Dolphin, the GameCube and Wii emulator - Forums › Dolphin Site › Site Feedback and Questions

Windows Defender False Alert
#1 Shonumi (Administrators, Linux User/Tester), 10-18-2019, 11:58 AM

We have been receiving a lot of reports about Windows Defender falsely detecting our updater as malware. As soon as the first reports rolled in, we (and many of the users affected) immediately reported the false detection to Microsoft, and it appeared that the problem was resolved very promptly. We were confident that once the updated Windows Defender definitions spread, the false detection issue would be over. Unfortunately that didn't happen. User reports of the false detection have continued to pour in despite us having difficulty reproducing it, so we decided to take a deeper look at the issue.

The detection name Windows Defender gives is always Trojan:Win32/Azden.A!cl. Azden.A is a generic label for auto-updating behavior detection, nothing unusual there, but !cl signifies that the detection is from their machine learning based cloud services. Errors in machine learning aren't really something one fixes as much as encourages toward the correct answer, so Microsoft can't simply stop the false detection. As a workaround Microsoft has been whitelisting every development build that is reported, but any time there is a new development build, or an old development build now (all dev builds with the updater are now affected), machine learning will flag it as a trojan and spread that alert through the cloud. That is why it is so prolific; local definitions don't even matter. This also made it very challenging for us to diagnose. A user will encounter a false detection on a new or old build, report that false detection to Microsoft, and then tell us. By the time we receive it and give it a try, Microsoft will have already whitelisted that build, and we can't reproduce it. That's why we haven't been talking about this issue up until now; even though users kept reporting it to us, every time we tried it, it seemed resolved.

We are investigating some options on our end that may make the whitelisting last longer, but this is pretty much entirely out of our control. Hopefully enough user reports can make Windows Defender's AI realize that Dolphin's updater is not a threat. Please continue to report the false detections to Microsoft and hopefully their issue will resolve itself.

For reference, here is the discussion on Twitter: https://twitter.com/Dolphin_Emu/status/1184971556264374272
#2 thadhouse (Unregistered), 11-07-2019, 05:58 PM

(10-18-2019, 11:58 AM)Shonumi Wrote: We have been receiving a lot of reports about Windows Defender falsely detecting our updater as malware. As soon as the first reports rolled in, we (and many of the users affected) immediately reported the false detection to Microsoft, and it appeared that the problem was resolved very promptly. We were confident that once the updated Windows Defender definitions spread, the false detection issue would be over. Unfortunately that didn't happen. User reports of the false detection have continued to pour in despite us having difficulty reproducing it, so we decided to take a deeper look at the issue.

Based on the October project report, is the Microsoft algorithm really just checking the hash of the executable file itself? If so, I've run into that issue in the past with other projects, and found an interesting trick to fix it, especially if a specific executable can be whitelisted. Basically, take the current executable, change it to a shared library, rename main, and only export that new function from the DLL. Then, build a new executable that isn't directly linked to the shared library, but instead uses LoadLibrary and GetProcAddress to directly call the main function. By doing this, the dependency on the rest of the project is removed from the actual executable, which then should be able to be cached without issue. It becomes a total of ~10 lines of code, small enough to almost be stored in binary form if necessary, since it never should need to be updated.
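The launcher stub thadhouse describes, written out as an added example (this is not thadhouse's code and not Dolphin's): the real program is built as a shared library that exports a single entry point, and the executable only locates that library, loads it and calls through. The names are assumptions: `DolphinCore.dll` / `libdolphincore.so` and the export `dolphin_main` are placeholders, as is the error-code scheme. Whether a stub like this actually keeps a cloud ML verdict stable is not settled anywhere in this thread; what the example does show is the mechanics, plus the one thing such a stub must get right: a bare `LoadLibrary("DolphinCore.dll")` walks the normal DLL search order (application directory, then current directory and PATH in the legacy order), which turns a tiny, never-updated launcher into a DLL search-order hijacking target. The stub below therefore resolves the library by absolute path next to the executable and restricts where the library's own dependencies may be found.

```c
/*
 * Thin launcher stub (added example, not Dolphin's code): the real program
 * lives in a shared library exporting one entry point; this executable only
 * locates that library beside itself, loads it by absolute path and calls
 * the exported function.
 *
 * Assumed names (placeholders, not Dolphin's): "DolphinCore.dll" on Windows,
 * "libdolphincore.so" on POSIX, exported symbol "dolphin_main".
 */
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <dlfcn.h>
#endif

typedef int (*entry_fn)(int argc, char **argv);

/* Negative codes are reserved for launcher failures so they never collide
 * with a normal exit status coming back from the library's entry point. */
enum { LOAD_ERR_PATH = -1, LOAD_ERR_LIBRARY = -2, LOAD_ERR_SYMBOL = -3 };

#ifdef _WIN32
#define CORE_LIBRARY "DolphinCore.dll"
#else
#define CORE_LIBRARY "libdolphincore.so"
#endif
#define CORE_ENTRY "dolphin_main"

/* Write "<directory of exe_path><libname>" into out. Both '/' and '\\' are
 * accepted as separators so the same logic serves Windows and POSIX paths.
 * Returns 0 on success, LOAD_ERR_PATH if the result would not fit in out. */
int module_path_beside(const char *exe_path, const char *libname,
                       char *out, size_t outlen)
{
    const char *fwd = strrchr(exe_path, '/');
    const char *back = strrchr(exe_path, '\\');
    const char *sep = (back && (!fwd || back > fwd)) ? back : fwd;
    size_t dirlen = sep ? (size_t)(sep - exe_path) + 1 : 0;

    if (dirlen + strlen(libname) + 1 > outlen)
        return LOAD_ERR_PATH;
    memcpy(out, exe_path, dirlen);
    strcpy(out + dirlen, libname);
    return 0;
}

/* Load lib_path, resolve symbol and run it with argc/argv. Returns the entry
 * point's own return value, or a negative LOAD_ERR_* code if loading failed. */
int run_exported_main(const char *lib_path, const char *symbol,
                      int argc, char **argv)
{
#ifdef _WIN32
    /* Absolute path + LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR | ..._SYSTEM32: the DLL
     * and its own dependencies resolve from the DLL's directory and System32
     * only, never from the current directory or PATH, which closes the
     * search-order hijack a launcher like this would otherwise open. */
    HMODULE h = LoadLibraryExA(lib_path, NULL,
                               LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR |
                               LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (!h)
        return LOAD_ERR_LIBRARY;
    entry_fn entry = (entry_fn)GetProcAddress(h, symbol);
    if (!entry) {
        FreeLibrary(h);
        return LOAD_ERR_SYMBOL;
    }
    return entry(argc, argv);
#else
    /* POSIX equivalent so the stub also builds and runs on Linux/macOS. */
    void *h = dlopen(lib_path, RTLD_NOW | RTLD_LOCAL);
    if (!h)
        return LOAD_ERR_LIBRARY;
    entry_fn entry = (entry_fn)dlsym(h, symbol);
    if (!entry) {
        dlclose(h);
        return LOAD_ERR_SYMBOL;
    }
    return entry(argc, argv);
#endif
}

int main(int argc, char **argv)
{
    char exe[4096];
    char lib[4096];
#ifdef _WIN32
    /* Ask the loader for the real executable path; argv[0] may be relative. */
    if (GetModuleFileNameA(NULL, exe, sizeof exe) == 0)
        return LOAD_ERR_PATH;
#else
    strncpy(exe, argv[0], sizeof exe - 1);
    exe[sizeof exe - 1] = '\0';
#endif
    if (module_path_beside(exe, CORE_LIBRARY, lib, sizeof lib) != 0)
        return LOAD_ERR_PATH;
    int rc = run_exported_main(lib, CORE_ENTRY, argc, argv);
    if (rc < 0)
        fprintf(stderr, "launcher: could not start %s (code %d)\n", lib, rc);
    return rc;
}
```

The library side is the old program with `main` renamed to `dolphin_main` and exported (`__declspec(dllexport)` or a .def file on Windows, default visibility on POSIX); the launcher is not linked against it, so its import table carries only the system libraries. Build the stub on Windows with MSVC or MinGW, on POSIX with `cc launcher.c -ldl`. The `LOAD_LIBRARY_SEARCH_*` flags need Windows 8 or later, or Windows 7 with KB2533623 installed; on a system without them `LoadLibraryExA` fails with ERROR_INVALID_PARAMETER rather than silently falling back to the unsafe search order.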