ZAP 2.15.0 installer (Windows x64) detected as malicious by Microsoft Defender Antivirus #8491
Comments
We do think this is very likely to be a false positive, but we are doing due diligence. For reference, we did submit the Windows installer to VirusTotal: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57?nocache=1 It is worth noting that virus scanners are very flaky, and ZAP is a security tool which by nature "does bad things".
It's worth noting that the alert is
ZAP is a security tool. It "does bad things". We know that virus scanners regularly flag the active scan rule add-ons, which is not surprising as they perform attacks.
I just had a poke around at this, and it appears in the build there is a file called "ascanrules-release-66.zap". It looks like this file might be causing the detection as it is flagged by Defender for https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FBitrep.B. This does look to be a FP. https://www.virustotal.com/gui/file/6c63ac358a5a183a757cb63ac13040e58eb3087aa9ca25bf40a02fab83f3736f
"ascanrules-release-66.zap" is the active scan rule add-on: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ - these are the rules which attack web apps. So it's really not surprising that it gets flagged by AV tools 😁
It's worth mentioning that the detection does not apply to version 2.14.0.
We did encounter similar things when 2.14 was first released, though to a lesser extent. In the meantime both AV solutions and ZAP have changed/evolved.
I've sent this to some contacts at MSFT so hopefully it can get routed to the right people.
Thanks @benmcgarry
@benmcgarry isn't that just saying that ZAP is from an unknown publisher, rather than it's failed an AV check?
I don't get that prompt on the 2.14 release which I'd assume would also trigger? Did any of the build process change for 2.15?
Not radically, but there are bound to have been some changes.
2.14 might be "popular" enough that SmartScreen ignores it.
It appears the detection has now been removed for this on latest definition versions. It no longer alerts as a PUA. @ksast does it still happen for you?
Describe the bug
I tried to download the latest installer 2.15.0 via winget using the following command, but it triggered an alert coming from Microsoft Defender Antivirus:
"winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
The alert is named "'Packunwan' unwanted software was prevented".
Maybe the 2.15.0 package of ZAP is malicious.
The same alert is triggered when downloading directly from the ZAP website:
https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2_15_0_windows.exe
File hash (sha256): 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
This could be a potential supply chain attack where a malicious file is distributed via a public package manager (i.e. winget).
Steps to reproduce the behavior
Try to execute the command from the description on a client that is protected by Microsoft Defender Antivirus.
Expected behavior
Download and install a safe package.
Software versions
2.15.0
Screenshots
No response
Errors from the zap.log file
N/A
Additional context
Please also see microsoft/winget-pkgs#153873
Would you like to help fix this issue?
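The report above pins the installer to a published SHA-256 value. Before installing a package that an AV product has flagged, the defender's first check is whether the bytes on disk match the hash the publisher released, which separates "the genuine file trips a heuristic" from "I received a different file". The script below is an added example, not part of this issue thread or of the ZAP project: it streams a file through SHA-256, parses a checksum list in the common `sha256sum` line format (an assumed format; the ZAP release page is not claimed to use it), and compares digests in constant time. The installer bytes and digests it uses are constructed stand-ins, not the real 2.15.0 artifact.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for a downloaded installer; NOT the real ZAP_2_15_0_windows.exe.
SAMPLE_INSTALLER_NAME = "installer-sample.exe"
SAMPLE_INSTALLER_BYTES = b"MZ\x90\x00 constructed installer stand-in for the hash-check example\n"


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a multi-hundred-MB installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse 'HEXDIGEST  filename' lines (sha256sum format, assumed) into {filename: digest}.

    A leading '*' on the filename (sha256sum's binary-mode marker) is dropped.
    Malformed digests raise rather than silently producing an entry that can never match.
    """
    expected: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed SHA-256 digest on line: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path: str, expected_hex: str) -> bool:
    """True only if the file's SHA-256 equals the published digest (constant-time compare)."""
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def demo() -> tuple[bool, bool]:
    """Write the constructed installer to a temp file and check it against a good and a bad digest.

    Returns (matches_published_digest, matches_tampered_digest); expected (True, False).
    """
    good_digest = hashlib.sha256(SAMPLE_INSTALLER_BYTES).hexdigest()
    # Flip the last hex digit to simulate a checksum list that does not describe this file.
    bad_digest = good_digest[:-1] + ("0" if good_digest[-1] != "0" else "1")
    checksum_text = (
        "# constructed checksum list\n"
        f"{good_digest}  {SAMPLE_INSTALLER_NAME}\n"
        f"{bad_digest}  tampered-{SAMPLE_INSTALLER_NAME}\n"
    )
    expected = parse_checksum_list(checksum_text)

    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, SAMPLE_INSTALLER_NAME)
        with open(path, "wb") as f:
            f.write(SAMPLE_INSTALLER_BYTES)
        ok = verify_download(path, expected[SAMPLE_INSTALLER_NAME])
        tampered = verify_download(path, expected["tampered-" + SAMPLE_INSTALLER_NAME])
    return ok, tampered


if __name__ == "__main__":
    matched, tampered_matched = demo()
    print("published digest matches:", matched)
    print("tampered digest matches:", tampered_matched)
```

A match tells you the file is the one the publisher hashed; it says nothing about whether that file is benign, which is why the thread's second step (per-component inspection and a VirusTotal lookup) still matters. A mismatch, on the other hand, means the download should not be run regardless of what the AV engine says.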