Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.6.0 Windows Installer ist detected as PUA:Win32/Packunwan by Windows Defender #2517

Open
lycis opened this issue Sep 26, 2024 · 4 comments

Comments

@lycis
Copy link

lycis commented Sep 26, 2024

Describe the bug
Windows Defender identifies the severe PUA:Win32/Packunwan threat for DrMemory-Windows-2.6.0.msi.

To Reproduce
Steps to reproduce the behavior:

  1. Download https://github.com/DynamoRIO/drmemory/releases/download/release_2.6.0/DrMemory-Windows-2.6.0.msi

Expected behavior
The installer should not raise red flags with Windows Defender.

Screenshots or Pasted Text
image

Versions

  • What version of Dr. Memory are you using? 2.6.0
  • Does the latest build from
    https://drmemory.org/page_download.html#sec_latest_build solve the problem? For some reason 2.6.0 gets flagged everytime, but the latest build less often.
  • What operating system version are you running on? 10.0.22631 Build 22631
  • Is your application 32-bit or 64-bit? irrelevant as I don't get that far
@lycis
Copy link
Author

lycis commented Sep 26, 2024

I checked a bit further. It seems that it is only the installer that gets flagged, not the installed application itself afterwards.

@derekbruening
Copy link
Contributor

The installer is created by WiX 3.14 and so is not directly in our control. We have seen AV products flag various installers or uninstallers in the past, through no fault of our own: xref #1608 on NSIS which is one reason we switched to WiX in #1620.

It's not clear what could be done here without further information on where this signature is exactly and whether it's possible to avoid with WiX parameters. The theory would be that some actually malicious program used a WiX-built installer as part of itself and the AV signature looks at essentially the wrong thing, the WiX installer, and now flags any WiX-built installer?

@lycis
Copy link
Author

lycis commented Oct 30, 2024

I could not reproduce this on an up to date windows. Maybe it was also something fixed in Microsoft Security. I will close this as even I cannot reproduce and no other people seem to have this issue.

@lycis lycis closed this as completed Oct 30, 2024
@nigels-com
Copy link

Same problem here just now.
Windows 10, 64-bit.

Would suggest re-opening this issue to make it bit easier to find. (I'm reassured it's a false-positive)

DrMemory

Windows

@derekbruening derekbruening reopened this Nov 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants