
False Positive or Security Concern: Trojan Detection in Git for Windows #5284

Open
1 task done
keyboard3829 opened this issue Nov 27, 2024 · 3 comments

@keyboard3829

  • I was not able to find an open or closed issue matching what I'm seeing

Setup

  • Which version of Git for Windows are you using? Is it 32-bit or 64-bit?
git version 2.47.1.windows.1
cpu: x86_64
built from commit: 2cd22437f64229935dc564db969cbcbfed5e9045
sizeof-long: 4
sizeof-size_t: 8
shell-path: D:/git-sdk-64-build-installers/usr/bin/sh
feature: fsmonitor--daemon
libcurl: 8.11.0
OpenSSL: OpenSSL 3.2.3 3 Sep 2024
zlib: 1.3.1
  • Which version of Windows are you running? Vista, 7, 8, 10? Is it 32-bit or 64-bit?
Microsoft Windows [Version 10.0.22631.4460]
  • What options did you set as part of the installation? Or did you choose the defaults?
Editor Option: Notepad
Custom Editor Path:
Default Branch Option: main
Path Option: Cmd
SSH Option: ExternalOpenSSH
Tortoise Option: false
CURL Option: OpenSSL
CRLF Option: CRLFAlways
Bash Terminal Option: ConHost
Git Pull Behavior Option: Merge
Use Credential Manager: Disabled
Performance Tweaks FSCache: Enabled
Enable Symlinks: Disabled
Enable FSMonitor: Disabled

Details

Hello Git for Windows team,

I recently encountered a security alert on my Windows system regarding a Trojan:Win32/Wacatac.H!ml detection. The alert was triggered by Windows Defender and flagged several Git for Windows-related files. These are the details of the detection:

Detected Item:
Trojan: Trojan:Win32/Wacatac.H!ml
Status: Quarantined
Description: This program is dangerous and executes commands from an attacker.

Affected Files/Registry Entries:
File: C:\Program Files\Git\git-bash.exe
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Git\Git Bash.lnk
File: C:\Windows\System32\Tasks\Git for Windows Updater->(UTF-16LE)
Registry Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\<task id>
Registry Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Git for Windows Updater
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Git\Git Bash.lnk
Task Scheduler: C:\Windows\System32\Tasks\Git for Windows Updater

Thank you for your time and assistance.


@keyboard3829
Author

Similar issue: #5281, not sure if this counts as a duplicate.

@dscho
Member

dscho commented Nov 28, 2024

Yeah, totally looks like a duplicate to me, too.

For the record, these files are built on clean CI machines. They are not flagged by VirusTotal.

It is highly likely that this is yet another false positive.
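Before restoring anything from quarantine, a practitioner would want to confirm what was actually flagged. The following is an added PowerShell triage script, not code from the Git for Windows project; it walks the file, scheduled task and detection listed in the report above and produces the SHA-256 that the VirusTotal remark implies comparing. It assumes the default install path and task name quoted in the report, an elevated PowerShell session with the Defender module available, and that the printed hash is checked against the checksum published for the release.

```powershell
# Added triage example (not Git for Windows project code). Paths, task name and
# threat name are the ones quoted in the report; run from an elevated shell.
$GitBash  = 'C:\Program Files\Git\git-bash.exe'
$TaskName = 'Git for Windows Updater'
$Threat   = 'Trojan:Win32/Wacatac.H!ml'

# 1. Is the flagged binary still present, and does it carry a valid Authenticode
#    signature? A quarantined file is missing; a tampered signed file fails validation.
#    'NotSigned' is not proof of tampering: fall back to the release checksum.
if (Test-Path -LiteralPath $GitBash) {
    $sig = Get-AuthenticodeSignature -FilePath $GitBash
    [pscustomobject]@{
        File   = $GitBash
        Status = $sig.Status                      # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer = $sig.SignerCertificate.Subject   # $null when unsigned
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $GitBash).Hash
    } | Format-List
} else {
    Write-Warning "$GitBash is missing (likely quarantined); restore only after checking the release checksum."
}

# 2. What does the flagged scheduled task actually execute? For a legitimate install
#    the action should point into the Git install directory and nowhere else.
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
if ($task) {
    $task.Actions | Select-Object Execute, Arguments, WorkingDirectory | Format-List
} else {
    Write-Host "No scheduled task named '$TaskName' found."
}

# 3. Pull Defender's own record of the detection so the report carries the exact
#    resources it acted on, rather than a screenshot.
$threats = Get-MpThreat | Where-Object ThreatName -eq $Threat
foreach ($t in $threats) {
    Get-MpThreatDetection | Where-Object ThreatID -eq $t.ThreatID |
        Select-Object InitialDetectionTime, ProcessName, Resources | Format-List
}
```

A hash that matches the published release checksum together with a task action that stays inside the install directory is the evidence that supports the false-positive conclusion; a mismatch on either is the signal to stop and investigate instead of restoring.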
