Known issue: Windows Defender flagging products as Trojans

Options
Hayo_NI
Hayo_NI Product Team Posts: 290 mod
edited March 2023 in Native Access

Hi all, PM of Native Access here.

Just wanted to let you all know we're aware that Windows Defender is deleting installers and flagging it as a Trojan, and are investigating the matter. We'll keep you posted on what we find and what actions we're taking.

To start with, we've assessed that many products are affected, but not all users experience the same issues with these products. Manually installing the products is working fine, but running the installers from Native Access is causing problems (both Native Access 1 and Native Access 2). We're currently looking into the tech that might be the cause, and are looking to see if there's anything we released that might've caused the installers to suddenly be flagged by the Windows Defender.

Please bear with us while we resolve the matter. In the meantime, we recommend you reach out to our support team here so we can help you get started. Apologies for the inconvenience.

Best Answer

«134

Answers

  • infoomse
    infoomse Member Posts: 6 Member
    Options

    So from that I understand that you are not shure if this is a virus or not!

  • Andrew Koenig
    Andrew Koenig Member Posts: 12 Member
    Options

    It sounds like even if there is a malware problem in the Native Access installation process, it is possible to install the products directly, bypassing Native Access, without raising any red flags with Windows Defender.

  • The Sarge
    The Sarge Member Posts: 125 Helper
    Options

    @Hayo_NI

    thanks for info, here an info you & your tech-team can need:

    it´s NOT an pure Native-Access-Issue, because the same alert is within the IK-Product-Manger from IKM-Italy (and I don´t think that you´ve given them the NA-Code ;) )

    there is a little chance, that you and they got the same attack, but for logical would be an MS-problem

    regards from Germany

    The Sarge!

  • Hayo_NI
    Hayo_NI Product Team Posts: 290 mod
    Options

    Thanks @The Sarge!

    @Andrew Koenig in the meantime, yes please use the link above and customer support will help you bypass Native Access if youre experiencing any issues.

    @infoomse We aren't done diagnosing everything but we've scanned our product installers and we're convinced there's no malware or virus in them. Seems like it's a Windows thing but we still have some angles we're investigating.

    We're also trying to find a good workaround but the ones we found are inconvenient thus far.

  • zzz00m
    zzz00m Member Posts: 15 Member
    Options

    I'm not even seeing the latest Massive X 1.4.3 update here in Native Access 1, on Windows 10.

    Do I need to update to Native Access 2 to get current updates?

  • LostInFoundation
    LostInFoundation Member Posts: 4,311 Expert
    Options

    @Hayo_NI

    THANK YOU for taking the time to give us some information/instructions.

    Some more of this interactions more frequently and we could even start to think to be followed by a real support

  • The Sarge
    The Sarge Member Posts: 125 Helper
    edited March 2023
    Options
  • Terrafinale
    Terrafinale Member Posts: 1 Newcomer
    Options

    I had the "failed to install" error due to defender flagging installers as malware yesterday. Stopped the installation. I tried today to install and everything went smoothly.

    Defender is no longer flagging. Time to jam!

    Thank you

  • nico5
    nico5 Member Posts: 49 Helper
    Options

    This is the kind of post I've been waiting for, because

    "... we've scanned our product installers and we're convinced there's no malware or virus in them"

    • explains why you haven't paused the Native Access updates distribution

    "Seems like it's a Windows thing but we still have some angles we're investigating."

    • explains why you haven't simply called it a false positive, and why you've not yet said what made it happen.

    "We're also trying to find a good workaround but the ones we found are inconvenient thus far."

    • explains why there's no official solution so far.

    So thank you for this informative post! 👍️


    And a small additional note:

    Since Defender actually flags the product specific installer packages, and not Native Access, many individuals (including me) have been searching and posting in the appropriate product specific sub-forum/category, rather than the NATIVE ACCESS category.

    For example in my case, I clicked the Install All button, and the installers for Komplete Kontrol and Massive X completed successfully, but then the Maschine 2 installer threw the error. So my natural instinct did not associate the issue with something common to Native Access, but with something rather specific to Maschine. And so I only looked in the Maschine forum without realizing that this issue was also happening on other installers for some other users.

    So to make life easier for your users, it might be great, if you made this thread (and relevant followups) also visible in the each of the affected individual product categories. Or if that's not possible, maybe have a sticky post pointing to this thread in each relevant product category.

    Thanks again!

  • Hayo_NI
    Hayo_NI Product Team Posts: 290 mod
    Options

    Thanks @nico5. We're starting to narrow it down to how we build our installers, but aren't quite done investigating on a solution. We have no reason to believe any of the installers are malicious but please do keep making use of the support link if you're hesitant to allow the installers to go through. Otherwise, simply "Allow" them in the Windows Defender and try again. We'll link the other community sections to this post in the morning.

    For those asking about Massive X updates, I'm seeing them in Native Access 2, so try upgrading. If you're having issues there, reach out to support as well.

    Thank you all for your patience!

  • nico5
    nico5 Member Posts: 49 Helper
    edited March 2023
    Options

    Thanks for your kind reply @Hayo_NI

    Just as an update to how things have evolved on my particular system - AMD Ryzen 7900x, Win 10H2 (OS Build Build 19045.2673):

    • up to and including yesterday, Microsoft Defender flagged and quarantined the Machine 2 installation via Native Access, and Native Access' installation failed
    • today (maybe after another Defender definitions update - or just by chance), Defender still flagged and quarantined the installation zip file, but interestingly enough, the installation of the Maschine 2 update went ahead and apparently succeeded. (This is consistent with one or two other users' experience I've read over the last couple of days). One explanation might be that on a modern multi-core and multi-thread system there's a racing condition between the anti-virus and the de-compression and sometimes one happens first and sometimes the other. This could make a difference if the .zip file does trigger Microsoft Defender's flagging, while the extracted .exe file does not. -- So I continued to confirm or deny that theory:
    • I retrieved the quarantined zip file and extracted it via 7zip to a separate folder.
    • Then I ran the extracted Maschine 2 2.17.0 Setup PC.exe through a manual Microsoft Defender scan. It returned: 0 threats found and 3368 files scanned. -- ahhh - the installer does look clean!
    • And just while I was at it, I also decompressed the .exe file (also using 7zip) and initiated yet another Microsoft Defender scan on the resulting folder. It returned 0 threats found and 2780 files scanned. Fewer files presumably because I have a number of extensions like .png files excluded from scanning. - it confirms that all of the now fully decompress installer files are deemed clean.
    • Then I compressed the previously decompressed .exe file again (using 7zip "normal" compression) and initiated a Microsoft Defender scan on the resulting zip file. It returned 0 threats found and 3369 files scanned. Presumably the extra file is the zip file itself. -- this seems to further confirm that the problem might be a the final compression to zip with very specific parameters causes the flagging, while other compression parameters do not.
    • Then I compressed the .exe file again, but with the regular Windows compression via right clicking on the file and initiated a Microsoft Defender scan on the resulting zip file. It also returned 0 threats found and 3369 files scanned. Again, presumably the extra file is the zip file itself. -- More strengthening of evidence that it's just the parameters of the final compression algorithm ends up generating something in the final .zip file that trigger Defender's flagging.

    So to me it looks like something the the final compression to zip creates a string that sets off Defender's alert. But the .exe and the files it includes are deemed entirely clean. -- So now I'm satisfied enough that indeed this is a false alarm by Microsoft Defender.

    Just as a final test, I ran another scan on my system after the successful install of the Maschine update and the scan came back entirely clean. -- So now I truly share your evaluation that the installer is just fine.

    Of course, this may all be already obvious to you and the technical team working on this.

    However, I still documented my findings and thinking here, since it may help other readers of this thread to come to their own conclusion or even run a similar sequence of tests on their own system.

    I generally try to explain how I came to a conclusion, rather than saying "everything is fine" or being silent for too long. I just think it makes it easier for readers to follow along and maintain trust.

  • MyStudioOne
    MyStudioOne Member Posts: 255 Pro
    Options

    Exact same issue installing latest version of Trimble Sketchup pro. Had to turn off Defender to install. Seems like a windows issue for sure...

  • zzz00m
    zzz00m Member Posts: 15 Member
    edited March 2023
    Options

    I found one file in my Windows Defender log and quarantine from last week. It had nothing to do with NI or Native Access, as it was a zip file containing drivers for my motherboard. It had been dormant on my hard drive for over two years. Somehow Windows Defender identified it as the same trojan and quarantined it.

    So this lines up with other observations that the recent Defender trojan alerts were hit or miss, and affected applications from other vendors as well.

    A precaution before running an executable file restored from quarantine, is to submit the file(s) to VirusTotal for analysis (650MB max file size). https://www.virustotal.com/gui/home/upload

    "VirusTotal inspects items with over 70 antivirus scanners and URL/domain blocklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal. VirusTotal offers a number of file submission methods, including the primary public web interface, desktop uploaders, browser extensions and a programmatic API. The web interface has the highest scanning priority among the publicly available submission methods."

  • [Deleted User]
    [Deleted User] Posts: 0 Newcomer
    edited March 2023
    Options
    The user and all related content has been deleted.
Back To Top