Sunday, December 3, 2023

Newest 2023-0-397-152 Installer – Trojan Backdoor:Win32/Bladabindi!ml Detected – SketchUp


You have a SHA miss, which suggests the installer has been compromised, presumably on a CDN. Why haven't you removed the installer?




2 Likes

Not trying to be rude, just honestly asking for the sake of myself and others who probably know little or nothing about software development and publishing, virus creation and virus protection:
what makes you so sure that the installer is compromised?

  • What's an "SHA miss"?
  • What's "BackDoor:Win32/Bladabindi!ml"?
  • From what field of experience, education, or source documentation do you make these claims?

Once again, this is being asked from ignorance, but I ask these things because:

  1. Nobody wants their stuff hacked.

But…

  2. Nobody wants to wait on installing bug fixes just because some guy says it's dangerous. You may have read an article about viruses and think you know what you're talking about, and are sharing misguided opinions on the matter. You might even be a troll.

With such a claim, it would be helpful for the community if you would follow up the claim with some solid evidence so we can make informed decisions, or not warn us at all; we don't know if you know what you're talking about.



2 Likes

I get the same message, but with another file being quarantined.
I uploaded the file to virustotal.com and it didn't generate a warning.

What's up with this? I can't recall this being an issue before.

I have written software for a living, specialising in security for large financial firms, for over 20 years. I know what I'm talking about.



1 Like

That's the kinda stuff we want to hear. Thanks!

In my humble opinion – I'm not a programmer or security professional …

During the installation the installer extracts the file to a temporary location, then – because MS Defender "thinks" there may be a backdoor – removes this file from that location. Obviously the installer can't check the MD5 of the missing file. So, not an MD5 miss, but the whole file is missing.

I think there's a big difference between

"MD5 checksum failed"

versus:
"MD5 check failed"

That's one possible and admittedly likely answer. However, couple that with the visual bugs of the installer itself, and the very low probability of it being a false positive. The answer is not to disable your anti virus software. The answer is remove the update. Fix the issue, even if it's to identify why it may be a false positive, and change the code.



4 Likes

I have to agree with you, but only with the small modification above. :wink:

For what it's worth, I tried submitting the installer for review as a false positive after receiving the same detection as erlend.itland.FS – Trojan:Win32/Casdet!rfn.

Due to the size of the installer archive it looks like Microsoft won't review the file.

Why does this only happen for some of the Windows users and not all? I installed it with no warnings etc. as have many others. (my Windows 10 installation is up to date)



1 Like

The installer executable is not the file that's getting quarantined.

It's the "SketchUp 2023.msi" file that's extracted to path:
"%LocalAppData%/Downloaded Installations/{03CB7BC4-3C9C-452B-BFD7-1C3616BE96BD}"



1 Like

Yeah, you're right, I did think that as soon as I'd posted. Think I'll stick with the web version in the meantime until there is an official update.

VirusTotal report for the detected .msi: https://www.virustotal.com/gui/file/fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a/details

Although there are no detections on the file itself, there are three bundled files and one dropped file that do have one VT vendor detection each (check the details tab):

Skp2VRML.DLL – signed (Jiangmin detects as Trojan.Generic.glofj)
MSI61DE.tmp – signed (SecureAge detects as Malicious)
an unnamed, unsigned CAB file (Jiangmin detects as Trojan.Generic.glofj)
ISRegSvr.dll – unsigned (SecureAge detects as Malicious)

This is likely what's driving Defender to quarantine the .msi during the installation. It's incumbent upon SketchUp to resolve these issues with Microsoft if they're false positive detections. You should take any AntiVirus detection seriously. It's not impossible for genuine software distribution channels to be compromised by external parties (remember Solarwinds?). Until this is resolved, we cannot allow this on our network, and you should exercise extreme caution when considering your options.



2 Likes

@Mark @travis1 @colin @WebHorst

What is happening with your false positive submission to Microsoft please?

Windows Defender is still detecting SketchUp 2023.msi as Trojan:Win32/Casdet!rfn

We're seeing the SHA256 hash: fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a

Can you check this against the hash value that you have from a local copy of the file from the Dev team, to ensure that the file hasn't been tampered with between publishing and delivery?

We have registered users that rely on this software, but are prohibited from installing the latest version due to this detection. Please keep us updated here. If it's a false positive, please indicate which Windows security definitions update package will resolve this once you have been informed by Microsoft (they should inform you once they've verified it as a false positive).



1 Like

We will get back to you shortly. Thanks for raising this again.

I'll leave Travis to answer your main points.

For the interest of other people who hit this issue, I hit it yesterday as well. I found that I only needed to turn off Real-time protection, in Virus & threat protection settings, just long enough for the SketchUp installer to run. Then I turned it back on again. I know that's still unfortunate, but it felt safer than turning off all protection.

We're reaching out to NotAnEndUser1 directly.

@NotAnEndUser1 – We have confirmed that the SHA256 hash of our internal development version matches your hash value.

Specifically, on a Virtual Machine I installed SketchUp using our development version of the installer that became the 2023.0.1 released version, and then examined the "…AppData\Local\Downloaded Installations\*\SketchUp 2023.msi" file. Its SHA256 hash matches yours:
{
'SketchUp 2023-DevBuild124onCleanVM.msi': 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a',
}

That .msi file was then submitted for analysis to VirusTotal, which also confirmed the hash and returned a result saying "No security vendors and no sandboxes flagged this file as malicious"

The SHA you're seeing is our 2023 RC0 installation, so is a valid SHA.

We have provided our files to Microsoft Security Intelligence to scan for false positives. The scans are showing no detections. We are trying to escalate this to MSFT directly. The online scans are scanning with definitions 1.385.793.0. Can you confirm which Defender version (10, 11 or SmartScreen) and definition is detecting the installer's MSI? We can pass this information along to MS.
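As an added example (not from the thread, SketchUp or Microsoft), this is what an administrator could run on an affected machine to collect the evidence requested in the two posts above: the SHA256 of the extracted MSI compared against the hash quoted in the thread, its Authenticode signature state, the Defender engine and definition versions, and the matching Defender detection record. The %LocalAppData% GUID path and the expected hash are taken from the posts; the Defender cmdlets need an elevated session.

```powershell
# Added example, not from the thread. Gathers the facts the vendor asked for so a
# detection can be reported precisely: file hash, signature, definitions, detection.
$ExpectedSha256 = 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a'  # hash quoted in the thread
$MsiPath = Join-Path $env:LOCALAPPDATA 'Downloaded Installations\{03CB7BC4-3C9C-452B-BFD7-1C3616BE96BD}\SketchUp 2023.msi'

if (Test-Path -LiteralPath $MsiPath) {
    # 1. Integrity: does the extracted MSI match the hash the vendor confirmed?
    $actual = (Get-FileHash -LiteralPath $MsiPath -Algorithm SHA256).Hash
    if ($actual -ieq $ExpectedSha256) {
        Write-Output "SHA256 matches the published hash: $actual"
    } else {
        Write-Output "SHA256 MISMATCH: got $actual, expected $ExpectedSha256"
    }
    # 2. Authenticity: Authenticode status and signer of the MSI itself.
    $sig = Get-AuthenticodeSignature -LiteralPath $MsiPath
    Write-Output ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
} else {
    # As described in the thread, Defender may already have removed the file.
    Write-Output "MSI not present at $MsiPath (possibly quarantined)"
}

# 3. Which Defender engine and definitions are on this machine (the vendor asked for this).
$status = Get-MpComputerStatus
Write-Output ("Defender engine {0}, AV definitions {1}" -f $status.AMEngineVersion, $status.AntivirusSignatureVersion)

# 4. The detection record: threat name, time, action taken and the paths involved.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'SketchUp 2023\.msi' } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID
        [pscustomobject]@{
            Threat    = $threat.ThreatName
            Time      = $_.InitialDetectionTime
            Action    = $_.CleaningActionID
            Resources = ($_.Resources -join '; ')
        }
    } | Format-List
```

A hash match with a valid signature points to a false positive to report to Microsoft with the definition version shown; a mismatch or an unsigned file is the case where the file should stay quarantined.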
