Comments (21)
@goshostoychev can you add the link to the Discord chat we had, to the description above?
from choco.
@goshostoychev can you add the link to the Discord chat we had, to the description above?
Done.
@goshostoychev said...
You can reproduce the issue by deleting the chocolatey folder in ProgramData and running the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1".
Can you please clarify the exact steps that you are describing here?
When the chocolatey folder in C:\ProgramData is deleted, and then we run the choco install script from 'https://chocolatey.org/install.ps1' to make a new installation of choco, our antivirus software detects the problematic file in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1".
And if you delete this file, and attempt the re-installation again?
And, just to confirm, you are executing:
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))
Directly, in an Administrative PowerShell Session, as described in the installation page here.
Yes, we are deleting the whole choco folder and we are re-installing it. The command we are executing is this:
Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
The command is being run as the built-in SYSTEM user.
This is the response we got from the ESET support:
From time to time we have cases of this kind of False Positive from ESET. It's completely normal, most likely a new update with definitions/signatures was released and that's where the detection itself comes from.
If you think it's a False Positive, Chocolatey colleagues, as well as yourself, can come forward to ESET and report the False Positive. Accordingly, ESET colleagues have a whole page to help with this process: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab
Basically, within the day, a report of such an issue is fixed, so you can file a similar False Positive report in the manner described in the article, so that the developers can fix the anomaly.
@goshostoychev said...
Yes, we are deleting the whole choco folder and we are re-installing it
Can I ask that you be very clear about what you are referring to?
Which folder are you referring to here? The chocolatey folder within the C:\ProgramData folder, or the chocolatey folder within the C:\Windows\Temp folder?
We are deleting the C:\ProgramData folder, but when we try to re-install choco, our antivirus detects the problematic file in C:\Windows\Temp.
Thank you for the clarification!
During the fresh installation of Chocolatey CLI, the contents of the Chocolatey nupkg will be extracted to the TEMP folder, this is normal behaviour. What I would like to clarify further, based on the discussion that was had in Discord, is whether the file in the TEMP folder is correctly signed using the Chocolatey certificate. Can you please clarify if this is the case on your system?
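The question above (is the helper file in TEMP, and the one in ProgramData, actually signed with the Chocolatey certificate?) is something each affected admin can answer locally before filing a false-positive report. The following PowerShell is an added example and not code from the thread or from the Chocolatey project: it walks the two folders named in this discussion, reports the Authenticode status and signer of every .ps1 helper, and records a SHA-256 so a quarantined or deleted copy can be compared with a known-good install. The `$ExpectedSignerSubject` value is a placeholder; the real subject of the Chocolatey signing certificate is not given on this page.

```powershell
# Added example (not part of the thread): report the Authenticode status of the
# Chocolatey helper scripts in the two locations discussed above, so that a
# "file present but unsigned or tampered" case can be told apart from an
# antivirus false positive on a validly signed file.
function Test-ChocolateyHelperSignatures {
    [CmdletBinding()]
    param(
        # Both folders come from the thread: the installed helpers and the
        # temporary extraction folder used during a fresh install.
        [string[]]$Paths = @(
            'C:\ProgramData\chocolatey\helpers\functions',
            'C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions'
        ),
        # Placeholder: replace with the certificate subject you observe on a
        # known-good Chocolatey installation.
        [string]$ExpectedSignerSubject = 'CN=<expected-signer-subject>'
    )

    foreach ($dir in $Paths) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Verbose "Skipping missing folder: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Filter '*.ps1' -File | ForEach-Object {
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert    = $sig.SignerCertificate
            $subject = if ($cert) { $cert.Subject } else { $null }
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer        = $subject
                SignerMatches = ($subject -eq $ExpectedSignerSubject)
                Thumbprint    = if ($cert) { $cert.Thumbprint } else { $null }
                Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: show only files that are not validly signed by the expected signer.
# An empty result means every helper is intact and signed, which points to a
# detection-signature false positive rather than a modified file.
Test-ChocolateyHelperSignatures |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.SignerMatches } |
    Format-Table -AutoSize
```

A `HashMismatch` status means the file content no longer matches its embedded signature (the file was altered after signing); `NotSigned` means no signature block is present at all, which is the case the later comment in this thread describes for a replaced helper file. Run it before the antivirus acts on the file, or on a copy restored from quarantine, because a file that has already been deleted cannot be checked.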
We have just tested a fresh installation again, and this time 'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1' comes with a valid signature.
Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET the file is no longer marked as malicious?
@goshostoychev said...
Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET the file is no longer marked as malicious?
No, no changes have been made on our side.
About the response we got from ESET - are you going to take what steps are necessary to submit this file as false-positive to ESET, so that they can whitelist it, or make the needed adjustments to the file? And please, let us know of the result.
@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this.
As such, I am going to close this issue, but feel free to respond to it if you have any other comments.
Not an isolated incident. We've had this flagged up too!
@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?
@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?
It was ESET.
I’ll get you the logs from the portal so you can see what it picked up, but we are experiencing the same as above.
See attached screenshot @gep13
@m4ttyj thank you for providing that screenshot.
I am not sure how much help we will be able to be with this report. Chocolatey CLI does not install into that folder by default, and I am not familiar with RepairTech, so I can't speak to what process is being followed to place the files there.
As a side question, was the outcome of this ESET detection that the file in question was moved to some form of quarantine folder, or did it remain in place in that location?
Hi
RepairTech is SyncroMSP. It's used to update default apps like Adobe Reader etc.
However, I thought it would be useful as it's the same file and the same reaction (although the location is different).
ESET deletes the file.
@m4ttyj said...
ESET deletes the file.
Thank you for confirming, this helps with understanding what is going on, and answers some of the internal discussions that we have been having about this.