Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Attempt to prevent false positive detections by Windows Defender #443

Merged
merged 40 commits into from
Mar 7, 2024

Conversation

kachick
Copy link
Owner

@kachick kachick commented Mar 7, 2024

Resolves Closes #442

Partially revert 8d23e76 to debug #442
@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

~ psh
> cd "\\wsl.localhost\Ubuntu-22.04\home\kachick\repos\dotfiles"

kachick\repos\dotfiles via 🐹 v1.22.1 psh
> go build
go: RLock go.mod: Incorrect function.

golang/go#37461 🙄
golang/go#48572

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

cp -r "\\wsl.localhost\Ubuntu-22.04\home\kachick\repos\dotfiles" .\tmp\
cd .\tmp\dotfiles\
go build -o dist ./...
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File .\dist\winit-conf.exe
Scan starting...
CmdTool: Failed with hr = 0x80508023. Check C:\Users\YOU\AppData\Local\Temp\MpCmdRun.log for more information

https://learn.microsoft.com/ja-jp/powershell/scripting/learn/shell/running-commands?view=powershell-7.4|

https://answers.microsoft.com/en-us/windows/forum/all/error-code-0x80508023-with-windows-defender/3b37fc4d-8763-445d-9319-3e9b5a27800d

https://jikkenjo.net/1788.html

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
! & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\mksym.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\mksym.exe found no threats.

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
! & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\winit-conf.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\winit-conf.exe found no threats.

dotfiles rebel-for-ms-cop(e385403)  ≡via 🐹 v1.22.1 psh
> & "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "$(pwd)\dist\winit-reg.exe"
Scan starting...
Scan finished.
Scanning C:\Users\YOU\tmp\dotfiles\dist\winit-reg.exe found no threats.

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

💭 Getting GitHub artifact needs the auth header https://docs.github.com/ja/rest/actions/artifacts?apiVersion=2022-11-28#get-an-artifact, I want release #417

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050

Signature update started . . .
Service Version: 4.18.24010.12
Engine Version: 1.1.24020.9
AntiSpyware Signature Version: 1.40[7](https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050#step:9:8).[8](https://github.com/kachick/dotfiles/actions/runs/8183096127/job/22375449050#step:9:9).0
AntiVirus Signature Version: 1.407.8.0
Signature update finished. No updates needed
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-conf_windows_amd64_v1\winit-conf.exe was skipped.
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-reg_windows_amd64_v1\winit-reg.exe was skipped.

🤔 Why skipped the 👮‍♂️

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

🎉

1987087

Signature update started . . .
Service Version: 4.18.24010.12
Engine Version: 1.1.24020.[9](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:9:10)
AntiSpyware Signature Version: 1.407.8.0
AntiVirus Signature Version: 1.407.8.0
Signature update finished. No updates needed
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-conf_windows_amd64_v1\winit-conf.exe found no threats.
Scan starting...
Scan finished.
Scanning D:\a\dotfiles\dotfiles\dist\winit-reg_windows_amd64_v1\winit-reg.exe found no threats.

💭 But ... why detected in my client with same logic binary...

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

With the provided path, there will be 2 files uploaded
Artifact name is valid!
Root directory input is valid!
Beginning upload of artifact content to blob storage
Uploaded bytes 1444426
Finished uploading artifact content to blob storage!
SHA256 hash of uploaded artifact zip is 21f71e16e3ccea63dbd5d1fe72fc0b4eecb[9](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:10)5dce90cb00022238a865a9e3d020
Finalizing artifact upload
Artifact winit.zip successfully finalized. Artifact ID [13](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:14)04707506
Artifact winit has been successfully uploaded! Final size is [14](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:15)44426 bytes. Artifact ID is 1304707506
Artifact download URL: https://github.com/kachick/dotfiles/actions/runs/8[18](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:8:19)3[1](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:1)96[4](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:5)02/artifacts/1304707[5](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:6)0[6](https://github.com/kachick/dotfiles/actions/runs/8183196402/job/22375703758?pr=443#step:11:7)

Still detect for this zip 😠

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -DynamicSignatures

It removes all dynamic signatures and & "C:\Program Files\Windows Defender\MpCmdRun.exe" -SignatureUpdate does NOT append again 🤣

Then my artifact will not be detected as CI, so this is the guilty reason...

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

I need MS help to beat MS

スクリーンショット 2024-03-07 154430

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

image

You're welcome. Here is the translation of my answer in English:

Dynamic Signatures are a feature that allows you to download definitions to deal with new threats through a cloud-based service called Microsoft SpyNet. To enable Dynamic Signatures, you need to turn on cloud-based protection and automatic sample submission in Windows Security settings. By enabling Dynamic Signatures, Windows Defender can provide more advanced protection.

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

スクリーンショット 2024-03-07 155517

Enabling all, but empty list

Toggled some options and wait some times, the list appeared again. I didn't know which option is the treasure...

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

image

Hello, this is Copilot. Let's talk about MpCmdRun.exe and Dynamic Signatures.

You are correct that `MpCmdRun.exe -ListAllDynamicSignatures` lists the enabled Dynamic Signatures, which are definitions that are downloaded from Microsoft SpyNet to deal with new threats¹. You can also use `MpCmdRun.exe -AddDynamicSignature` to load Dynamic Signatures from a local file or a network share².

The -PATH parameter of AddDynamicSignature specifies the location of the Dynamic Signature file that you want to load. The file must be in the CAB format and contain a valid signature set². You can obtain such a file from Microsoft or create your own using the Dynamic Signature Authoring Tool³.

The SignatureSet ID that is shown by ListAllDynamicSignatures is a unique identifier for each Dynamic Signature that is loaded. You can use this ID to remove a specific Dynamic Signature using the command `MpCmdRun.exe -RemoveDynamicSignature -SignatureSetID <ID>`².

I hope this helps you understand how to use MpCmdRun.exe and Dynamic Signatures. If you have any other questions, please let me know.

ソース: Bing との会話 2024/3/7
([1](https://learn.microsoft.com/ja-jp/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide)) コマンドラインを使用して Microsoft Defender ウイルス対策を管理 .... https://learn.microsoft.com/ja-jp/microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus?view=o365-worldwide.
([2](https://wa3.i-3-i.info/word13502.html)) MpCmDRun.exeとは|「分かりそう」で「分からない」でも .... https://wa3.i-3-i.info/word1350[2](https://wa3.i-3-i.info/word13502.html).html.
([3](https://news.mynavi.jp/article/win10tips-410/)) Windows Defenderの定義ファイルを手動で更新する - マイナビ .... https://news.mynavi.jp/article/win10tips-410/.
(4) Windows Defenderをコマンド操作しよう | nobwak's Lair. https://nobwak.github.io/posts/windows-defender%E3%8[2](https://wa3.i-3-i.info/word13502.html)%92%E3%82%B3%E3%83%9E%E3%83%B3%E3%83%89%E6%93%8D%E4%BD%9C%E3%81%97%E3%82%88%E3%81%86/.
(5) Microsoft Defender ウイルス対策をコマンドで操作する方法 .... https://4thsight.xyz/8270.

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

image

Hello, this is Copilot. I'm glad you found the reference helpful. Of course, you can ask more questions.

[According to the web search results](https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/)¹², Windows Server 2022 is now available on GitHub-hosted runners, and it supports Visual Studio 2022 and Windows PowerShell 7.2. However, it seems that Dynamic Signatures are not enabled by default on Windows Server 2022, unlike Windows [1](https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/)1.

To enable Dynamic Signatures on Windows Server [2](https://github.blog/changelog/2022-01-11-github-actions-jobs-running-on-windows-latest-are-now-running-on-windows-server-2022/)022, you need to do two things:

- First, you need to join the Microsoft SpyNet community, which is a cloud-based service that provides Dynamic Signatures to Windows Defender. You can do this by setting the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet\JoinMicrosoftSpyNet` to `1`³.
- Second, you need to configure the Windows Defender settings to allow cloud-based protection and automatic sample submission. You can do this by using the PowerShell cmdlets or the registry keys that I explained in my previous answer.

After doing these steps, you should be able to see the Dynamic Signatures in the output of `MpCmdRun.exe -ListAllDynamicSignatures`. You can also use the `Get-MpComputerStatus` cmdlet to check the status of the Dynamic Signatures⁴.

I hope this helps you understand how to enable Dynamic Signatures on Windows Server 2022. If you have any other questions, please let me know.

ソース: Bing との会話 2024/[3](https://github.com/github/roadmap/issues/241)/7
(1) GitHub Actions: Windows Server 2022 with Visual Studio 2022 .... https://github.blog/changelog/2021-11-16-github-actions-windows-server-2022-with-visual-studio-2022-is-now-generally-available-on-github-hosted-runners/.
(2) GitHub Actions: Jobs running on `windows-latest` are now .... https://github.blog/changelog/2022-01-11-github-actions-jobs-running-on-windows-latest-are-now-running-on-windows-server-2022/.
(3) Actions: Windows Server 2022 on GitHub-hosted runners #2[4](https://newreleases.io/project/github/actions/runner-images/release/win22%2F20240128.1)1. https://github.com/github/roadmap/issues/241.
(4) ️ Actions Runner Image: Windows Server 2022 - NewReleases.io. https://newreleases.io/project/github/actions/runner-images/release/win22%2F20240128.1.
(5) Trigger Windows22 CI · Workflow runs · actions/runner-images. https://github.com/actions/runner-images/actions/workflows/windows2022.yml.

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

image

@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

image

image

@kachick kachick mentioned this pull request Mar 7, 2024
@kachick
Copy link
Owner Author

kachick commented Mar 7, 2024

https://github.com/kachick/dotfiles/actions/runs/8188096063 detect - 956b773
https://github.com/kachick/dotfiles/actions/runs/8188170201 next artifact, not detect - 8eca3a6

956b773...8eca3a6 ??? 🤷‍♂️

Hmm... if #444 (comment)

Maybe he works for us as a linter 🤣

🙄 Then I wish to use it as a CLI...

@kachick kachick changed the title 🔥 👿 🐴 👮‍♂️ Attempt to prevent false positive detections by Windows Defender Mar 7, 2024
@kachick kachick marked this pull request as ready for review March 7, 2024 17:13
@kachick kachick merged commit 9d8ba9f into main Mar 7, 2024
9 checks passed
@kachick kachick deleted the rebel-for-ms-cop branch March 7, 2024 17:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Windows Defender false positive 🙄 detects my golang product as a Trojan Wacatac!ml😈
1 participant