
Microsoft Windows Defender detects UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A #210

Open
alex-purple opened this issue Aug 8, 2024 · 12 comments
Labels: Rudi answer is needed

Comments

@alex-purple

Microsoft Windows Defender 1.417.13.0 detects UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A

@Neustradamus added the Rudi answer is needed label Aug 9, 2024
@nickcardwell

What was the outcome on this? False positive?

@Tuwase commented Aug 19, 2024

[Screenshot (14)]

@RudiDeVos (Member)

VirusTotal: 6/64 security vendors flagged this file as malicious.
UltraVNC is flagged as VNC, which indeed is a remote admin app that can be installed as an unwanted tool.

Flagged (6):
AliCloud: Backdoor[rat]:Win/UltraVNC.gen
DrWeb: Program.RemoteAdmin.952
Kaspersky: Not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen
Rising: Hacktool.UltraVNC!8.13A44 (CLOUD)
Zillya: Tool.UltraVNC.Win32.659
ZoneAlarm by Check Point: Not-a-virus:HEUR:RemoteAdmin.Win32.UltraVNC.gen

Undetected (58): Acronis (Static ML), AhnLab-V3, ALYac, Antiy-AVL, Arcabit, Avast, AVG, Avira (no cloud), Baidu, BitDefender, BitDefenderTheta, Bkav Pro, ClamAV, CMC, CrowdStrike Falcon, Cynet, Emsisoft, eScan, ESET-NOD32, Fortinet, GData, Google, Gridinsoft (no cloud), Huorong, Ikarus, Jiangmin, K7AntiVirus, K7GW, Kingsoft, Lionic, Malwarebytes, MAX, MaxSecure, Microsoft, NANO-Antivirus, Panda, QuickHeal, Sangfor Engine Zero, Skyhigh (SWG), Sophos, SUPERAntiSpyware, Symantec, TACHYON, TEHTRIS, Tencent, Trellix (ENS), Trellix (HX), TrendMicro, TrendMicro-HouseCall, Varist, VBA32, VIPRE, VirIT, ViRobot, WithSecure, Xcitium, Yandex, Zoner

@RudiDeVos (Member)

Microsoft Windows Defender 1.417.13.0 detects UltraVNC_1436_X64.msi with a Trojan:Win32/Vigorf.A
Retested with my local build and that's also flagged.
The code inside is identical to UltraVNC_1436_X64_Setup.exe or the X86 version, which are not flagged.
Let's hope they correct it; nothing we can do.

@VersusBG commented Aug 20, 2024

Include a digital certificate in the MSI installation package and submit it for a malware scan as a developer at: https://www.microsoft.com/en-us/wdsi/filesubmission

@RudiDeVos (Member)

ultravnc_1436_x64.msi
Submission ID: a84a7d8c-1cf6-413a-b59f-27b6df86e060
Status: In progress
User Opinion: Incorrect detection
Analyst comments: No analyst comment provided.

@RudiDeVos (Member)

Re-uploaded MSI files.
Signing requires different parameters for MSI files; re-uploaded with new signing parameters.
Please verify if it passes now.

@VersusBG

I also submitted the file and reported it as a false positive to MS. It's still in progress.

@RudiDeVos (Member)

Does the new MSI (new signing) still trigger the detection?

@VersusBG

It's not about creating a new MSI, which will have a different hash. It's about Microsoft not marking UltraVNC as Trojan:Win32/Vigorf.A but instead trusting your certificate and marking UltraVNC as remote admin software like TeamViewer, AnyDesk, Dameware etc. So they need to have the UltraVNC hash marked in the antivirus as legit remote admin/remote support instead of trojan. In my latest submission they approved it and now it's allowed in the new antivirus database, but this is only for the old hash.

Tree View: ultravnc_1436_x64.msi
Not malware
Cloud: Not malware
Client: No malware detected
Online: No malware detected
1.417.340.0

@VersusBG

https://uvnc.eu/download/1436/UltraVNC_1436_X64.msi
is not detected for me with MS Defender 1.417.333.0

@RudiDeVos (Member)

https://uvnc.eu/download/1436/UltraVNC_1436_X64.msi is now signed with a special MSI option; signing is now also on the container, not only the files.
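A check an administrator can run before trusting a re-signed build, as an added example that is not part of this thread or of the UltraVNC project: it reads the container signature of the MSI itself (the "signing on the container" point above), extracts the payload with an administrative install to read the per-file signatures, and then asks the local Defender engine for its verdict on both. The download path and extraction directory are assumptions; adjust them to your machine.

```powershell
# Added example (not UltraVNC project code). Assumed locations:
param(
    [string]$MsiPath    = "$env:USERPROFILE\Downloads\UltraVNC_1436_X64.msi",
    [string]$ExtractDir = "$env:TEMP\uvnc_extract"
)

# 1. Container signature: Get-AuthenticodeSignature on the .msi reads the
#    signature stored in the MSI package itself, not in the embedded files.
$container = Get-AuthenticodeSignature -FilePath $MsiPath
"Container: {0} (signer: {1})" -f $container.Status, $container.SignerCertificate.Subject

# 2. Administrative install (/a) extracts the payload to disk without performing
#    a normal installation, so the embedded binaries can be inspected.
New-Item -ItemType Directory -Path $ExtractDir -Force | Out-Null
Start-Process msiexec.exe -Wait -ArgumentList "/a `"$MsiPath`" /qn TARGETDIR=`"$ExtractDir`""

# 3. Per-file signatures of the extracted executables and libraries.
Get-ChildItem -Path $ExtractDir -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{ File = $_.Name; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } | Format-Table -AutoSize

# 4. Scan the container and the payload with the locally installed Defender
#    engine and definitions, then list any detection records that name them.
Start-MpScan -ScanType CustomScan -ScanPath $MsiPath
Start-MpScan -ScanType CustomScan -ScanPath $ExtractDir

# Map ThreatID to a readable name (e.g. Trojan:Win32/Vigorf.A) via Get-MpThreat.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object {
        ($_.Resources -match [regex]::Escape($MsiPath)) -or
        ($_.Resources -match [regex]::Escape($ExtractDir))
    } |
    Select-Object InitialDetectionTime,
                  @{ n = 'ThreatName'; e = { $names[$_.ThreatID] } },
                  @{ n = 'Resources';  e = { $_.Resources -join '; ' } }

# Record the engine/definition version the verdict was produced with, since
# the thread shows the result changing between definition versions.
Get-MpComputerStatus | Select-Object AMEngineVersion, AntivirusSignatureVersion
```

An empty detection list together with a `Valid` container status is the state the last comment describes; a detection row with the Vigorf name and an older `AntivirusSignatureVersion` reproduces the original report.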
