ZAP 2.15.0 installer (Windows x64) detected as malicious by Microsoft Defender Antivirus #8491
Comments
|
We do think this is very likely to be a false positive, but we are doing due diligence For reference we did submit the Windows installer to Virus Total: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57?nocache=1 It is worth noting that virus scanners are very flaky, and ZAP is a security tool which by nature "does bad things". |
|
Its worth noting that the alert is |
|
Submitted directly to Windows Defender online:
|
|
ZAP is a security tool. It “does bad things”. We know that virus scanners regularly flag the active scan rule add-ons, which is not surprising as they perform attacks. |
|
I just had a poke around at this, and appears in the build there is a file called "ascanrules-release-66.zap". It looks like this file might be causing the detection as it is flagged by Defender for https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FBitrep.B. This does look to be a FP. https://www.virustotal.com/gui/file/6c63ac358a5a183a757cb63ac13040e58eb3087aa9ca25bf40a02fab83f3736f |
|
"ascanrules-release-66.zap" is the active scan rule add-on: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ - these are the rules which attack web apps. So its really not surprising that it gets flagged by AV tools 😁 |
|
It's worth mentioning that the detection does not apply to version 2.14.0. |
|
We did encounter similar things when 2.14 was first released. Though to a lesser extent. In the mean time both AV solutions and ZAP have changed/evolved. |
|
I've sent this to some contacts at MSFT so hopefully it can get routed to the right people. |
|
Thanks @benmcgarry |
|
Appears Smart Screen is now flagging on it: |
|
@benmcgarry isnt that just saying that ZAP is from an unknown publisher, rather than its failed an AV check? |
|
I dont get that prompt on the 2.14 release which i'd assume would also trigger? Did any of the build process change for 2.15? |
|
Not radically, but there are bound to have been some changes |
|
2.14 might be "popular" enough that SmartScreen ignores it. |
|
It appears the detection has now been removed for this on latest definition versions. It no longer alerts as a PUA. @ksast does it still happen for you? |
Describe the bug
I tried to download the latest installer 2.15.0 via winget using the following command, but it triggered an alert coming from Microsoft Defender Antivirus:
"winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.logThe alert is named "'Packunwan' unwanted software was prevented".
Maybe the 2.15.0 package of ZAP is malicious.
The same alert is triggered when downloading directly from the ZAP website:
https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2_15_0_windows.exe
File hash (sha256): 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
This could be a potential supply chain attack where a malicious file is distributed via a public package manager (i.e. winget).
Steps to reproduce the behavior
Try to execute the command from the description on a client that is protected by Microsoft Defender Antivirus.
Expected behavior
Download and install a safe package.
Software versions
2.15.0
Screenshots
No response
Errors from the zap.log file
n/A
Additional context
Please also see microsoft/winget-pkgs#153873
Would you like to help fix this issue?
The text was updated successfully, but these errors were encountered: