Proxmark3 community

Research, development and trades concerning the powerful Proxmark3 device.

Remember: sharing is caring. Bring something back to the community.


"Learn the tools of the trade the hard way." +Fravia


#1 2020-08-18 17:18:31

Appellus
Contributor
Registered: 2020-08-17
Posts: 8

Windows Virus and Threat Protection Overactive

Whenever I start the runme64.bat for either the official or Iceman repo, my Windows Defender freaks out and starts showing me the notification that my "Administrator requires a security scan of this item" (see the screenshot below). I don't quite understand this, as I am the administrator of my system. The only feasible thing I can think of is that, since I am connected to a University Campus Wifi, they are considered administrators? I've also included a link to the Event Viewer log of it, from which I can see it checks close to 15 files, then the runme finishes and executes as normal. All the files being checked reside inside the "D:\Proxmark\Iceman\msys2\usr\bin\msys" folder, which you can see from the example Event Viewer log. I can solve this by turning off my Windows Defender, which is possible, but I'd like to figure out why these files are causing issues in the first place.

[screenshot: Defender Notification]

[screenshot: Event Viewer log]


#2 2020-08-18 23:23:13

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Windows Virus and Threat Protection Overactive

Did the university require you to install/configure anything to do with "security" in order to gain access to their network?
First time I have heard of this. The only thing that comes to mind is some setting which requires exe/dll outside of core locations.
Has this just started to happen, or did it do it from day one of the ProxSpace install?


#3 2020-08-18 23:52:46

Appellus
Contributor
Registered: 2020-08-17
Posts: 8

Re: Windows Virus and Threat Protection Overactive

No installation of any security stuff that I can remember is required to access their network; it's just a regular WPA2 Enterprise network. It only cropped up last night, and it happens in both of my ProxSpace install areas (I have one for the Iceman repo and one for the official repo). Could the double install have something to do with it, or would the issue lie elsewhere?


#4 2020-08-19 01:05:56

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Windows Virus and Threat Protection Overactive

It only happened last night... Windows Update?
I am wondering if Windows is pushing some change.
I would not think a multi-install of ProxSpace could cause it.


#5 2020-08-19 04:03:23

Appellus
Contributor
Registered: 2020-08-17
Posts: 8

Re: Windows Virus and Threat Protection Overactive

The most recent Windows Updates from last night are three security updates, all for Microsoft Defender, so it is possible I guess, although I didn't look at the specifics of these security updates.

[screenshot: Updates]

Last edited by Appellus (2020-08-19 04:04:02)


#6 2020-08-20 23:06:40

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: Windows Virus and Threat Protection Overactive

I think after compilation you got a miner inside: the ProxSpace compilation process replaces the DNS with a custom one (all the GPG keys have been added to the ignore list) and injects its code into the compilation source. You won't find the miner code in the RRG repository.

After compilation proxmark.exe loads two CPU cores to 100%.

The R&D team is trying to hide this fact, be careful!


#7 2020-08-20 23:10:34

iceman
Administrator
Registered: 2013-04-25
Posts: 9,497

Re: Windows Virus and Threat Protection Overactive

You are already considered persona non grata everywhere. You will earn a ban.


#8 2020-08-20 23:48:00

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: Windows Virus and Threat Protection Overactive

iceman wrote:

You are already considered persona non grata everywhere. You will earn a ban.

Yeah, persona non grata from European people is a new trend; even on TV they are talking about it every day. Like the LGBT O_o.

But by the way, can you prove or disprove my guess about a miner? I am not saying "Hey, the RRG team has a miner in its code", no, it has none. But ProxSpace is dangerous and requires a very deep check.

This topic is proof that it is dangerous to use your products.


#9 2020-08-20 23:55:31

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: Windows Virus and Threat Protection Overactive

You don't even have an SSL cert on the forum; all the traffic can be sniffed, which is dangerous for members.


#10 2020-08-21 00:22:13

mwalker
Moderator
Registered: 2019-05-11
Posts: 318

Re: Windows Virus and Threat Protection Overactive

"...But by the way, can you prove or disprove my guess about a miner?..."
Outside of the fact that it's just a guess? So far all evidence presented is that Defender wanted to scan and submitted for checking. Miners are not new, and I would expect Defender to know if it was a miner, or other common things.

Based on what has been presented, this looks more likely to be something that Defender thinks MAY be unwanted. We need to work out why it thinks that.

2nd point.
Assuming (and not yet proven) that it is a bad file, we need to then work out where it came from, not guess.
If it's found to be valid and clean, then we need to work out why MS Defender is thinking this. Given that it's a mini "OS" to allow the Linux-based tools to run under Windows, I can think of many reasons you may flag some of these DLLs. It's just that I have not seen it. I am running the latest version of Windows (fully updated 2 days ago), it has Defender running, and I have no issue. I can even force a scan of the same DLL and no issue, which would indicate that my files from the ProxSpace install are OK.

@Appellus
Can you post the file path and name as well as the file size for the DLLs being flagged?
You might also think about submitting some of the files to an online malware/virus checking service and see if it reports anything.


#11 2020-08-21 01:00:20

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: Windows Virus and Threat Protection Overactive

Yes, this is the conclusion from many facts.


#12 2020-08-21 01:56:16

gator96100
Contributor
From: Austria
Registered: 2016-03-25
Posts: 177

Re: Windows Virus and Threat Protection Overactive

Could it be that Windows Defender tries to upload the file for checking and fails to upload due to the campus firewall, so Windows Defender tries again and again?

Offtopic:

Winds wrote:

I think after compilation you got a miner inside, the ProxSpace in compilation process has replace the DNS to custom(the all GPG keys are had added to ignore list)....

ProxSpace does use the official Msys2 keys. Please read: https://www.msys2.org/news/#2020-06-29-new-packagers

Last edited by gator96100 (2020-08-21 02:01:01)


#13 2020-08-21 15:22:25

Appellus
Contributor
Registered: 2020-08-17
Posts: 8

Re: Windows Virus and Threat Protection Overactive

@mwalker I did just that, although my system seems to vary in which ones it's going to flag and from which repository. For instance, I ran the "runme64.bat" from both my Iceman and official repo and only had two files flagged:

Filename: D:\Proxmark\Official\msys2\usr\bin\msys-lzo2-2.dll
Filename: D:\Proxmark\Official\msys2\usr\bin\msys-ksba-8.dll

Both of which I ran through VirusTotal and they came back with no threats. I guess my Windows Defender is slowly working through the repositories every time I start up and is reaching the end of them now?
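
The checks asked for in #10 (file path, name, size, a third-party scan) together with the "work out where it came from" question, and the failed-sample-upload hypothesis from #12, done from one script. This is an added example, not part of the thread and not ProxSpace's or the Proxmark3 project's own tooling. It assumes the install path quoted in this thread, the standard msys2 layout (bash.exe under msys2\usr\bin with pacman available inside it) and the standard Defender operational log name; run it from an elevated PowerShell prompt on the affected machine. The useful signal is step 3: a DLL that pacman does not own, or that fails `pacman -Qkk` against the package's recorded file properties, is worth a closer look, while a clean result means the file is what the signed msys2 package shipped.

```powershell
# Added example (not from the thread or the ProxSpace project): triage a Defender
# "requires a security scan" notice on a ProxSpace install without disabling Defender.
# Assumptions: $ProxSpaceRoot is the install from the thread, msys2 sits at
# <root>\msys2 with bash.exe in usr\bin, and Defender logs to the standard channel.

param(
    [string]$ProxSpaceRoot = 'D:\Proxmark\Official',   # path from the thread
    [int]$Hours = 24
)

$Msys2Root = Join-Path $ProxSpaceRoot 'msys2'
$Bash      = Join-Path $Msys2Root 'usr\bin\bash.exe'
$LogName   = 'Microsoft-Windows-Windows Defender/Operational'

# 1. Recent Defender events that mention the ProxSpace tree. Matching on message text
#    rather than on event IDs keeps this independent of which of Defender's many IDs
#    (detection, action, sample submission, ...) carried the path.
$since  = (Get-Date).AddHours(-$Hours)
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like "*$ProxSpaceRoot*" })

"Defender events referencing $ProxSpaceRoot in the last $Hours h: $($events.Count)"
$events | Select-Object TimeCreated, Id,
    @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } | Format-Table -AutoSize

# 2. Recover the file paths Defender named so they can be hashed and checked.
$flagged = $events |
    ForEach-Object { [regex]::Matches($_.Message, '[A-Za-z]:\\[^\s"]+\.(?:dll|exe)') } |
    ForEach-Object { $_.Value } | Sort-Object -Unique

# 3. For each flagged file: size and SHA-256 (what you would compare against a second
#    install or submit to an online scanner), the msys2 package that owns it, and a
#    pacman -Qkk check of that package against its recorded file properties.
foreach ($path in $flagged) {
    if (-not (Test-Path $path)) { "$path : not present"; continue }
    $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
    $size = (Get-Item $path).Length

    if ($path.StartsWith($Msys2Root, [System.StringComparison]::OrdinalIgnoreCase)) {
        # D:\...\msys2\usr\bin\x.dll  ->  /usr/bin/x.dll, the path pacman knows.
        $posix = '/' + ($path.Substring($Msys2Root.Length).TrimStart('\') -replace '\\', '/')
        $owner = (& $Bash -lc "pacman -Qo '$posix' 2>&1") -join ' '
        $pkg   = if ($owner -match 'is owned by (\S+)') { $Matches[1] } else { $null }
        if ($pkg) {
            # -Qkk prints "<pkg>: N total files, M altered files" plus a warning per altered file.
            $check = @(& $Bash -lc "pacman -Qkk $pkg 2>&1 | grep -v ' 0 altered files'")
            $check = if ($check.Count -eq 0) { 'OK (0 altered files)' } else { $check -join '; ' }
        } else {
            $check = 'NOT OWNED BY ANY PACKAGE - investigate'
        }
    } else {
        $owner = 'outside msys2 tree'; $check = 'n/a'
    }

    [pscustomobject]@{ File = $path; Size = $size; SHA256 = $hash; Owner = $owner; Check = $check }
}

# 4. Why the prompt may repeat: with cloud protection on and sample submission set to
#    "ask", a blocked upload (for example through a campus firewall) can surface as the
#    same "requires a security scan" notice again and again. Show the relevant settings.
Get-MpPreference | Select-Object MAPSReporting, SubmitSamplesConsent, DisableRealtimeMonitoring

# 5. If every file checks out, exclude only the msys2 tree instead of turning Defender
#    off. Reversible with: Remove-MpPreference -ExclusionPath $Msys2Root
# Add-MpPreference -ExclusionPath $Msys2Root
```

Step 5 is deliberately commented out: an exclusion is a standing blind spot, so add it only after step 3 shows every flagged DLL is owned by an msys2 package and unaltered, and remove it again if the build tree is ever replaced.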


#14 2020-08-21 15:34:31

Winds
Member
Registered: 2020-01-28
Posts: 53

Re: Windows Virus and Threat Protection Overactive

Gator, I hope your ProxSpace can be improved as well! Currently I am working in a custom environment, without 32-bit.

I have found many packages that I think are not needed; you could make the MinGW lighter. A lot of things to do, you can do better.
Sorry, at the moment I have no personal time to contribute.

Wishing you the best

