Author Topic: Trojan:Win32/Critet.BS - False positive from Defender?  (Read 55438 times)


Boggin
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #25 on: March 21, 2018, 02:27:38 am »
I've removed your duplicate post.

There has always been the doubt that Kaspersky could be spying and even though there are denials from Kaspersky, I would think that if Putin ordered them to do it, there would be very little they could do to refuse given the power he has.

I don't have Kaspersky installed - I use Norton Security but have found the Kaspersky Rescue Disk very helpful in the past and while it scans the files for infections, it also seems to have some healing attributes.

As for MS and WR, it is my understanding from jpm's post that he or Shane will be contacting MS about this.

While it could be an inconvenience, you could do what Marcus5664 plans to do and that is to download and run the program in Safe Mode with Networking if/when you need to use it - it isn't or shouldn't be a program that you need to run regularly.

AFAIK it is a life time licence and not annual, so it won't expire.

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #26 on: March 23, 2018, 08:19:41 am »
OK all you tweaking virus experts, I think I'm back in the right place now. I hit the wrong button last time and double posted. Sorry !

We can all carry on about all the virus protection programs giving out false positives, but I'd like Shane or jpm to ponder this :

Why does v4.0.15 get flagged for the Critet virus but v4.0.14 DOES NOT  ??  Something ain't right

And to Boggin, Major Geeks should have v4.0.14. It works just fine.

fab

We do not know exactly why. It could be something as simple as pattern matching. I remember a friend had his credit card number detected as a virus because part of the numbers matched the hash on a known virus - true story. Heck Malwarebytes detected my personal photography as a virus a couple months back. Explain that one.

In this case a LOT of files were detected from a LOT of companies. All we know is that they all use VB -- so it had something to do with that.  But exactly what, no idea.  Our product is 100% clean. They were wrong and they aren't about to tell us why they were wrong for all the reasons you would suspect. It certainly isn't something we can prepare for either. Someone at MS made a mistake. They fixed it. But that is exactly how the antivirus world works.  Happens ALL the time.

It is better to have an AV than nothing - but really it is a lot of security theater.

Boggin
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #27 on: March 23, 2018, 09:59:55 am »
So have MS fixed this now ?

fabrikator
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #28 on: March 23, 2018, 01:53:17 pm »
I have been following this thread ever since v4.0.15 was released and have posted to it several times. I run Windows 7 PRO with Microsoft Security Essentials as my virus protector. I think we can all agree that this is a Microsoft Security Essentials error, however after about a dozen MSSE virus updates, v4.0.15 is still being flagged with the virus. Here are my latest questions:

     1.  Has Tweaking.com contacted Microsoft about this issue, and if so, is there a fix?

     2.  Why is it that only v4.0.15 is flagged and NOT v4.0.14? What is different?

Thanks,

fab

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #29 on: March 24, 2018, 10:34:18 am »
Yeah - we contacted them about 3 seconds after we found out. I believe it took them 6 hours to respond that it was fixed. There was never anything to do with anything on a user end. It was their mistake on matching.

No they never told us why, but it wasn't just our program it was a number of them around the web.

I would love it if they told us why - but it was most likely a coding error on their end and if they admitted it they would open up to legal issues.  Especially since what I have been able to divine is the programs that were flagged all used api calls to VB -- which is Microsoft's programming language. So essentially Defender flagged VB.  So whoever or however they made the error - it will never come out of Redmond. :)

Each time we release the exe is recompiled. So the 4.0.14 would have a completely different hash and "look" than 4.0.15.  When we release 4.0.16 odds are something will flag it as a false positive after release. It may not be Defender, but it will be something. This shit happens all the time with every one of the antivirus apps - it is the bane of the software author's existence. It's annoying but part of how the security industry works.

Boggin
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #30 on: March 24, 2018, 10:37:41 am »
Well fabrikator was still getting the error yesterday with MSE - see post before yours.

fabrikator
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #31 on: March 24, 2018, 01:09:58 pm »
And I am still getting the Virus error today.

Let me clarify, I am talking about Microsoft Security Essentials .... NOT Windows Defender.

I just now, 2:53 P.M. CDT, 3-24-18, downloaded the latest Microsoft Security Essentials virus update v1.263.1070.0, and it is still flagging v4.0.15 with the Trojan Win32/Critet.BS virus, so Microsoft has obviously NOT fixed anything!

Just letting you guys know what is still going on.

fab

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #32 on: March 24, 2018, 04:45:30 pm »
Dang. It is indeed cleared by MS both via VirusTotal and their own site (see attached)
https://www.virustotal.com/#/file/55d0bd20f9f8b28e6385bc530c25fdd25f094dc32b4834ef3f33d348a6cb8bfc/detection

Defender and Essentials use the same definitions.  I'll write and see what they think. Could be you didn't update?
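A VirusTotal link like the one above identifies the sample by its SHA-256, so before accepting "it's clean on VirusTotal" a user should confirm that the file sitting in their download folder or quarantine is byte-for-byte the same build the vendor submitted. The script below is an added example, not code from jpm or Tweaking.com: it pulls the digest out of a VirusTotal report URL, streams the local file through SHA-256, and compares the two. The report URL is the one jpm posted; the file contents are constructed stand-ins, and the function names are mine.

```python
import hashlib
import os
import re
import tempfile

# A VirusTotal file-report URL of the form .../file/<sha256>/detection names
# the sample by its SHA-256. Pull that digest out so it can be compared with
# a locally computed one.
SHA256_IN_URL = re.compile(r"/file/([0-9a-fA-F]{64})(?:/|$)")


def hash_from_virustotal_url(url: str) -> str:
    """Return the lowercase SHA-256 hex digest embedded in a VirusTotal file URL."""
    m = SHA256_IN_URL.search(url)
    if m is None:
        raise ValueError(f"no SHA-256 found in URL: {url!r}")
    return m.group(1).lower()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_submission(path: str, vt_url: str) -> bool:
    """True if the local file is byte-for-byte the sample the VirusTotal report describes."""
    return sha256_of_file(path) == hash_from_virustotal_url(vt_url)


def write_sample(content: bytes) -> str:
    """Write constructed sample bytes to a temp file and return its path (demo input only)."""
    fd, path = tempfile.mkstemp(suffix=".exe")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    # The report URL jpm posted above; the hash in it is the vendor's submitted build.
    report = ("https://www.virustotal.com/#/file/"
              "55d0bd20f9f8b28e6385bc530c25fdd25f094dc32b4834ef3f33d348a6cb8bfc/detection")
    # Constructed stand-in for the downloaded installer; a real check would point
    # at the file that was actually quarantined or downloaded.
    local = write_sample(b"not the real installer")
    print("submitted :", hash_from_virustotal_url(report))
    print("local     :", sha256_of_file(local))
    print("same file :", matches_submission(local, report))
    os.remove(local)
```

If the digests differ, the VirusTotal verdict says nothing about the file on disk: it could be a different build, a corrupted download, or a tampered copy, and the detection needs to be looked at afresh rather than dismissed as the same false positive.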

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #33 on: March 24, 2018, 04:50:18 pm »
Just wrote in to let them know that Defender is OK but Essentials is still a problem.  We will see if that helps. They tend to be pretty quick.

fabrikator
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #34 on: March 24, 2018, 06:05:51 pm »
Just updated to MSSE virus update v1.263.1075, 7:42 P.M. CDT.

A picture is worth a thousand words.

See Attachment

fab

Still_Game
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #35 on: March 25, 2018, 12:31:47 am »
I tried clearing MSE quarantine of the false trojan on Friday, removed the ignore rule that I'd added, uninstalled WR 4.0.15 and attempted to reinstall but MSE still flagged it as a trojan, so had to tell MSE to ignore it again. I'd already checked VirusTotal to see that the file was safe. I installed the very latest MSE updates before attempting reinstallation. I guess I'll have to wait for the next iteration of Windows Repair and see what happens but in the interim I'm using it on the assurance that it's a false positive. I'm using Windows 7 SP 1
Iain

ThinkPad T450s W10 Pro x64
Windows Defender, Malwarebytes Premium
Macrium Reflect 7 Home, Tweaking WRAIO Pro

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #36 on: March 25, 2018, 04:03:54 pm »
I literally just got another notification from them saying it was cleared. I reported it on Essentials as well.  Maybe their Essentials definitions run behind or they missed it the first time. But it should clear up soon.

fabrikator
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #37 on: March 25, 2018, 05:07:34 pm »
With latest MSSE virus update v1.263.1128.0, 6:40 P.M. CDT, 3-25-18.

Still being flagged. Somebody, probably Microsoft, is lying to everybody.

See attachment

fab

Still_Game
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #38 on: March 26, 2018, 01:23:32 am »
I realise it's a false positive but MSE is still rejecting WR 4.0.15 even after updating the definitions this morning. I'd previously told MSE to ignore the false positive and installed 4.0.15 anyway but uninstalled WR this morning, cleared all references to it in MSE and tried a new install but MSE still stopped it until I'd asked it to ignore the false positive again.

MSE
Antimalware Client Version: 4.10.209.0
Engine Version: 1.1.14600.4
Antivirus definition: 1.263.1150.0
Antispyware definition: 1.263.1150.0
Network Inspection System Engine Version: 2.1.14600.4
Network Inspection System Definition Version: 119.0.0.0

Windows 7 Home Premium SP1 64x

Malwarebytes Premium 3.4.4
Iain

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #39 on: March 26, 2018, 03:39:15 pm »
This is strange because the submission system says it is clean.... and it is.

Clearly they are having some sort of definition issue. I will try and get some clarity.

Still_Game
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #40 on: March 26, 2018, 10:45:39 pm »
Thanks, JPM -  it's odd, I agree. Malwarebytes Premium doesn't have a problem with it, either. I'm surprised that there aren't more posts about this on this forum, which I would have thought there would be if it was a widespread problem. Any way it could be caused by specific factors on the affected PCs? 
« Last Edit: March 26, 2018, 10:57:04 pm by Still_Game, Reason: Additions »
Iain

StephanP
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #41 on: March 27, 2018, 05:13:15 am »
... I'm surprised that there aren't more posts about this on this forum, which I would have thought there would be if it was a widespread problem.

I'm on Windows 10 (1709 with latest updates) and the standard Windows Defender flags the main executable as a positive.

Possibly related to this thread: Safe Mode = No Go , I experienced the following just this morning:
  • I wanted to check something with Windows Repair, so I restarted the PC in Safe Mode
  • In Safe mode, the Windows Repair Systray tool was active, but starting the main tool didn't do anything
  • After some investigation, I realized that the main executable was missing from the installation folder
  • During re-installation, it became clear to me that Defender removes it, leaving behind a maimed Windows Repair

Boggin
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #42 on: March 27, 2018, 09:14:53 am »
MS are supposed to have fixed it for WD.

You can still download the program and run it in Safe Mode with Networking, bearing in mind that from Win 8/8.1 Windows disables wireless in that mode, although it can be re-enabled.

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #43 on: March 27, 2018, 09:17:50 am »
I JUST updated to the latest 1.263.1584.0 def from Microsoft  and it is showing as clean. Finally!

Our best guess -- and it is just a guess but a guess from experience - is that there was something wrong with the defs over the weekend and they fixed it. Then it looks like they rolled it back - then fixed it again. Probably having to fix the fix. But, now it looks fixed. ;)

Problem is not everyone updates at the same time and it can take a few days to roll out.
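Several posts in this thread compare definition versions by eye (1.263.1070.0, 1.263.1150.0, 1.263.1584.0, 1.263.1587.0) to work out whether a given machine has the corrected definitions yet. The helper below is an added example, not anything from the thread's participants: it parses the "Name: version" lines of the MSE status dump Still_Game quoted earlier and compares the antivirus definition version numerically against the first version jpm reports as clean on Defender. Comparing these as strings gets the order wrong once a component rolls past a digit boundary ("1.263.999.0" sorts after "1.263.1584.0" lexically), which is the pitfall the tuple comparison avoids. The threshold constant and function names are mine; note also that fabrikator reports MSE still flagging at 1.263.1587.0, so being past the threshold is a necessary condition for the fix to have arrived, not proof that it has.

```python
import re

# Lines like "Antivirus definition: 1.263.1150.0" as they appear in the MSE
# status dump quoted in this thread.
STATUS_LINE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<ver>\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple:
    """'1.263.1584.0' -> (1, 263, 1584, 0); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_status(dump: str) -> dict:
    """Map each 'Name: x.y.z' line of an MSE/Defender status dump to a version tuple."""
    versions = {}
    for line in dump.splitlines():
        m = STATUS_LINE.match(line)
        if m:
            versions[m.group("name")] = parse_version(m.group("ver"))
    return versions


def definitions_at_least(dump: str, field: str, minimum: str) -> bool:
    """True if the named field in the dump is at or beyond `minimum`."""
    versions = parse_status(dump)
    if field not in versions:
        raise KeyError(f"{field!r} not present in status dump")
    return versions[field] >= parse_version(minimum)


# Definition version jpm reports as clean on Defender in the post above (assumed threshold).
FIRST_CLEAN_DEFENDER_DEF = "1.263.1584.0"

# Still_Game's status dump, copied from the thread.
STILL_GAME_DUMP = """\
Antimalware Client Version: 4.10.209.0
Engine Version: 1.1.14600.4
Antivirus definition: 1.263.1150.0
Antispyware definition: 1.263.1150.0
Network Inspection System Engine Version: 2.1.14600.4
Network Inspection System Definition Version: 119.0.0.0
"""

if __name__ == "__main__":
    print(parse_status(STILL_GAME_DUMP))
    print("at or past first clean def:",
          definitions_at_least(STILL_GAME_DUMP, "Antivirus definition", FIRST_CLEAN_DEFENDER_DEF))
```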

fabrikator
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #44 on: March 27, 2018, 11:50:01 am »
OK, jpm 

I tried v4.0.15 again with MSSE update v1.263.1584.0 AND newer v1.263.1587.0 and I am STILL getting flagged.

I'm done posting screen shots, you will just have to take my word for it.

SO ... let us see if we are on the same page  ... it does make a difference.

I use Windows 7 PRO with Microsoft Security Essentials ... NOT Windows Defender

What are YOU using to get an "all clear"  ??

Please reply

Thanks,

fab

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #45 on: March 27, 2018, 12:53:33 pm »
Yeah - I wrote them separately on essentials.  Seems that one takes longer

StephanP
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #46 on: March 27, 2018, 11:17:31 pm »
  • Updated Defender databases this morning
  • Re-downloaded 4.0.15
  • Download gets past Defender
  • Installer does not
  • Error message (see attachment)
  • Main executable Repair_Windows.exe is missing from the installation folder

I managed to place Repair_Windows.exe on Defender's exceptions list.
Windows Repair is now fully functional again.
« Last Edit: March 27, 2018, 11:45:07 pm by StephanP »

jpm
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #47 on: March 28, 2018, 08:38:40 am »
arrrrgh

This is becoming an issue for a number of people.
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/false-positive-by-windows-defender-win32critetbs/13dc2ef4-2b24-40ca-87d4-74f35b0b79bf
https://github.com/processing/processing/issues/5442
https://www.reddit.com/r/KerbalSpaceProgram/comments/84mcqc/windows_defender_finding_trojan_in_ksp_files/
https://github.com/shadowsocks/shadowsocks-windows/issues/1746
https://github.com/fsprojects/Paket/issues/3121
https://www.onehouronelife.com/forums/viewtopic.php?pid=3521
There are a lot more.


All the authors are getting the same issue. The file comes up clean in the submission system, but is detected on the home user. It affects both VB and Unity game programming languages.  It seems that it is a heuristic issue with Defender but it looks like they are having an issue dealing with it.

Maybe if some of you all submit the false positive as users?

https://www.microsoft.com/en-us/wdsi/filesubmission

StephanP
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #48 on: March 28, 2018, 08:54:59 am »
Maybe if some of you all submit the false positive as users?
https://www.microsoft.com/en-us/wdsi/filesubmission

Going out now

StephanP
Re: Trojan:Win32/Critet.BS - False positive from Defender?
« Reply #49 on: March 28, 2018, 09:00:00 am »
O oh, it says:
  • Not malware   No malware detected