We had a customer support call today saying their Delphi app wasn’t working. It was marked as
Trojan Bearfoos.A!ml - look out for the ‘ml’ at the end of the description.
I assume the machine learning was as sophisticated as ‘calls web site to check for updates, no URL matching to actual trojan, made in Delphi, no other matching file size etc - bing bing virus’
The joy!
Symptoms are the executable will disappear and you’ll see an entry in the Windows Defender history log. No alerts will appear on screen at all.
Were the apps in question code-signed? If they are signed, then it’s absolute nonsense for Defender to just blindly assume any executable is a virus. In fact, as long as the code certificate is valid and unrevoked then that should be the first level of “probably not a virus” versus the utter stupidity of heuristic detection which is basically a useless panacea from Defender tantamount to an admission that virus and trojan writers are fighting a war in which the bad guys have the upper hand.
Just had Defender decide that a file written in 2018 was infected with Trojan:Win32/Wacatac.B!ml
‘Simply’ signing the file fixed the ‘problem’.
Although now I realise I’m not going to sleep tonight wondering if our certificate is going to get revoked due to us being flagged as a ‘known spreader of viruses’.
As part of this fun I discovered a few ‘quirks’ of Defender:
If you ‘simply’ use ‘Allow on Device’ to get the app to work, you are actually allowing the virus to run on your computer (i.e. perhaps creating a real exposure, if the real virus arrives in another exe).
There is another way, sorry can’t ‘refind’ it now, of adding an exclusion that actually only creates a 48-hour-ish exclusion. It creates an explicit exclusion for the file/folder combo and it won’t appear in any Defender settings. You can find it in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths but you won’t be able to delete anything in there yourself.
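A read-only PowerShell triage that ties these observations together, added here as an example and not code from anyone in the thread: it checks whether the flagged executable carries a valid Authenticode signature, pulls the Defender detection history for that file and marks the !ml (ML heuristic) verdicts, and lists both the TemporaryPaths registry exclusions and the permanent exclusion paths. It assumes an elevated prompt on a machine with the Defender module, and $ExePath is a placeholder for the flagged build output.

```powershell
# Added example (not the thread's code): triage a Defender "!ml" hit on a build output.
# Assumes an elevated PowerShell with the Defender module; $ExePath is a placeholder.
param([string]$ExePath = 'C:\Builds\MyDelphiApp.exe')

function Get-SignatureState {
    param([string]$Path)
    # A quarantined file is already gone, which is the "executable disappears" symptom.
    if (-not (Test-Path $Path)) { return 'FileMissing (quarantined?)' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
    if ($sig.Status -eq 'Valid') {
        return "Valid: $($sig.SignerCertificate.Subject), expires $($sig.SignerCertificate.NotAfter)"
    }
    return [string]$sig.Status
}

function Get-DefenderHitsForFile {
    param([string]$Path)
    $leaf = [regex]::Escape((Split-Path $Path -Leaf))
    # Threat names come from Get-MpThreat; per-file detections from Get-MpThreatDetection.
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match $leaf } |
        ForEach-Object {
            [pscustomobject]@{
                When        = $_.InitialDetectionTime
                ThreatName  = $names[$_.ThreatID]
                IsMlVerdict = ($names[$_.ThreatID] -like '*!ml')   # heuristic/ML, not a signature
                Resource    = ($_.Resources -join '; ')
                ActionID    = $_.CleaningActionID
            }
        }
}

function Get-TemporaryExclusions {
    # The short-lived TemporaryPaths exclusions from the thread; read only, nothing is deleted.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\TemporaryPaths'
    try { (Get-Item -Path $key -ErrorAction Stop).GetValueNames() } catch { @() }
}

"Signature : $(Get-SignatureState $ExePath)"
'Detections:'; Get-DefenderHitsForFile $ExePath | Format-Table -AutoSize
'Temporary exclusions:'; Get-TemporaryExclusions
'Permanent exclusions:'; (Get-MpPreference).ExclusionPath
```

An empty signature line with a valid chain plus an !ml ThreatName is the pattern the thread describes; the permanent-exclusion list shows what ‘Allow on Device’ would have opened up for any file at that path.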