
Comments (21)

pauby commented on May 30, 2024

@goshostoychev can you add the link to the Discord chat we had, to the description above?

from choco.

goshostoychev commented on May 30, 2024

@goshostoychev can you add the link to the Discord chat we had, to the description above?

Done.

gep13 commented on May 30, 2024

@goshostoychev said...
You can reproduce the issue by deleting the chocolatey folder in ProgramData and run the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

Can you please clarify the exact steps that you are describing here?

goshostoychev commented on May 30, 2024

When the chocolatey folder in C:\ProgramData is deleted, and then we run the choco install script from 'https://chocolatey.org/install.ps1' to make a new installation of choco, our antivirus software detects the problematic file in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

gep13 commented on May 30, 2024

And if you delete this file, and attempt the re-installation again?

And, just to confirm, you are executing:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Directly, in an Administrative PowerShell Session, as described in the installation page here.

goshostoychev commented on May 30, 2024

Yes, we are deleting the whole choco folder and we are re-installing it. The command we are executing is this:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The command is being run as the built-in SYSTEM user.

goshostoychev commented on May 30, 2024

This is the response we got from the ESET support:

From time to time we have cases of this kind of False Positive from ESET. It's completely normal, most likely a new update with definitions/signatures was released and that's where the detection itself comes from.

If you think it's a False Positive, Chocolatey colleagues, as well as yourself, can come forward to ESET and report the False Positive. Accordingly, ESET colleagues have a whole page to help with this process: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab

Basically, within the day following the reporting of such an issue it is fixed, so you can file a similar False Positive report in the manner described in the article, so that the developers can fix the anomaly.

gep13 commented on May 30, 2024

@goshostoychev said...
Yes, we are deleting the whole choco folder and we are re-installing it

Can I ask that you be very clear about what you are referring to?

Which folder are you referring to here? The chocolatey folder within the C:\ProgramData folder, or the chocolatey folder within the C:\Windows\Temp folder?

goshostoychev commented on May 30, 2024

We are deleting the C:\ProgramData folder, but when we try to re-install choco, our antivirus detects the problematic file in C:\Windows\Temp.

gep13 commented on May 30, 2024

Thank you for the clarification!

During the fresh installation of Chocolatey CLI, the contents of the Chocolatey nupkg will be extracted to the TEMP folder, this is normal behaviour. What I would like to clarify further, based on the discussion that was had in Discord, is whether the file in the TEMP folder is correctly signed using the Chocolatey certificate. Can you please clarify if this is the case on your system?
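The signature question above is the check worth automating. The PowerShell audit below is an added example, not Chocolatey's own code and not something posted in this thread: it walks the helper scripts in the default install folder and in the TEMP extraction folder a fresh install uses, records each file's Authenticode status, signer subject and SHA-256, flags anything that is not validly signed by the expected publisher, and reports extracted files that are missing from, or differ from, the installed copy (which is what an antivirus deletion or an unsigned replacement looks like on disk). The expected signer substring 'Chocolatey Software' and the two folder paths are assumptions, taken from the paths quoted in this thread and Chocolatey's default install location rather than from the project's code; adjust them for a non-default install.

```powershell
# Added example (not Chocolatey's own code). Run in an elevated PowerShell
# session after a fresh install. When the installer runs as SYSTEM, as in this
# thread, the TEMP folder is C:\Windows\Temp, which is the path reported above.

# Assumptions (not from the thread or the project): the signer subject
# substring and the two default folders below.
$ExpectedSigner   = 'Chocolatey Software'
$InstalledHelpers = Join-Path $env:ProgramData 'chocolatey\helpers\functions'
$ExtractedHelpers = Join-Path $env:SystemRoot  'Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions'

function Get-HelperSignatureReport {
    # One record per .ps1 file: Authenticode status, signer, hash and a Trusted verdict.
    param([Parameter(Mandatory)][string]$Folder)
    if (-not (Test-Path -LiteralPath $Folder)) {
        Write-Warning "Folder not found: $Folder"
        return
    }
    Get-ChildItem -LiteralPath $Folder -Filter *.ps1 -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{
            File    = $_.Name
            Folder  = $Folder
            Status  = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = $signer
            Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Trusted = ($sig.Status -eq 'Valid') -and ($signer -like "*$ExpectedSigner*")
        }
    }
}

$installed = @(Get-HelperSignatureReport -Folder $InstalledHelpers)
$extracted = @(Get-HelperSignatureReport -Folder $ExtractedHelpers)

# 1. Anything unsigned, tampered with (HashMismatch) or signed by another publisher.
$suspect = @($installed + $extracted | Where-Object { -not $_.Trusted })
if ($suspect.Count -gt 0) {
    Write-Warning "Files that are not validly signed by '$ExpectedSigner':"
    $suspect | Format-Table File, Status, Signer, Folder -AutoSize | Out-String | Write-Warning
} else {
    Write-Host "All helper scripts are validly signed by '$ExpectedSigner'."
}

# 2. Compare the extracted (TEMP) copy of each helper with the installed copy.
$installedByName = @{}
foreach ($i in $installed) { $installedByName[$i.File] = $i }
foreach ($e in $extracted) {
    $i = $installedByName[$e.File]
    if ($null -eq $i) {
        # Present in the extraction folder but gone from the install folder:
        # consistent with the antivirus having deleted or quarantined it.
        Write-Warning "$($e.File): extracted copy exists but installed copy is missing"
    } elseif ($i.Sha256 -ne $e.Sha256) {
        Write-Warning "$($e.File): installed copy differs from extracted copy (installed: $($i.Status), extracted: $($e.Status))"
    }
}
```

A `HashMismatch` status means the file carries a signature block but its content no longer matches it, which is the state an edited or partially overwritten script ends up in; `NotSigned` is what an unsigned replacement shows. If the extraction folder has already been cleaned up, the second part reports nothing and only the install-folder audit is meaningful.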

goshostoychev commented on May 30, 2024

We have just tested a fresh installation again, and this time 'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1' comes with a valid signature.

Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET the file is no longer marked as malicious?

gep13 commented on May 30, 2024

@goshostoychev said...
Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET the file is no longer marked as malicious?

No, no changes have been made on our side.

goshostoychev commented on May 30, 2024

About the response we got from ESET - are you going to take what steps are necessary to submit this file as false-positive to ESET, so that they can whitelist it, or make the needed adjustments to the file? And please, let us know of the result.

gep13 commented on May 30, 2024

@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this.

As such, I am going to close this issue, but feel free to respond to it if you have any other comments.

m4ttyj commented on May 30, 2024

Not an isolated incident. We've had this flagged up too!

gep13 commented on May 30, 2024

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

m4ttyj commented on May 30, 2024

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

It was ESET.
I’ll get you the logs from the portal so you can see what it picked up, but we are experiencing the same as above.

m4ttyj commented on May 30, 2024

See attached screenshot @gep13 [attached image: ESETAlert-Choco]

gep13 commented on May 30, 2024

@m4ttyj thank you for providing that screenshot.

I am not sure how much help we will be able to be with this report. Chocolatey CLI does not install into that folder by default, and I am not familiar with RepairTech, so I can't speak to what process is being followed to place the files there.

As a side question, was the outcome of this ESET detection that the file in question was moved to some form of quarantine folder, or did it remain in place in that location?

m4ttyj commented on May 30, 2024

Hi

RepairTech is SyncroMSP. It’s used to update default apps like adobe reader etc.

However I thought it would be useful as it’s the same file and the same reaction (although the location is different)

ESET deletes the file.

gep13 commented on May 30, 2024

@m4ttyj said...
ESET deletes the file.

Thank you for confirming, this helps with understanding what is going on, and answers some of the internal discussions that we have been having about this.
