
Windows Defender detects latest release as Suschil!rfn trojan #10

Open
suano-noma opened this issue Jan 13, 2025 · 7 comments

Comments

@suano-noma

Windows Defender is detecting the latest release (file uploaded in November) as a trojan. Virustotal shows no detections; this is probably a case of needing to submit a false positive report on https://www.microsoft.com/en-us/wdsi/filesubmission under the software developer option.

@andrews05 (Owner)

Hi, thanks for reporting this. I'm just going through the submission process but need a few more details:

  1. The version of Defender (i.e. Win 10 or Win 11).
  2. The "Detection name". Learn how to see the list of detected threats on Microsoft Defender Antivirus.
  3. The "Definition version". Learn how to check the definition version on Microsoft Defender Antivirus.
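The three details asked for above can be pulled from the reporting machine with the built-in Defender PowerShell module. This is an added example, not something posted in the thread or shipped with the project; it assumes an elevated PowerShell session on a Windows 10/11 host with Microsoft Defender Antivirus active, and uses only the `Get-MpComputerStatus`, `Get-MpThreat` and `Get-MpThreatDetection` cmdlets:

```powershell
# Added example: collect the details a Defender false-positive submission asks for.
# Assumes an elevated PowerShell session with the Defender module available.

# 1. Windows edition/build and the Defender platform/engine versions
$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$status = Get-MpComputerStatus
[pscustomobject]@{
    Windows          = "$($os.Caption) (build $($os.BuildNumber))"
    DefenderPlatform = $status.AMProductVersion
    DefenderEngine   = $status.AMEngineVersion
    # 3. "Definition version" = security intelligence (signature) version
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureUpdated = $status.AntivirusSignatureLastUpdated
} | Format-List

# 2. Detection name(s) and affected items, newest first.
# Get-MpThreatDetection carries the ThreatID, the triggering process and the
# resource paths; Get-MpThreat maps the ID to the human-readable name
# (e.g. a Trojan:Win32/... family name), so the two are joined on ThreatID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 `
        @{ n = 'Detected';      e = { $_.InitialDetectionTime } },
        @{ n = 'DetectionName'; e = { $names[$_.ThreatID] } },
        @{ n = 'Process';       e = { $_.ProcessName } },
        @{ n = 'AffectedItems'; e = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize -Wrap
```

The `AffectedItems` column is the same resource string the Defender UI shows under "affected item" (a `webfile:` entry for a browser download includes the local path and the source URL), so pasting that row together with `DetectionName` and `SignatureVersion` gives the vendor everything it needs to reproduce the verdict against the exact signature set that fired.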

@suano-noma (Author) commented Jan 13, 2025

Hi, this is on Windows 11 Pro.
The detection name was Trojan:Win32/Suschil!rfn and the "affected item" entry in detection history is as follows:

webfile: C:\Users\user\Downloads\EV_Nova_Community_Edition.zip|https://objects.githubusercontent.com/github-production-release-asset-2e65be/698533497/64cb0556-4fe3-4f1b-933e-adc220c14168?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20250113%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250113T152703Z&X-Amz-Expires=300&X-Amz-Signature=60601e9ad60c096dcb9e9d33ffdee42d2669baca4ed2df216f847ca46314e5fa&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3DEV_Nova_Community_Edition.zip&response-content-type=application%2Foctet-stream|pid:35784,ProcessStart:133812556266220085

Security intelligence version is listed as 1.421.1341.0 and was updated this afternoon shortly before the download/detection.

edit: It's worth mentioning that this issue has occurred several times in the past with projects which bundle a Python installer like pyinstaller/nuitka, and from the sound of things there's some Python involved in the keygen part of this project, so that could be the cause if one of those tools is used or included?

@andrews05 (Owner)

Thanks for that. I've submitted it now:
Curious that current detection says no malware detected.

The python keygen that was once posted on Reddit is not part of CE in any manner. It instead bypasses the registration requirement in the same manner as the old "cracked" version.

@andrews05 (Owner) commented Jan 19, 2025

Final response:

Our scanners show no positive detection, and we have no telemetry indicators for the file(s) submitted either. As such, this submission will be closed with no further action pending.

I'm not sure why this doesn't match what users are seeing. Do I need to submit the entire zip package instead of just the exe?

@suano-noma (Author)

I'm still getting the alert when I attempt to download the archive, so maybe it's the zip file which needs to be submitted?

@andrews05 (Owner)

Right, I've made a new submission with the full zip and it's indicating malware now. Hopefully they can verify that it isn't.

@andrews05 (Owner)

Well I made a number of additional submissions, including older zip files and exes. All were closed with no malware detected with the exception of the full game zip file "EV Nova Community Edition.zip". This submission indicated that the zip was malware but somehow failed to identify any files within the zip that were malware. No further analysis was performed as the submission was "rejected due to too many files".


Not sure what else to do at this point...

2 participants