Tuesday, December 5, 2023

Newest 2023-0-397-152 Installer – Trojan Backdoor:Win32/Bladabindi!ml Detected – SketchUp


You have got a SHA miss, which implies the installer has been compromised, probably on a CDN. Why haven’t you removed the installer?




2 Likes

Not trying to be rude, just genuinely asking for the sake of myself and others who probably know very little about software development and publishing, virus creation and virus protection:
what makes you so certain that the installer is compromised?

  • What’s an “SHU miss”?
  • What’s “BackDoor:Win32/Bladabindi!ml”?
  • From what field of experience, education, or source documentation do you make these claims?

Once again, this is being asked from ignorance, but I asked these things because:

  1. Nobody wants their stuff hacked.

But…

  2. Nobody wants to wait on installing bug fixes just because some guy says it’s dangerous. You may have read an article about viruses and think you know what you’re talking about, and are sharing misguided opinions on the matter. You might even be a troll.

With such a claim, it would be helpful for the community if you would follow up the claim with some strong evidence so we can make informed decisions, or not warn us at all; we don’t know if you know what you’re talking about.



2 Likes

I get the same message, but with another file being quarantined.
I uploaded the file to virustotal.com and it didn’t generate a warning.

What’s up with this? I can’t recall this being a problem before.

I have written software for a living, specialising in security for large financial companies, for over 20 years. I know what I’m talking about.



1 Like

That’s the kind of stuff we want to hear. Thanks!

In my humble opinion – I’m not a programmer or security expert …

During the installation the installer extracts the file to a temporary location; then, because MS Defender “thinks” there’s a backdoor, it removes this file from that location. Obviously the installer can’t verify the MD5 of the missing file. So it’s not an MD5 miss; the whole file is missing.

I think there’s a huge difference between

“MD5 checksum failed”

versus:
“MD5 verify failed”

That’s one possible and admittedly likely answer. However, couple that with the visual bugs of the installer itself, and the very low likelihood of it being a false positive. The answer is not to disable your anti-virus software. The answer is to remove the update. Fix the issue, even if it’s to identify why it might be a false positive, and change the code.



4 Likes

I have to agree with you, but only with the small modification above. :wink:

For what it’s worth, I tried submitting the installer for review as a false positive after receiving the same detection as erlend.itland.FS – Trojan:Win32/Casdet!rfn.

Due to the size of the installer archive it looks like Microsoft won’t review the file.

Why does this only happen for some of the Windows users and not all? I installed it with no warnings etc., as have many others. (My Windows 10 installation is up to date.)



1 Like

The installer executable is not the file that’s getting quarantined.

It’s the "SketchUp 2023.msi" file that’s extracted to the path:
"%LocalAppData%/Downloaded Installations/{03CB7BC4-3C9C-452B-BFD7-1C3616BE96BD}"



1 Like

Yeah, you’re right, I did think that as soon as I’d posted. Think I’ll stick with the web version for now until there’s an official update.

VirusTotal report for the detected .msi: https://www.virustotal.com/gui/file/fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a/details

Although there are no detections on the file itself, there are three bundled files and one dropped file that do have one VT vendor detection each (check the details tab):

Skp2VRML.DLL – signed (Jiangmin detects as Trojan.Generic.glofj)
MSI61DE.tmp – signed (SecureAge detects as Malicious)
an unnamed, unsigned CAB file (Jiangmin detects as Trojan.Generic.glofj)
ISRegSvr.dll – unsigned (SecureAge detects as Malicious)

This is likely what’s driving Defender to quarantine the .msi during the installation. It’s incumbent upon SketchUp to resolve these issues with Microsoft if they’re false positive detections. You should take any anti-virus detection seriously. It’s not impossible for genuine software distribution channels to be compromised by external parties (remember SolarWinds?). Until this is resolved, we cannot allow this on our network, and you should exercise extreme caution when considering your options.



3 Likes

@Mark @travis1 @colin @WebHorst

What is happening with your false positive submission to Microsoft, please?

Windows Defender is still detecting SketchUp 2023.msi as Trojan:Win32/Casdet!rfn

We’re seeing the SHA256 hash: fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a

Are you able to compare this with the hash value that you have from a local copy of the file from the Dev team, to ensure that the file hasn’t been tampered with between publishing and delivery?

We have registered users that rely on this software, but are prohibited from installing the latest version due to this detection. Please keep us updated here. If it’s a false positive, please indicate which Windows security definitions update package will resolve this once you have been informed by Microsoft (they should inform you once they’ve verified it as a false positive).



1 Like

We will get back to you shortly. Thanks for raising this again.

I’ll leave Travis to answer your main points.

For the interest of other people who hit this issue, I hit it yesterday as well. I found that I only needed to turn off Real-time protection, in Virus & threat protection settings, just long enough for the SketchUp installer to run. Then I turned it back on again. I know that’s still unfortunate, but it felt safer than turning off all protection.

We’re reaching out to NotAnEndUser1 directly.

@NotAnEndUser1 – We have confirmed that the SHA256 hash of our internal development build matches your hash value.

Specifically, on a Virtual Machine I installed SketchUp using our development build of the installer that became the 2023.0.1 released version, and then examined the “…\AppData\Local\Downloaded Installations\*\SketchUp 2023.msi” file. Its SHA256 hash matches yours:
{
'SketchUp 2023-DevBuild124onCleanVM.msi': 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a',
}

That .msi file was then submitted for analysis to VirusTotal, which also confirmed the hash and returned a result saying “No security vendors and no sandboxes flagged this file as malicious”.

The SHA you’re seeing is our 2023 RC0 installation, so it is a valid SHA.

We have provided our files to Microsoft Security Intelligence to scan for false positives. The scans are showing no detections. We are trying to escalate this to MSFT directly. The online scans are scanning with definitions 1.385.793.0. Can you confirm which Defender version (10, 11 or SmartScreen) and definition is detecting the installer’s MSI? We can pass this info along to MS.
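The two things asked for in this exchange, an independent SHA256 comparison of the extracted MSI against the vendor’s hash and the exact Defender engine and definition versions behind a detection, can be collected in one PowerShell session. The script below is an added example, not code from the thread or from SketchUp. It assumes the GUID folder name and the SHA256 quoted earlier in the thread, and it uses only the Defender cmdlets shipped with Windows 10/11 (Get-MpComputerStatus, Get-MpThreat, Get-MpThreatDetection); the function names are the example’s own.

```powershell
# Added example: verify the extracted MSI and gather Defender details for a
# false-positive report. Not part of the original thread or SketchUp's installer.

# SHA256 the thread reports for "SketchUp 2023.msi" (from the VirusTotal link above).
$ExpectedSha256 = 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a'

# Extraction path quoted in the thread; the GUID folder is the one the installer used.
$MsiPath = Join-Path $env:LOCALAPPDATA 'Downloaded Installations\{03CB7BC4-3C9C-452B-BFD7-1C3616BE96BD}\SketchUp 2023.msi'

function Test-MsiHash {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Expected
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        # Defender quarantines the file mid-install, so "missing" is the expected
        # symptom after a detection fired; report it as such, not as a mismatch.
        return [pscustomobject]@{
            Path = $Path; Status = 'Missing (possibly quarantined)'; Actual = $null; Signer = $null; Match = $false
        }
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $match  = ($actual -eq $Expected.ToLowerInvariant())
    # Authenticode status is a second, independent check on the same file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = if ($match) { 'Hash matches vendor build' } else { 'HASH MISMATCH - do not install' }
        Actual = $actual
        Signer = if ($sig.SignerCertificate) { "$($sig.Status): $($sig.SignerCertificate.Subject)" } else { "$($sig.Status)" }
        Match  = $match
    }
}

function Get-DefenderDetectionReport {
    param([string]$FileNamePattern = 'SketchUp 2023.msi')
    # Engine/definition versions are what Microsoft needs to reproduce a false positive.
    $status   = Get-MpComputerStatus
    $versions = [pscustomobject]@{
        AMProductVersion          = $status.AMProductVersion
        AMEngineVersion           = $status.AMEngineVersion
        AntivirusSignatureVersion = $status.AntivirusSignatureVersion
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    }
    # Map ThreatID -> ThreatName so detections show e.g. Trojan:Win32/Casdet!rfn.
    $threatNames = @{}
    Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }
    # Keep only detections whose resource list mentions the installer's MSI.
    $detections = Get-MpThreatDetection |
        Where-Object { ($_.Resources -join ';') -like "*$FileNamePattern*" } |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.InitialDetectionTime
                ThreatName = $threatNames[$_.ThreatID]
                Resources  = ($_.Resources -join '; ')
            }
        }
    [pscustomobject]@{ Versions = $versions; Detections = $detections }
}

Test-MsiHash -Path $MsiPath -Expected $ExpectedSha256 | Format-List
$report = Get-DefenderDetectionReport
$report.Versions   | Format-List
$report.Detections | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt right after the installer fails, before the temporary folder is cleaned up. A matching hash plus a detection record with a named threat and a definition version is exactly the evidence a vendor can forward to Microsoft; a mismatch, or a missing file with no detection record, points at a different problem and the installer should not be trusted.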

@Mark @travis1 @colin @WebHorst

It’s Microsoft Defender on Windows 10 that’s detecting it on our end.

It has been detected as two different threat types (a trojan and a backdoor) across separate incidents.

I’ve attached screenshots (if they upload correctly).

As you have confirmed the hash match to the Dev build, I’ll allow AV to be momentarily paused during installation of the software. It’s interesting that there are no VT vendors that detect it. I’m sure that the issue is with the unpacked files I detailed above, which each have 1 detection in VT. Please keep us updated when Microsoft have resolved the issue. Thanks for your attentive response.
