[Package Issue]: ZAP.ZAP detected by Microsoft Defender Antivirus as PUA #153873

Closed
2 tasks done
ksast opened this issue May 16, 2024 · 17 comments
Labels
Area-External Issue-Bug It either shouldn't be doing this or needs an investigation.

Comments

@ksast

ksast commented May 16, 2024

Please confirm these before moving forward

  • I have searched for my issue and not found a work-in-progress/duplicate/resolved issue.
  • I have not been informed if the issue is resolved in a preview version of the winget client.

Category of the issue

Other

Brief description of your issue

The following package upgrade command triggered an alert coming from Microsoft Defender Antivirus:
"winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log

The alert is named "'Packunwan' unwanted software was prevented".
Maybe the 2.15.0 package of ZAP.ZAP is malicious.

Steps to reproduce

Try to execute the command from the description on a client that is protected by Microsoft Defender Antivirus.

Actual behavior

Defender quarantines the file ZAP_2_15_0_windows.exe as well as a tmp file.

Expected behavior

Download and install a safe package.

Environment

Windows Package Manager v1.7.11261
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.22621.3447
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.22.11261.0

Winget Directories
-----------------------------------------------------------------------------------------------------------------------
Logs                               %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\Diag…
User Settings                      %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\sett…
Portable Links Directory (User)    %LOCALAPPDATA%\Microsoft\WinGet\Links
Portable Links Directory (Machine) C:\Program Files\WinGet\Links
Portable Package Root (User)       %LOCALAPPDATA%\Microsoft\WinGet\Packages
Portable Package Root              C:\Program Files\WinGet\Packages
Portable Package Root (x86)        C:\Program Files (x86)\WinGet\Packages
Installer Downloads                %USERPROFILE%\Downloads

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

Admin Setting                             State
--------------------------------------------------
LocalManifestFiles                        Disabled
BypassCertificatePinningForMicrosoftStore Disabled
InstallerHashOverride                     Disabled
LocalArchiveMalwareScanOverride           Disabled

Screenshots and Logs

Alert story from security.microsoft.com:
`5/15/2024 11:30:35 AM
[89624] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 89624
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User domain\username
5/15/2024 11:32:31 AM
[89624] winget.exe modified file ZAP_2_15_0_windows[1].exe
Modified file sha1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:31 AM
[89624] winget.exe moved file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Source file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
Destination file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:54 AM
winget.exe interacted with file ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:33:50 AM
winget.exe interacted with file 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
Content SHA256 55e6d3ea0d358feb32345df49bab87b8874d06b831b4294e30f06eb8934b3786
5/16/2024 11:30:34 AM
[83880] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 83880
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User DOMAIN\username
5/16/2024 11:30:55 AM
winget.exe interacted with file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
4/19/2024 7:59:49 AM
[28972] svchost.exe -k NetworkService -p
Command line svchost.exe -k NetworkService -p
Process id 28972
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\NETWORK SERVICE
5/15/2024 11:32:04 AM
svchost.exe interacted with file DO1F51.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:18:51 PM
[912] smss.exe
Process id 912
Execution details Elevated
Image file path smss.exe
5/16/2024 3:19:07 PM
[1176] wininit.exe
Process id 1176
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\wininit.exe
Image file SHA1 00596f96607680a6e9a6c488e0ef9e862c335e31
Image file creation time Dec 19, 2023 10:09:51 PM
Image file last modification time Dec 19, 2023 10:09:51 PM
PE metadata wininit.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:19:07 PM
[1248] services.exe
Process id 1248
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\services.exe
Image file SHA1 b8cc4e83947902bf5fc7df00cad906ca6ddd5627
Image file creation time Nov 22, 2023 7:38:02 AM
Image file last modification time Nov 22, 2023 7:38:02 AM
PE metadata services.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:19:08 PM
[3240] svchost.exe -k netsvcs -p -s Schedule
Command line svchost.exe -k netsvcs -p -s Schedule
Process id 3240
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\SYSTEM
5/16/2024 3:25:01 PM
[9956] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Command line "winget.exe" upgrade -e ZAP.ZAP --version 2.15.0 --silent --accept-package-agreements --accept-source-agreements --log C:\path\to\logfile.log
Process id 9956
Execution details Token elevation: Full, Integrity level: High
Image file path C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.22.11261.0_x64__8wekyb3d8bbwe\winget.exe
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
Image file creation time May 8, 2024 9:14:22 AM
Image file last modification time May 8, 2024 9:14:25 AM
PE metadata winget.exe
User DOMAIN\username
5/16/2024 3:26:52 PM
[9956] winget.exe modified file ZAP_2_15_0_windows[1].exe
Modified file sha1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:26:52 PM
[9956] winget.exe moved file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Source file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Is PE True
Creation time May 16, 2024 3:25:03 PM
Last modified time May 16, 2024 3:26:52 PM
Mark of the web zone identifier Trusted sites
Is run time packed True
Destination file path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:27:15 PM
winget.exe interacted with file ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:28:02 PM
winget.exe interacted with file 28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:21:23 PM
[3796] svchost.exe -k NetworkService -p
Command line svchost.exe -k NetworkService -p
Process id 3796
Execution details Token elevation: Default, Integrity level: System
Image file path C:\Windows\System32\svchost.exe
Image file SHA1 3f64c98f22da277a07cab248c44c56eedb796a81
Image file creation time May 7, 2022 7:19:30 AM
Image file last modification time May 7, 2022 7:19:30 AM
PE metadata svchost.exe
User NT AUTHORITY\NETWORK SERVICE
5/16/2024 3:26:27 PM
svchost.exe interacted with file DOC986.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DOC986.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DOC986.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
Additional related files

5/15/2024 11:32:04 AM
DO1F51.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/15/2024 11:32:54 AM
ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\4XO3SQZ5\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:32:00 AM
Last modified time May 15, 2024 11:32:31 AM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 11:30:55 AM
ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\ZAP_2_15_0_windows.exe
Size 227 MB
Is PE True
Creation time May 15, 2024 11:30:36 AM
Last modified time May 15, 2024 11:32:31 AM
Mark of the web zone identifier Trusted sites
Is run time packed True
PE metadata ZAP_2_15_0_windows.exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:26:27 PM
DOC986.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DOC986.tmp
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DOC986.tmp', during attempted creation by 'svchost.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:27:15 PM
ZAP_2_15_0_windows[1].exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\AC\INetCache\D0MRUZQ4\ZAP_2_15_0_windows[1].exe
Size 227 MB
Is PE True
Creation time May 16, 2024 3:26:23 PM
Last modified time May 16, 2024 3:26:52 PM
Is run time packed True
PE metadata ZAP_2_15_0_windows[1].exe
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
5/16/2024 3:28:02 PM
28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57
Size 227 MB
Remediation details Defender detected 'PUA:Win32/Packunwan' in file '28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57', during attempted creation by 'winget.exe'
'Packunwan' unwanted software was detected New Detected Informational
`
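A triage aid for an alert story like the one above, as an added example that is not part of the original post: it groups the Defender detections by file SHA1 to show how many distinct artifacts the alerts actually cover. The sample input is constructed by abridging four entries from the alert story; the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: entries abridged from the alert story in the post above.
SAMPLE = r"""5/16/2024 11:30:34 AM
[83880] winget.exe upgrade -e ZAP.ZAP --version 2.15.0 --silent
Image file SHA1 b847d7a8a8b80bc95892b8e644c574209cb1f95b
5/15/2024 11:32:04 AM
svchost.exe interacted with file DO1F51.tmp
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Path C:\Users\username\AppData\Local\Temp\WinGet\ZAP.ZAP.2.15.0\DO1F51.tmp
Remediation details Defender detected 'PUA:Win32/Packunwan' in file 'DO1F51.tmp', during attempted creation by 'svchost.exe'
5/15/2024 11:32:31 AM
[89624] winget.exe modified file ZAP_2_15_0_windows[1].exe
Modified file sha1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows[1].exe', preventing attempted creation by 'winget.exe'
5/15/2024 11:32:31 AM
[89624] winget.exe moved file ZAP_2_15_0_windows.exe
SHA1 61bb04d5af2b928491215ce990ebc46dd8b3bb3d
Remediation details Defender detected and quarantined 'PUA:Win32/Packunwan' in file 'ZAP_2_15_0_windows.exe', preventing attempted open by 'winget.exe'
"""

TIMESTAMP = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M$")
# Only the hash of the touched file; "Image file SHA1" (the acting process) is skipped.
FILE_SHA1 = re.compile(r"^(?:SHA1|Modified file sha1) ([0-9a-f]{40})$", re.I)
DETECTION = re.compile(
    r"^Remediation details Defender detected(?P<q> and quarantined)? "
    r"'(?P<threat>[^']+)' in file '(?P<file>[^']+)'.*by '(?P<actor>[^']+)'$"
)


def parse_detections(text):
    """Split the story on timestamp lines and keep entries that carry a detection."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if TIMESTAMP.match(line):
            cur = {"time": line, "sha1": None}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = FILE_SHA1.match(line)
        if m:
            cur["sha1"] = m.group(1).lower()
        m = DETECTION.match(line)
        if m:
            cur.update(threat=m["threat"], file=m["file"], actor=m["actor"],
                       quarantined=bool(m["q"]))
    return [e for e in entries if "threat" in e]


def group_by_sha1(detections):
    """Collapse alerts so that each distinct file hash appears once."""
    groups = defaultdict(lambda: {"alerts": 0, "threats": set(),
                                  "files": set(), "actors": set()})
    for d in detections:
        g = groups[d["sha1"]]
        g["alerts"] += 1
        g["threats"].add(d["threat"])
        g["files"].add(d["file"])
        g["actors"].add(d["actor"])
    return dict(groups)


if __name__ == "__main__":
    for sha1, g in group_by_sha1(parse_detections(SAMPLE)).items():
        print(sha1, g["alerts"], sorted(g["files"]), sorted(g["threats"]))
```

On the sample, the three detections collapse to a single SHA1 seen under three file names, which is the hash to compare against the package manifest and the upstream release when judging whether the download was altered.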

@ksast ksast added the Issue-Bug It either shouldn't be doing this or needs an investigation. label May 16, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs-Triage This work item needs to be triaged by a member of the core team. label May 16, 2024
@vikingnope
Contributor

vikingnope commented May 16, 2024

I do not think this would be an issue from Winget's end since it is only a package manager which downloads ready-made files from the internet. If you were to download the same file from the website, would the same issue happen?

@ksast
Author

ksast commented May 16, 2024

> I do not think this would be an issue from Winget's end since it is only a package manager which downloads ready-made files from the internet. If you were to download the same file from the website, would the same issue happen?

I agree it's not related to the winget software directly, however it's related to a specific package distributed via the package manager's repository. Is there a better channel to address this concern?

To answer the question, yes the same issue happens when downloading the file from https://www.zaproxy.org/download.

@vikingnope
Contributor

vikingnope commented May 16, 2024

I mean the file downloaded through winget is from GitHub itself

https://github.com/microsoft/winget-pkgs/blob/master/manifests/z/ZAP/ZAP/2.15.0/ZAP.ZAP.installer.yaml

I would recommend trying to check for system updates, maybe this was solved with some security update releases where it becomes excluded since it is a fake detection

Let me see if I can find somewhere to report this

@vikingnope
Contributor

vikingnope commented May 16, 2024

Maybe look at this: https://www.microsoft.com/en-us/wdsi/filesubmission

@ksast
Author

ksast commented May 16, 2024

> I mean the file downloaded through winget is from GitHub itself
>
> https://github.com/microsoft/winget-pkgs/blob/master/manifests/z/ZAP/ZAP/2.15.0/ZAP.ZAP.installer.yaml
>
> I would recommend trying to check for system updates, maybe this was solved with some security update releases where it becomes excluded since it is a fake detection
>
> Let me see if I can find somewhere to report this

I have confirmed that detection signatures are up to date and the file is also detected by a few other security vendors on VirusTotal: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57

How do you conclude that this is a fake detection or false positive?

If not confirmed as a false positive, I would see this as a potential supply chain attack, where a malicious file is distributed via a public package manager's repository. So correct me if I'm wrong, but such packages should not be further distributed until the case has been properly investigated.

@vikingnope
Contributor

vikingnope commented May 16, 2024

Files are usually scanned thoroughly before being approved and posted on winget, but it may be that it is malware (which I highly doubt).

See here: https://github.com/microsoft/winget-pkgs/blob/master/SECURITY.md

@vikingnope
Contributor

Also see: zaproxy/zaproxy#8488

@vikingnope
Contributor

vikingnope commented May 16, 2024

I would recommend creating an issue on the zap proxy GitHub and linking this issue so that we can keep track of this: https://github.com/zaproxy/zaproxy/issues

@ksast
Author

ksast commented May 16, 2024

> I would recommend creating an issue on the zap proxy GitHub and linking this issue so that we can keep track of this: https://github.com/zaproxy/zaproxy/issues

I will, thank you.

> Also see: zaproxy/zaproxy#8488

I'm not quite happy with how this was handled. One guy just recommended reporting it as a false positive without any justification. But maybe that's just me. Thx.

@psiinon
Contributor

psiinon commented May 16, 2024

ZAP project lead here.
We do think this is very likely to be a false positive, but we are doing due diligence.

@psiinon
Contributor

psiinon commented May 16, 2024

We are sure it is a false positive, as per zaproxy/zaproxy#8491 (comment).
But if anyone has any other evidence we can look at, or any contacts at the Microsoft Defender team, then please let me know.

@vikingnope
Contributor

@psiinon, maybe you can send an email to the email address found in the docs below:

https://github.com/microsoft/winget-pkgs/blob/master/SECURITY.md

@psiinon
Contributor

psiinon commented May 17, 2024

@vikingnope I've just done that 😁 I'll also be writing a ZAP FAQ which will explain this situation in more detail...

@psiinon
Contributor

psiinon commented May 17, 2024

New ZAP FAQ: https://www.zaproxy.org/faq/why-does-my-antivirus-tool-flag-zap/

@stephengillie stephengillie removed the Needs-Triage This work item needs to be triaged by a member of the core team. label May 17, 2024
@mdanish-kh
Contributor

[Policy] Area-External

@psiinon
Contributor

psiinon commented May 21, 2024

I've had a response from the Microsoft Security Response Center.
They have confirmed it is a False Positive and that they have rolled out a fix.
I think this issue can be closed now?

@vikingnope
Contributor

> I've had a response from the Microsoft Security Response Center.
> They have confirmed it is a False Positive and that they have rolled out a fix.
> I think this issue can be closed now?

@psiinon, thank you for your cooperation and swift reply. We will be closing this ticket. 🙂

@stephengillie or @ksast can you kindly close this ticket, please.

@ksast ksast closed this as completed May 21, 2024