MS Windows Defender & DeCSS

On 7/20/2021 at 7:42pm, Windows Defender definitions daily update picked up a  copy of the famous DeCSS DVD encryption software as a Trojan and performed an immediate quarantine, followed by deletion 60 seconds later. This appears to be a false positive, notable only because the software it is incorrectly targeting is so famous.

It picks up the software as the Glupteba!ml Trojan per the screenshot below, marking it as a Severe threat;

 

Windows Defender is also misdiagnosing XFX Keygen programs from the mid-2000’s as high threats. Yes they crack software, but that’s a medium to low threat unless the concern is something bigger.

---

Download the File

If you are feeling brave, here is the file in question: DeCSS.exe <— Warning! Here be dragons. Download this at your own risk. Know the risks.

I vouch for the provence of this file as follows: It was acquired via DirectConnect from a file hub run by 2600 affiliated contributors in 2004. It’s code signature matches the incorrectly used 1999 code signature of David Fawcus that Jon Lech Johansen used to sign the executable.

Here is the metadata:

---

Separately, here is the XFX Force Keygen being tagged as a false positive High threat

Here is the file: KEYGENXFORCE.exe <— Warning! Here be dragons. Download this at your own risk. Know the risks.

---

File Analysis & Log Files

Kapersky finds no threat. On VirusTotal, 32 out of 72 engines misidentify this as malicious.

Here is last nights log file

-------------------------------------------------------------------------------------
MpCmdRun: Command Line: mpcmdrun  -restore -all
 Start Time: ‎Tue ‎Jul ‎20 ‎2021 20:10:48

MpEnsureProcessMitigationPolicy: hr = 0x1
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-33A7-F7F5B974DFEF} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: HackTool:Win32/Keygen!MSR, GUID: {8003F52C-0000-0000-B7CE-870973926357} (80508014)
ERROR: QuarantineRestore failed (80508014)
ERROR: MpQuarantineRequest failed: name: Trojan:Win32/Glupteba!ml, GUID: {80040956-0000-0000-D48C-06A3EB93B95A} (80508014)
ERROR: QuarantineRestore failed (80508014)
MpCmdRun.exe: hr = 0x80508014.
MpCmdRun: End Time: ‎Tue ‎Jul ‎20 ‎2021 20:10:48
-------------------------------------------------------------------------------------

You dump the log by opening an elevated CMD window in the folder C:\Program Files\Windows Defender folder.

You then execute mpcmdrun -restore -listall to list all quarantined items. Follow that with mpcmdrun -restore -all to restore all (Danger!)

You’ll notice my log above lists a failed code of 80508014 for each file. So instead I execute mpcmdrun -restore -all --Path D:\temp to restore it to a different location than the NAS it was deleted from.

The data will then be fine at rest in D:\temp until I try to copy it back to where Defender Deleted it on the NAS. At which point it deletes it again.

---

Closing and General Info

My OS Build is 19043.1110, version 21H1 installed on 6/10/2020.

The data at rest on the NAS lives on a DS920+ Synology with a 4tb Raid 1 volume in BRTFS format. This NAS volume is shared via SMB as the Z: drive on all machines in the house. The NAS contains other separate volumes servicing an Internet facing Pi running Traefikv2 with multipule services on a separate VLAN.

MS Has pushed out an update that appears to fix the false positive on DeCSS as of 7:42am this morning. As of 8:10pm on 7/21/21 it is still misidentifying XFX Keygens as a threat.

Update on 7/23/2021

Defender is once again ignoring whitelists and exceptions and silently deleting this file