Detected as HackTool:Win64/ExplorerPatcher!MTB #3228
Comments
|
TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin: Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now. |
|
You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender. |
|
Also %APPDATA%\ExplorerPatcher |
|
microsoft is so mad ngl |
|
Thats not a false detection. They literally named it as "HackTool:Win64/ExplorerPatcher!MTB" because they don't like EP. |
|
It would be nice if EP deleted ep_setup.exe as soon as possible after an update, that would probably decrease the detection rate. |
|
It's used for uninstalling. It can't be deleted before then. |
Thank you, had to use this Also it looks like Windows 11 24H2 update might be a disaster because Microsoft is actively blocking StartAllBack as well. Not good, Microsoft needs lawsuit from someone with a decent anmount of money. |
|
Just want to post an update to this issue, looks like this will continue to haunt us forever even with local builds. From now on, users must have added the folders below to exclusions to prevent Defender from messing with EP while still keeping Defender active. Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"The reasons we're not setting the latest 66.4 build as release are:
So that's why we kept the latest release at 65.5 which is not flagged yet as of the time of writing. (66.4 is also not flagged) To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer which will be a simple GUI to select between release and pre-release version as well as optionally including the folders into exclusions which will be checked by default. And when they flag the PowerShell script, we can easily break the hash by modifying the script more like what MAS has been doing monthly. For updates, users will need to download updates through EP itself not by visiting the GitHub releases page anymore. What do you guys think? |
Powershell script is nice touch, I like that. |
|
great idea |
|
It is not a false detection, it correctly detects it as hacking tool ExplorerPatcher. |
Sounds great @Amrsatrio! More developers should implement this method. Where can we keep an eye out for your progress on the script? |
|
Hi, guys. Edit: |
|
its marked as Backdoor:Win32/Bladabindi!ml now earlier today it was calling it HackTool:Win32/Patcher!MTB |
|
Unlike most Trojan, Backdoor:Win32/Bladabindi!ml does not create a registry entry to run itself on Windows start-up. Instead, this threat will inject harmful code into valid processes including explorer.exe, iexplore.exe, firefox.exe, chrome.exe, opera.exe, and safari.exe. Trojan will load if user runs any of these programs. Then, the Trojan tries to contact a command and control (C&C) server through HTTP request on the same port 80, the same way users can connect to the Internet. During analysis, it was discovered that most of C&C servers that provides remote command for this threat are originating from .TW domains. Lastly, Backdoor:Win32/Bladabindi!ml attempts to gather cookie data from the infected computer. It is also interested in collecting Internet certificates and stores them under UserProfile folder. |
|
Here is what Kaspersky shows
|
I suppose they just don't want the place where they can push their products can be fixed as the user want, and they are ready to tell lies (false positives) to the users for this (legal?). Until someone will fee them for abuse of dominant position they will continue to milk everyone. IT companies like microsoft understand only judge hammers. Sorry for the offtopic. Good luck to EP. |
I would say the fact that the detection now explicitly includes "ExplorerPatcher" in its name is proof enough that this isn't about Microsoft not caring to fix a false detection, it's them actively and deliberately targetting Explorer Patcher, and trying to get people to stop using it. The generous interpretation would be that because it performs some deep modification of the shell, they deem it risky, and something that could lead to a lot of load on their customer support (do they have any?) if something breaks. A more cynical interpretation would be that they want to squash its potential of letting users choose how their operating system looks and behaves, including letting them get rid of unsolicited advertisement (in which case I suppose this could be something of interest to anti-trust bodies). |
|
Windows Defender should detect Browser:Win64/Chrome Browser:Win64/Firefox in near future. |
valinet
changed the title
|
Same here, even after following the PS script as a first time installer I am not able to install the program. |
|
Then disable Smart Screen and real-time protection ? |
That's windows smart screen blocking it. If you didn't configure it, and this is a work computer, your sys admins at work configured it that way. |
This is generally, not recommended as it opens up your system to all sorts of attacks. |
|
No its not. But you can turn it off, install, then turn back on. |
Yes that would work in many cases! |
Do not have permissions to disable the Smart Screen or real-time protection. Any other options? |
|
SmartScreen will still prompt you when trying to run an executable that is not signed. So this is perfectly ok. |
I think M$ closed your request... |
I just checked and its still open. There are 22 upvotes. If there are more experiences like yours then clearly something may be amiss .....! In any case, this requested change will not be forthcoming from MSFT through just one post on the feedback hub. I think we need a lot more upvotes and overall noise through various other feedback pipes. It's not impossible to imagine MSFT not changing their point of view! |
|
windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses tried to upvote via your link but got
had to upvote via this link instead https://aka.ms/AAse02b |
|
also upvoted native windows 11 cascade issue https://aka.ms/AAo78gw |
It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!! |
Link opens automatically the feedback hub app... but the result are the same. |
see this comment: #3228 (comment) |
|
Windows 11 24h2 without issues, Kaspersky didn't detect anything Version 22621.3880.66.6 |
This does not work, I get errors for all lines as follows:
And the same for all other lines |
|
The powershell script must run with elevated privileges. |
and others
For some reason, latest release of EP keeps getting false flagged by Windows defender as HackTool:Win64/ExplorerPatcher!MTB. I have to exclude this app's folder from Program Files manually to uninstall it properly. What is going on?
The text was updated successfully, but these errors were encountered: