[Package Issue]: ZAP.ZAP detected by Microsoft Defender Antivirus as PUA #153873
Comments
I do not think this would be an issue from Winget's end since it is only a package manager which downloads ready-made files from the internet. If you were to download the same file from the website, would the same issue happen?
I agree it's not related to the winget software directly; however, it's related to a specific package distributed via the package manager's repository. Is there a better channel to address this concern? To answer the question, yes, the same issue happens when downloading the file from https://www.zaproxy.org/download.
I mean the file downloaded through winget is from GitHub itself. I would recommend trying to check for system updates; maybe this was solved with some security update release where it becomes excluded, since it is a fake detection. Let me see if I can find somewhere to report this.
Maybe look at this: https://www.microsoft.com/en-us/wdsi/filesubmission
I have confirmed that detection signatures are up to date, and the file is also detected by a few other security vendors on VirusTotal: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57 How do you conclude that this is a fake detection or false positive? If not confirmed as a false positive, I would see this as a potential supply chain attack, where a malicious file is distributed via a public package manager's repository. So correct me if I'm wrong, but such packages should not be further distributed until the case has been properly investigated.
Files are usually scanned thoroughly before being allowed to be approved and posted on winget, but it may be that it is malware (which I highly doubt). See here: https://github.com/microsoft/winget-pkgs/blob/master/SECURITY.md
Also see: zaproxy/zaproxy#8488
I would recommend creating an issue on the ZAP proxy GitHub and linking this issue so that we can keep track of this: https://github.com/zaproxy/zaproxy/issues
I will, thank you.
I'm not quite happy with how this was handled. One guy just recommended reporting it as a false positive without any justification. But maybe that's just me. Thx.
ZAP project lead here.
We are sure it is a false positive, as per zaproxy/zaproxy#8491 (comment)
@psiinon, maybe you can send an email to the address found in the docs below: https://github.com/microsoft/winget-pkgs/blob/master/SECURITY.md
@vikingnope I've just done that 😁 I'll also be writing a ZAP FAQ which will explain this situation in more detail...
I've had a response from the Microsoft Security Response Center.
@psiinon, thank you for your cooperation and swift reply. We will be closing this ticket. 🙂 @stephengillie or @ksast, can you kindly close this ticket, please?
Category of the issue
Other
Brief description of your issue
The following package upgrade command triggered an alert coming from Microsoft Defender Antivirus:
"winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
The alert is named "'Packunwan' unwanted software was prevented".
Maybe the 2.15.0 package of ZAP.ZAP is malicious.
Steps to reproduce
Try to execute the command from the description on a client that is protected by Microsoft Defender Antivirus.
Actual behavior
Defender quarantines the file ZAP_2_15_0_windows.exe as well as a tmp file.
Expected behavior
Download and install a safe package.
Environment
Screenshots and Logs
Alert story from security.microsoft.com:
`5/15/2024 11:30:35 AM
[89624] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 89624
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User domain\username
5/15/2024 11:32:31 AM
[89624] winget.exe modified file ZAP_2_15_0_windows[1].exe
Modified file sha1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:31 AM
[89624] winget.exe moved file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Source file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
Destination file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:54 AM
winget.exe interacted with file ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:33:50 AM
winget.exe interacted with file 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
Content SHA256 55e6d3ea0d358feb32345df49bab87b8874d06b831b4294e30f06eb8934b3786
5/16/2024 11:30:34 AM
[83880] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 83880
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User DOMAIN\username
5/16/2024 11:30:55 AM
winget.exe interacted with file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
4/19/2024 7:59:49 AM
[28972] svchost.exe -k NetworkService -p
Command line svchost.exe -k NetworkService -p
Process id 28972
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\NETWORK SERVICE
5/15/2024 11:32:04 AM
svchost.exe interacted with file DO1F51.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:18:51 PM
[912] smss.exe
Process id 912
Execution details Elevated
Image file path smss.exe
5/16/2024 3:19:07 PM
[1176] wininit.exe
Process id 1176
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\wininit.exe
Image file SHA1 00596f96607680a6e9a6c488e0ef9e862c335e31
Image file creation time Dec 19, 2023 10:09:51 PM
Image file last modification time Dec 19, 2023 10:09:51 PM
PE metadata wininit.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:19:07 PM
[1248] services.exe
Process id 1248
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\services.exe
Image file SHA1 b8cc4e83947902bf5fc7df00cad906ca6ddd5627
Image file creation time Nov 22, 2023 7:38:02 AM
Image file last modification time Nov 22, 2023 7:38:02 AM
PE metadata services.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:19:08 PM
[3240] svchost.exe -k netsvcs -p -s Schedule
Command line svchost.exe -k netsvcs -p -s Schedule
Process id 3240
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:25:01 PM
[9956] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 9956
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User DOMAIN\username
5/16/2024 3:26:52 PM
[9956] winget.exe modified file ZAP_2_15_0_windows[1].exe
Modified file sha1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:26:52 PM
[9956] winget.exe moved file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Source file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Is PE True
Creation time May 16, 2024 3:25:03 PM
Last modified time May 16, 2024 3:26:52 PM
Mark of the web zone identifier Trusted sites
Is run time packed True
Destination file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:27:15 PM
winget.exe interacted with file ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:28:02 PM
winget.exe interacted with file 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:21:23 PM
[3796] svchost.exe -k NetworkService -p
Command line svchost.exe -k NetworkService -p
Process id 3796
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\NETWORK SERVICE
5/16/2024 3:26:27 PM
svchost.exe interacted with file DOC986.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DOC986.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DOC986.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
Additional related files
5/15/2024 11:32:04 AM
DO1F51.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:54 AM
ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 11:30:55 AM
ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:26:27 PM
DOC986.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DOC986.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DOC986.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:27:15 PM
ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:28:02 PM
28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
`
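Added example, not part of this issue or of the ZAP or winget projects: a small Python triage script that parses the Defender alert story above (a constructed excerpt using the field layout and hashes shown on the page) and answers the questions raised in the thread from a responder's side: how many distinct artifacts Defender actually flagged, which of them were quarantined rather than only detected, and whether the SHA256 that winget staged the download under matches the package manifest's InstallerSha256. It assumes that winget names the staged file after the manifest hash, as the paths above suggest, and MANIFEST_SHA256 is taken from the VirusTotal link on the page rather than read from the manifest itself.

```python
import re

# Constructed excerpt of the Defender alert story on this page (hashes copied from it).
ALERT_STORY = r"""
5/15/2024 11:32:31 AM
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Source file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
5/15/2024 11:32:04 AM
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
"""
# Assumed InstallerSha256 of the ZAP.ZAP 2.15.0 manifest: copied from the VirusTotal
# link and staging path on the page, not read from winget-pkgs; verify it there.
MANIFEST_SHA256 = "28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57"

TIMESTAMP_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
SHA1_RE = re.compile(r"^(?:Modified file )?sha1 ([0-9a-f]{40})$", re.I)
PATH_RE = re.compile(r"^(?:Source file path|Destination file path|Path) (.+)$")
REMED_RE = re.compile(r"^Remediation details Defender detected (and quarantined )?"
                      r"'([^']+)' in file '([^']+)'")
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")

def parse_alert_story(text):
    """One record per timestamped block that ends in a remediation line."""
    events, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if TIMESTAMP_RE.match(line):
            cur = {"time": line, "sha1": None, "paths": [], "threat": None}
            events.append(cur)
        elif cur is None or not line:
            continue
        elif m := SHA1_RE.match(line):
            cur["sha1"] = m.group(1).lower()
        elif m := PATH_RE.match(line):
            cur["paths"].append(m.group(1))
        elif m := REMED_RE.match(line):
            cur["quarantined"] = m.group(1) is not None
            cur["threat"], cur["file"] = m.group(2), m.group(3)
    return [e for e in events if e["threat"]]

def triage(events, manifest_sha256):
    """Reduce the events to the facts needed before calling it a false positive or not."""
    staged = {m.group(0).lower() for e in events for p in e["paths"]
              if (m := SHA256_RE.search(p))}
    return {
        "threats": sorted({e["threat"] for e in events}),
        "distinct_sha1": len({e["sha1"] for e in events}),  # 1 = one artifact under many names
        "staged_sha256": sorted(staged),  # hash winget named the staged download after
        "matches_manifest": staged == {manifest_sha256.lower()},
        "quarantined": sum(e.get("quarantined", False) for e in events),
    }
```

A mismatch between the staged hash and the manifest, or more than one distinct SHA1 across the events, is the signal that the downloaded artifact is not the one the repository published and that the supply-chain question in the thread needs a real investigation; a single artifact with a matching hash narrows the question to whether the published installer itself trips the signature.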