Author Topic: fSekrit 1.40 quarantined by Windows 10  (Read 12826 times)

brotherS

  • Master of Good Ideas
  • Honorary Member
  • Joined in 2005
  • Posts: 2,260
fSekrit 1.40 quarantined by Windows 10
« on: November 10, 2020, 06:05 AM »
fSekrit 1.40 was just quarantined by Windows, as Trojan:Win32/Wacatac.C!ml.

This probably is a false positive, this happened before, but is there anything left to do (other than to unquarantine it manually)?

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 11,186
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #1 on: November 10, 2020, 09:57 AM »
Report it, I guess?

f0dder

  • Moderator
  • Joined in 2005
  • Posts: 9,153
  • [Well, THAT escalated quickly!]
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #2 on: November 10, 2020, 11:40 AM »
Hi, just a quick message to say I've seen your post!

For what it's worth: my own local copy of fSekrit isn't flagged (Win10 19041.572, and recent Defender definitions, (I hope)). I have to head off to see some friends and am running a bit late, but will hopefully have time to look at this tomorrow!
- carpe noctem

brotherS
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #3 on: November 10, 2020, 02:15 PM »
> Report it, I guess?
Since the file contains personal information I'd rather not send it to Microsoft.  8)

> my own local copy of fSekrit isn't flagged (Win10 19041.572, and recent Defender definitions, (I hope))
Interesting... Win10 19041.572 here too. Maybe whether Windows detects it as a trojan somehow depends on the file size? Weird...

4wd

  • Supporting Member
  • Joined in 2006
  • Posts: 5,641
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #4 on: November 10, 2020, 03:01 PM »
Caution: Theory Ahead

Maybe it's just that the encrypted contents of the file now match the file pattern of Trojan:Win32/Wacatac.C!ml and rearranging the order of the information would 'fix' the problem?

wraith808
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #5 on: November 10, 2020, 06:55 PM »
>> Report it, I guess?
> Since the file contains personal information I'd rather not send it to Microsoft.  8)

When I reported to get it unflagged by Symantec, I sent them fsekrit, explained what it does and that the flagged exe was created by this software.  They unflagged it, and I haven't had any problems since.

f0dder
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #6 on: November 11, 2020, 03:03 AM »
Before heading off to work (yep, after 6+ months of f'ing lockdown, we've been back to an office for a couple of months now!):

Does this also happen with a freshly downloaded copy of fSekrit, or only the one with your encrypted data? If it's the latter, 4wd has a point... and somebody needs to get their shit together and do more precise signatures
- carpe noctem

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,646
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #7 on: November 11, 2020, 05:40 AM »
Not sure if current issue, but I was having the same issue awhile back with the compressed version. With or without contents made no difference, but the compressed version got ate immediately. I finally compiled a fresh uncompressed copy, and haven't had an issue since.

Seems like anything packed with UPX makes AV go squirrel shit.

Just a thought..

x16wda

  • Supporting Member
  • Joined in 2007
  • Posts: 888
  • what am I doing in this handbasket?
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #8 on: November 11, 2020, 06:11 AM »
> Seems like anything packed with UPX makes AV go squirrel shit.

This.

There isn't such a need for it these days anyway.
vi vi vi - editor of the beast

wraith808
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #9 on: November 11, 2020, 04:16 PM »
> Not sure if current issue, but I was having the same issue awhile back with the compressed version. With or without contents made no difference, but the compressed version got ate immediately. I finally compiled a fresh uncompressed copy, and haven't had an issue since.
>
> Seems like anything packed with UPX makes AV go squirrel shit.
>
> Just a thought..

Do you have a copy of that?

Also submitted reteam.org as a FP.  Malwarebytes blocks it.
« Last Edit: November 11, 2020, 04:29 PM by wraith808 »

Stoic Joker
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #10 on: November 12, 2020, 05:41 AM »
> Do you have a copy of that?

I should... The question is where?

f0dder
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #11 on: November 12, 2020, 11:33 AM »
> Seems like anything packed with UPX makes AV go squirrel shit.
Sigh.

fSekrit uses PECompact and not UPX, but same same :)

I did ponder a bit whether to continue using executable compression – one of the points of fSekrit is to be tiny, but the savings might not be worth it compared to hassle from shitty AV software... And the 1.40 exe would still be < 100kb without compression.
- carpe noctem

brotherS
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #12 on: November 12, 2020, 11:51 AM »
> Caution: Theory Ahead
>
> Maybe it's just that the encrypted contents of the file now match the file pattern of Trojan:Win32/Wacatac.C!ml and rearranging the order of the information would 'fix' the problem?
I've already excluded the fSekrit folder from AV checks ... 8) but ...

>> Seems like anything packed with UPX makes AV go squirrel shit.
> Sigh.
>
> fSekrit uses PECompact and not UPX, but same same :)
>
> I did ponder a bit whether to continue using executable compression – one of the points of fSekrit is to be tiny, but the savings might not be worth it compared to hassle from shitty AV software... And the 1.40 exe would still be < 100kb without compression.
...maybe a 1.41 release would help, where the only change would be "now without compression, with greetings to AV software"?  :D

wraith808
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #13 on: November 12, 2020, 12:28 PM »
> ...maybe a 1.41 release would help, where the only change would be "now without compression, with greetings to AV software"?

Agreed!  I could compile it myself, but I'm too lazy  ;D

f0dder
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #14 on: November 12, 2020, 06:40 PM »
So, to build an uncompressed version of fSekrit 1.x that's similar to the released version...

I think I still have the vc2003toolkit installer somewhere, which will hopefully work on Win10... Iirc that also includes the header files and import libraries.
And then there's the issue of using SCons for building – if I can still find a matching version of Python and the SCons distribution that'll work.

This is yet another occasion I'm embarrassed that work on 2.x got stranded  :-[
- carpe noctem

Stoic Joker
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #15 on: November 13, 2020, 05:47 AM »
FWIW it looks like it compiled fine for me with MSVC 2013.

I don't have a copy of the Unicode version compiled, but I could try throwing something together this weekend if that's ok with f0dder?

x16wda
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #16 on: November 13, 2020, 06:06 AM »
> I did ponder a bit whether to continue using executable compression – one of the points of fSekrit is to be tiny, but the savings might not be worth it compared to hassle from shitty AV software... And the 1.40 exe would still be < 100kb without compression.
Tiny has a different meaning these days. It does not need to fit on a 3.5" floppy...
vi vi vi - editor of the beast

Stoic Joker
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #17 on: November 13, 2020, 07:11 AM »
Okay, correction: the regular version compiles ok on MSVS 2013, the Unicode version pitches a fit about a couple of type conversions.

I'm at work trying to peek at this quick... (eek!) ...I've got a copy of MSVS 2005 installed at home; it may like that a bit better.

I have to go work now (ick..).

Stoic Joker
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #18 on: November 14, 2020, 08:41 AM »
Okay, apparently I'm an idiot... I figured out how to get the Unicode version to compile (use the other function), but it doesn't run … Just does a silent exit on load. I should probably mention at this point that I haven't even been in MSVS (or anything else) in about 4 years … So I'm rusty as hell.

Note: I did add a line to the about dialog, that says: This build compiled by Stoic Joker - So don't blame f0dder if it breaks!

Freshly compiled, non-compressed, non-Unicode v1.40 attached. Warranty implied only by DOYC - e.g. there ain't one - Savvy?

f0dder
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #19 on: November 14, 2020, 11:54 AM »
Thanks a lot, Stoic Joker!

brotherS: it would be nice if you could check if Windows Defender moans about a fresh 1.40 download from the dcmembers site, as well as SJ's uncompressed build :)
- carpe noctem

brotherS
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #20 on: November 14, 2020, 01:49 PM »
> brotherS: it would be nice if you could check if Windows Defender moans about a fresh 1.40 download from the dcmembers site, as well as SJ's uncompressed build :)
I just downloaded and ran both, no objections from Windows so far...

f0dder
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #21 on: November 15, 2020, 07:41 AM »
> I just downloaded and ran both, no objections from Windows so far...
Hm, so it doesn't sound like it's the compression itself that Defender is complaining about, at least that's something (and consistent with Defender not complaining for me either).

Sounds like 4wd was right:
> Maybe it's just that the encrypted contents of the file now match the file pattern of Trojan:Win32/Wacatac.C!ml
Not much I can do about badly chosen, too short patterns in AV software matching encrypted data :(
- carpe noctem
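The point f0dder makes above, that a short byte pattern will sooner or later turn up somewhere inside encrypted (effectively random) data, can be checked numerically. The script below is an added example and is not code from this thread or from fSekrit. It uses a deterministic pseudo-random byte stream (SHA-256 of a counter) as a stand-in for ciphertext, and the "signature" byte patterns and file sizes are constructed; it does not model how any real AV engine builds or matches its signatures, only the arithmetic of matching a fixed n-byte pattern against N random bytes.

```python
"""Why a short byte signature fires on encrypted data (added example).

Encrypted or compressed content is statistically indistinguishable from
uniformly random bytes, so a fixed pattern of n bytes is expected to match
roughly (N - n + 1) / 256**n positions inside an N-byte file.  For a 2-byte
pattern and a 1 MiB file that is about 16 hits; for an 8-byte pattern it is
effectively zero.  Signature length is what separates the two.
"""
import hashlib


def expected_matches(file_len: int, pattern_len: int) -> float:
    """Expected number of positions at which a fixed pattern_len-byte pattern
    matches inside file_len bytes of uniformly random data."""
    positions = max(file_len - pattern_len + 1, 0)
    return positions / 256 ** pattern_len


def prob_at_least_one_match(file_len: int, pattern_len: int) -> float:
    """Probability that the pattern occurs at least once, treating the
    positions as independent trials (a close approximation for short patterns)."""
    positions = max(file_len - pattern_len + 1, 0)
    return 1.0 - (1.0 - 256.0 ** -pattern_len) ** positions


def count_matches(data: bytes, pattern: bytes) -> int:
    """Count (possibly overlapping) occurrences of pattern in data, the way a
    naive byte-signature scanner would."""
    count = 0
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return count
        count += 1
        start = idx + 1


def pseudo_random_bytes(length: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: SHA-256(seed || counter) blocks.
    Constructed so the demo is reproducible; real ciphertext behaves the same
    statistically, since good ciphers produce output that looks uniform."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def main() -> None:
    # Constructed "signatures" of 2, 3 and 8 bytes.  Real signatures are
    # longer and combined with context; these only illustrate the arithmetic.
    patterns = [b"\x4d\x5a", b"\xe8\x00\x00", b"\xde\xad\xbe\xef\xca\xfe\xba\xbe"]
    for size in (10 * 1024, 1024 * 1024):
        data = pseudo_random_bytes(size)
        print(f"--- {size} bytes of pseudo-random data ---")
        for pat in patterns:
            n = len(pat)
            print(f"pattern {pat.hex()} ({n} bytes): "
                  f"expected {expected_matches(size, n):8.3f}, "
                  f"P(>=1) {prob_at_least_one_match(size, n):6.3f}, "
                  f"observed {count_matches(data, pat)}")


if __name__ == "__main__":
    main()
```

Running it prints, for each constructed pattern and file size, the expected hit count, the probability of at least one hit and the count actually observed in the pseudo-random data. The observed counts scatter around the expected values, which is the whole story behind a note file "becoming" a trojan after its encrypted contents change: nothing about the file is malicious, the signature is just short enough that random bytes satisfy it.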

Stoic Joker
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #22 on: November 16, 2020, 05:46 AM »
Back when I was fighting with Windows Defender eating it constantly, it was always when I hit save changes, and it bounced in and out of Temp that it got blown away. This behavior stopped when I did the original uncompressed version (that I now can't find) … But I'm not sure - I'm old, I slept since then, and I drink a bit.. :D

Granted that was a few years ago - so not the same thing - but a possible indicator of where the problem the AV stuff is having could be.

Vitaliy

  • Participant
  • Joined in 2021
  • Posts: 1
Re: fSekrit 1.40 quarantined by Windows 10
« Reply #23 on: January 07, 2021, 01:14 PM »
hello!

Using fSekrit for years. Great idea and implementation!

Unfortunately I faced an issue recently, and I'm happy to have found this forum and to know that the author of the tool is still replying to questions! (hopefully supporting the tool somehow).

So, my issue:
I have McAfee Antivirus (AV) on a corporate laptop (can't uninstall/disable/re-configure it).
There is an Adaptive Threat Protection feature/functionality there.

Sometimes when I enter/update the file with new text (logins, passwords etc.) and save it, the AV recognizes the file as "Malware Detected" with threat = "Real Protect-LS!92f0ae1ffdf4", Trojan, and REMOVES it!

It looks like some text in the file after encryption & compression is recognized as a Trojan. If I change the new entries to something longer/simpler, it works fine. Now I'm always worried to enter new text & save; the file can be removed by the AV.

Even when I restore the file and try to open it, it is also caught by the AV and removed ((. So the only way to continue using the file in RO mode is to change the file on another PC and add some text there. But it is difficult to understand what kind of text/how to change it to avoid its detection as a Trojan.

Any ideas how to prevent this?