Windows defender detects a trojan upon installation of 4.17.1 (false positive) #13335
Comments
|
Same here. I updated Docker Desktop on another PC earlier this week and it was not detected as an issue by Defender. My guess is that Defender has new definition. Now, the point is to know if it's a false positive or whether Docker Desktop was compromised (supply chain attack?). The threat detected is this one: Microsoft link. I believe it's useless (because mainly random/temporary path but these are the path of threat detected:
Would be appreciated to know the actual status (false or true positive). |
|
Just tried installing Docker with the same issue. |
|
Workaround
|
|
Same here, 4.17.1 on Win10 Sure we can disable security as a 'workaround' (and it seems we have to leave it off or it wont run) - but until there is some confirmation that there isn't something actually wrong with this file that's not great advice. I went to an older version to do what I needed to do. |
|
Same here. Windows 10 build 19045.2728 |
Thanks. Going back to an older version is not a solution either. It might even be more of a problem and security risk. After installation switch on the defender security and you are on par. |
|
Just tried installing Docker with the same issue. I agree going back to older version as well as disabling the virus threat protections are not good choices at all. Looking forward to getting this issue fixed. |
|
is everyone else trying to replicate alpaca? |
|
Having the same issue here
|
|
⬆️ Upvote Same situation... Can we receive any feedback, please? |
|
Version 4.16.2, I tried versions that are above this version and I got the same error. |
|
Having a similar issue, I am going to assume that going to an older version might still be a security risk? |
|
4.17.0 does seem to have an important security fix https://docs.docker.com/desktop/release-notes/#security |
Agreed - it's not even close to ideal. I am having trouble with the older version anyway, it's moot. Just going to wait until this is addressed. |
|
|
|
Same for me |
|
Any update on this? |
|
i tried to submit the installer to Microsoft for a definitive positive/negative evaluation (if they find a file is safe they update definitions within hours) unfortunately, the installer is too large to submit and it doesn't seem to be manually extractable to find the problematic file - unless someone knows how to extract the exe? (my defender detected |
|
Windows defender mentions the virus is
|
Every time i have ever had this happen to me, the file i submitted to MS turned out to be harmless - and they updated sigs, in one retro gaming forum a piece of software had been detected as malicious for years, a quick submission to MS fixed that in a couple of hours! Unfortunately the limit is 500MB at https://www.microsoft.com/en-us/wdsi/filesubmission :-( fingers crossed this is a false positive... |
|
Even I had the same issue. I'm using Windows 11 version 22H2 and am trying to install Docker version 4.17.1 |
|
It appears that for version 4.17.1 (latest), the checksum listed at https://docs.docker.com/desktop/release-notes/ does not match the checksum of the downloaded file. The download on the main page as well as the release notes page both have non-matching checksums. I have not verified this myself but someone reported it on Reddit a couple of hours ago (on Windows 11 22H2) and a friend of mine has also verified that the checksums do not match ~30 minutes ago (on Windows 10). Thought it would be useful to contribute this info since it hasn't been previously mentioned. |
Yup just verified this myself on Windows 11 22H2, the checksum of the installer for Version 4.17.1 does not match the one on the official Docker website. Just to check it out as well the Version 4.17.0 checksum does match though. Don't think this is any indication to use the older version, although it does include the fix for: (https://www.cve.org/cverecord?id=CVE-2023-0628 and https://www.cve.org/cverecord?id=CVE-2023-0629) |
|
Interesting because @alexvanbelle reported getting the Defender warning on both 4.7.0 and 4.7.1 |
|
Nothing on VirusTotal, but then again, Windows detects the trojan on install, not when downloading the file. |
I had the same error, after 10-20 tries at installation, I just allowed the installer to run from the defender->allow, then I read magicmq's comment about the checksums not matching and am rushing to uninstall with IObit uninstaller and running about 3-4 antivirus scans. Will update about any developments. |
|
Same malware detected when trying to install via Chocolatey package manager. |
I guess it's just a typo but it's 4.17.0 & 4.17.1 (neither 4.7.0 nor 4.7.1) To be clear:
As the others, fingers crossed it's a false positive. I hope we'll get the confirmation soon. |
|
It upgrade the Windows Security to 1.385.1239.0. It worked v4.7.1 for me |
|
For manual update virus protection: Then Docker Desktop installation will be successful
|
|
I am latest version, still facing the issue. |
|
Sometimes the issue always can't be resolved. |
|
I got a real crash that docker application is hanging. The explorer was being killed. Microsoft Edge is not responding. The VMMAW keep using more memory. |
|
Security Intelligence Version: 1.385.1251.0 also blocks Docker Desktop 4.17.1 (101757) installation |
|
Just go to the release notes and download v4.17.0. Windows defender is OK with this one! |
@aldotapia could you please let us know the Windows version where you've seen this happening? BTW, the latest version of Defender is now 1.385.1261 |
|
@MihaelaStoica I'm using Windows 11, version 22H2. Updated Windows Defender to 1.385.1272 and now I'm able to install Docker 4.71.1 |
|
|
@UnderShash could you please check if you still experience the issue with the latest Defender update. It is Also, @krzim and @robert-robinson-qubisoft, as you also experienced failures. Your help in checking the latest update is most appreciated. |
|
Running 1.385.1272.0 Defender update. Docker Desktop 4.17.1 install failed. Version 4.17.0 install succeeded. |
|
@tanyev It would be helpful to see what installation log files look like. You can try the diagnose tool post-install, or otherwise check |
|
It seems to mirror the screenshot provided by: #13335 (comment) but with more detail. |
|
Yesterday I had the same problem, today I decided to run the installer as admin and there were no problems, it installed normally. |
|
I have just updated my malware definitions:
***@***.***
And ran the in app software update (from v4.16.3, I rolled back to get it to work for yesterday) to version 4.17.1
There were no complaints from Windows protection and it seems to be running fine now.
From: Mihaela Stoica ***@***.***>
Sent: Tuesday, March 28, 2023 4:45 AM
To: docker/for-win ***@***.***>
Cc: Robert Robinson ***@***.***>; Mention ***@***.***>
Subject: Re: [docker/for-win] Windows defender detects a trojan upon installation of 4.17.1 (false positive) (Issue #13335)
I am latest version, still facing the issue. [image] <https://user-images.githubusercontent.com/96820814/227923274-3f42dbca-b896-447f-adfe-e49955ac956c.png>
@UnderShash<https://github.com/UnderShash> could you please check if you still experience the issue with the latest Defender update. It is 1.385.1272 at the time of writing.
Also, @krzim<https://github.com/krzim> and @robert-robinson-qubisoft<https://github.com/robert-robinson-qubisoft>, as you also experienced failures.
Your help in checking the latest update is most appreciated.
—
Reply to this email directly, view it on GitHub<#13335 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AXLUV43BZ22I4TASVILIO7LW6HGZTANCNFSM6AAAAAAWHMPXP4>.
You are receiving this because you were mentioned.Message ID: ***@***.******@***.***>>
|
|
My Docker Setup keep hanging while during installation. The docker hang the setup and click on two time to become white screen and the setup start to install Docker Desktop. After install, docker did not start the service. I kill all the docker application. Because the background process is still using on it. Later on, I restart the docker service. |
|
Diagnose ID: 1C363CDE-2301-4049-873A-B50B7D10B243/20230328115143 |
|
@robert-robinson-qubisoft, thanks for confirming that the in-app update from 4.16.3 to 4.17.1 does not trigger the Defender |
@BrandonWanHuanSheng the issue you describe is different from the one discussed on this thread. In the effort of keeping the discussion relevant, could you please open a new issue for this? |
|
With defender definitions 1.385.1360.0 I was able to install version 4.17.1 (over version 4.17.0) w/o the trojan complaint. I did not have to run as administrator. Nor did I use Docker Desktop's own update facility. I just double-clicked the installer. |
|
It also work for me. v4.17.1 and v4.17.0 is installable. Trojan and Backdoor suppose to be gone. But I am unsure if I apply dynamic update to resolve this issue. I am going to under a restart windows update back with the dynamic update. This is a sign of missing security dynamic update on the PC. |
|
This might be able fix to the installation |
|
It also allow me to 4.6.2 as well. |
|
We've released Docker Desktop v4.18.0 yesterday, which has never been flagged with an assumed false positive. We've also been unable to reproduce within newer definitions of Windows Defender with Docker Desktop v4.17.0 and v4.17.1. I'll close this issue for now. Please let us know if you do experience the assumed false positive flagging in the future, feel free to reopen if experienced with these versions (or open a new GitHub Issue if it's with a newer version or different reported trojan than "Trojan:Script/Wacatac.H!ml" and "Trojan:MSIL/Bladabindi!MTB"). |
|
Closed issues are locked after 30 days of inactivity. If you have found a problem that seems similar to this, please open a new issue. /lifecycle locked |
and others
Actual behavior
Upon fresh instrallation I receive the folowing message:
Manifest extraction failed: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
at CommunityInstaller.InstallWorkflow.d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at CommunityInstaller.InstallWorkflow.d__23.MoveNext()
Windows defender than alerts me it has detected Trojan:Script/Wacatac.H!ml in the docker desktop temp folder
Expected behavior
The installation should go on smoothly
Information
Output of
& "C:\Program Files\Docker\Docker\resources\com.docker.diagnose.exe" checkSteps to reproduce the behavior
The text was updated successfully, but these errors were encountered: