false-fail another is a tad concerning. Perhaps there's some "special" sealed 3rd party libraries included, which are causing the flag-waving.

  • Seairth (Posts: 2,244), edited July 1
    VonSzarvas wrote: »
    Interesting. I'm checking for Defender version details in case yours differ....

    I get this...
    Last threat definition update: 7/1/2017

    The "%ProgramFiles%\Windows Defender\MpCmdRun.exe" version is:
    4.11.15063, dated 3/18/2017 9:56 PM

    That appears to be the same for me (threat definition file is 1.247.388.0).

    Edit: I get the same behavior if I download with Edge instead of Chrome, so it doesn't appear to be something the browser is doing.

    And, unfortunately, Defender is just unilaterally deleting the download, so I can't take a closer look at it.

    Also, if I test the URL through Kaspersky's online scanner (and a few others), it reports clean.
  • Seairth (Posts: 2,244), edited July 1
    Ok. I was able to get the thing to download without being deleted. Can someone provide the SHA1 hash for the zip and/or exe inside it?

    Edit: I'm getting hashes ending with E9DF77DC for the exe and FF49033D for the zip.
  • Here goes:
    [two attached images]
  • *sigh* I wish I knew what was going on here. Checksums match, and I am presumably using the same exact virus definition file and version of Defender. So why am I getting different results???
  • I get the same results. It's not the first false positive Defender has encountered. Malwarebytes is okay with it.
    Windows Defender has taken action to protect this machine from malware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Rundas.B&threatid=2147720787&enterprise=0
    Name: Trojan:Win32/Rundas.B
    ID: 2147720787
    Severity: Severe
    Category: Trojan
    Path: containerfile:_C:\Users\jon\Desktop\32220-PropScope-USB-Software-207.zip;file:_C:\Users\jon\Desktop\32220-PropScope-USB-Software-207.zip->propscope207.exe;file:_C:\Users\jon\Desktop\32220-PropScope-USB-Software-207\propscope207.exe;webfile:_C:\Users\jon\Desktop\32220-PropScope-USB-Software-207.zip|https://www.parallax.com/sites/default/files/downloads/32220-PropScope-USB-Software-207.zip|chrome.exe
    Detection Origin: Local machine
    Detection Type: FastPath
    Detection Source: Downloads and attachments
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\Program Files\WinRAR\WinRAR.exe
    Action: Quarantine
    Action Status: No additional actions required
    Error Code: 0x00000000
    Error description: The operation completed successfully.
    Signature Version: AV: 1.247.459.0, AS: 1.247.459.0, NIS: 117.2.0.0
    Engine Version: AM: 1.1.13903.0, NIS: 2.1.13804.0

  • xanadu (Posts: 3,105), edited July 4
    Seairth wrote: »
    *sigh* I wish I knew what was going on here. Checksums match, and I am presumably using the same exact virus definition file and version of Defender. So why am I getting different results???

    I think this is why Defender has an issue with it. It has something to do with the archive, the .exe itself passes Defender scans.

    I just noticed you said the checksums match, I thought you said they didn't. Nevermind me...

  • VonSzarvas (Posts: 1,040), edited July 4
    @xanadu Your log shows:
    Process Name: C:\Program Files\WinRAR\WinRAR.exe

    Could that be something? I don't have WinRAR installed on my machine; rather 7z instead. Playing "spot the difference" here :)

    @Seairth What zip software do you get listed by Defender in the fail-report?


    Hmm.... Doesn't Win10 have its own unzipper.... why would Defender even use WinRAR for that?

    *sigh*2

  • xanadu (Posts: 3,105), edited July 4
    The .zip file on the website needs to be replaced. Re-zip the .exe and upload it to the server and problem solved.

    If I make my own zip of the .exe, Defender has no issues with it. Something about the original compression method sets off Defender; it has nothing to do with the .exe file, only the way it was compressed. I guess you could say Defender has a role in it as well.


    Arg, I had Defender off. Nevermind me *2
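As an added example (not code from the thread, from Parallax, or from any poster), here is a script that does what the thread does by hand: it hashes the archive and the .exe inside it so the trailing digits can be compared against short values like E9DF77DC and FF49033D, and it records each member's compression method and sizes to check xanadu's idea that the packaging rather than the .exe is what differs. The archive it inspects is a constructed in-memory stand-in, not the real 32220-PropScope-USB-Software-207.zip, and it also shows that re-zipping with a different method changes the archive hash while the member hash stays the same.

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the archive discussed in the thread; NOT the real
# 32220-PropScope-USB-Software-207.zip. The member name is the one from the
# Defender log; the bytes are a fake "MZ" stub, not the actual installer.
FAKE_EXE = b"MZ" + b"\x90" * 62 + b"constructed placeholder, not propscope207.exe"

METHOD_NAMES = {zipfile.ZIP_STORED: "stored", zipfile.ZIP_DEFLATED: "deflated",
                zipfile.ZIP_BZIP2: "bzip2", zipfile.ZIP_LZMA: "lzma"}


def build_sample_zip(method=zipfile.ZIP_DEFLATED) -> bytes:
    """Create an in-memory zip so the example runs offline (no download needed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("propscope207.exe", FAKE_EXE)
    return buf.getvalue()


def inspect_zip(data: bytes) -> dict:
    """Hash the whole archive and every member, and record how each member was packed."""
    report = {"archive": {"sha1": hashlib.sha1(data).hexdigest(),
                          "sha256": hashlib.sha256(data).hexdigest()},
              "members": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            payload = zf.read(info)  # CRC-32 is checked on read; a corrupt download raises BadZipFile
            report["members"][info.filename] = {
                "sha1": hashlib.sha1(payload).hexdigest(),
                "sha256": hashlib.sha256(payload).hexdigest(),
                "method": METHOD_NAMES.get(info.compress_type, str(info.compress_type)),
                "size": info.file_size,
                "compressed_size": info.compress_size,
            }
    return report


def matches_suffix(full_hash: str, posted_suffix: str) -> bool:
    """Compare a full hex digest against the short tail quoted in the thread (e.g. 'E9DF77DC').
    Fewer than 8 hex characters is too little to be meaningful, so that is rejected."""
    suffix = posted_suffix.strip().lower()
    return len(suffix) >= 8 and full_hash.lower().endswith(suffix)


if __name__ == "__main__":
    rep = inspect_zip(build_sample_zip())
    print("archive sha1 ends with", rep["archive"]["sha1"][-8:].upper())
    for name, m in rep["members"].items():
        print(f"{name}: sha1 ends with {m['sha1'][-8:].upper()}, method={m['method']}, "
              f"{m['compressed_size']}/{m['size']} bytes")
```

On a real file, read the downloaded zip's bytes and pass them to inspect_zip; Defender's container path in the log above (zip -> propscope207.exe) corresponds to the archive entry and the member entry in the report.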
