Microsoft Defender detects Trojan:Linux/Multiverze: on ISO [solved]
I wanted to try Debian 11 with LXDE on an old PC.
I downloaded the nonfree ISO first, and I analyzed it with Microsoft Defender, which identified it as a serious threat.
Then I downloaded the version that does not include nonfree, analyzed it, and it was identified as a threat as well.
I think it must be a Microsoft Defender confusion, but when in doubt I thought it would be better to ask.
Do you think there may be a Trojan in the ISOs that has gone unnoticed?
Thanks.
Files:
debian-live-11.0.0-i386-lxde+nonfree
debian-live-11.0.0-i386-lxde
Trojan:Linux/Multiverze:
https://www.microsoft.com/en-us/wdsi/th ... 2147783419
Last edited by newuser on 2022-05-30 18:34, edited 1 time in total.
- FreewheelinFrank
- Global Moderator
- Posts: 2135
- Joined: 2010-06-07 16:59
- Has thanked: 38 times
- Been thanked: 233 times
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
It is undoubtedly what is known as a false positive, where an anti virus program detects an innocent piece of code as malware. You can submit the file to Microsoft for analysis. They will tell you if it is indeed a false positive. You should do this so that Microsoft can update its detections and other users will experience the same worry.
https://www.microsoft.com/en-us/wdsi/filesubmission
You can also submit the files to VirusTotal for analysis by multiple anti virus engines to see which anti virus programs detect the files as malware. In the case of a false positive it is usually one out of many.
https://www.virustotal.com/gui/home/upload
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
Yeah... follow the yellow brick road Dorothy... MSDef identifies any fs with viable hardware and/or network detection not signed by MS or its given OEM partner as a threat, even extending as far as legally obtained firmware. They will laugh at you for submitting a Debian 11 ISO, and reply "don't do that". Jeez Frank.
TC
You can't believe your eyes if your imagination is out of focus.
- FreewheelinFrank
- Global Moderator
- Posts: 2135
- Joined: 2010-06-07 16:59
- Has thanked: 38 times
- Been thanked: 233 times
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
trinidad wrote: ↑2021-08-27 18:21
Yeah... follow the yellow brick road Dorothy... MSDef identifies any fs with viable hardware and/or network detection not signed by MS or its given OEM partner as a threat, even extending as far as legally obtained firmware. They will laugh at you for submitting a Debian 11 ISO, and reply "don't do that". Jeez Frank.
TC
Challenge accepted.
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
I don't use Windows but surely the downloaded image can be verified? Do a search for, for example: "Verify a Checksum On Windows."
For example: how-to-verify-a-downloaded-linux-iso-file-wasnt-tampered-with
DebianStable
Code:
$ vrms
No non-free or contrib packages installed on debian! rms would be proud.
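An added example (not from this thread or from Debian) of the checksum verification the reply above points to: it parses a Debian-style SHA256SUMS file, hashes the ISO in chunks so multi-gigabyte images fit in memory, and compares digests in constant time; the file names and contents in demo() are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def parse_sha256sums(text):
    """Parse a SHA256SUMS-style file: '<hex digest>  <filename>' per line.
    Returns {filename: digest}; a leading '*' (binary-mode marker) is dropped."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or name == "":
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums

def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks (an ISO is far too large to read at once)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(iso_path, sums_path):
    """True if the ISO's SHA-256 matches its entry in the SHA256SUMS file."""
    expected = parse_sha256sums(Path(sums_path).read_text())
    name = Path(iso_path).name
    if name not in expected:
        raise KeyError(f"{name} is not listed in {sums_path}")
    # compare_digest avoids a timing side channel on the comparison itself
    return hmac.compare_digest(sha256_of_file(iso_path), expected[name])

def demo():
    """Constructed sample: a stand-in 'ISO', then the same file with one byte appended."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "debian-live-11.0.0-i386-lxde.iso"   # constructed name
        iso.write_bytes(b"constructed sample ISO content\n" * 1000)
        sums = Path(d) / "SHA256SUMS"
        sums.write_text(f"{sha256_of_file(iso)}  {iso.name}\n")
        good = verify_iso(iso, sums)
        iso.write_bytes(iso.read_bytes() + b"\x00")            # tampered copy
        bad = verify_iso(iso, sums)
        return good, bad
```

The SHA256SUMS file is only worth trusting after its detached signature (Debian publishes SHA256SUMS.sign) has been checked against the Debian CD signing key with gpg; otherwise a tampered image could ship with a matching tampered checksum.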
- FreewheelinFrank
- Global Moderator
- Posts: 2135
- Joined: 2010-06-07 16:59
- Has thanked: 38 times
- Been thanked: 233 times
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
I have downloaded the ISO and uploaded the file (livevmlinuz-5.10.0-8-686) to VirusTotal. (I get to play with LXDE later too!)
It is detected as malware by 18 security vendors, mostly using generic or heuristic detection (which says that it resembles or behaves like malware in some way). Microsoft calls it a Trojan. This is not to say it is likely to actually be a Trojan, because heuristic/generic detections are notoriously prone to false positives (and Microsoft's detection is almost certainly wrong).
https://www.virustotal.com/gui/file/91e ... /detection
I have submitted the file to Microsoft for analysis. We will see what they say.
I will also submit the file to the other vendors that have a false positive submission system and see what they say.
- FreewheelinFrank
- Global Moderator
- Posts: 2135
- Joined: 2010-06-07 16:59
- Has thanked: 38 times
- Been thanked: 233 times
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
Microsoft no longer detects the file as malware. Detections at VirusTotal are now down to 14. Ad-Aware, Cynet and Bitdefender also seem to be on the ball, although Bitdefender Theta (machine learning based, apparently) still detects the file.
- FreewheelinFrank
- Global Moderator
- Posts: 2135
- Joined: 2010-06-07 16:59
- Has thanked: 38 times
- Been thanked: 233 times
Re: Microsoft Defender detects Trojan:Linux/Multiverze: on ISO
Down to 7 already. Of the big names, Trend Micro gets the booby prize for tardiness.