Windows Defender does not like recording service!?!

[Tony]

Windows 10, v1511, built 10586.318, today's update of Recording Service (malware, Trojan, etc...). What is the problem?

[Joshua06]

Is not a problem, is a false positive. Disable windows defender, install Recording Service, after install enable windows defender

Edited May 31, 2016 by Joshua06

[Tjod]

It seams only Windows Defender on Windows 10 (1511) has this bug.

(It effects multiple applications which are using Inno Setup like DVBViewer and RS)

 

Windows Defender on Win 8.1 and Windows Defender on Win 10 (14352) and on Windows Defender https://www.virustotal.com are reporting nothing.

 

Feel free to inform Microsoft about their mistake.

https://www.microsoft.com/en-us/security/portal/submission/submit.aspx

 

(I have abandoned to inform AV vendors about their bugs (false positive) if they don't affect me)

[JohnD]

Hi,

 

I'm having the same problem with DVBViewer Pro 5.6.2. I temporarily disabled Windows Defender in order to allow the download and installation, but as soon as I re-enable Windows ​Defender, it removes the installed software.

 

So it's not only the installer that Windows Defender objects to, but something in the product itself.

 

Cheers

John

[JohnD]

Sorry, I should have said also - that's on Windows 10 (the forum wouldn't allow me to edit my original post).

 

Interestingly, Windows Defender didn't object to the demo download and installation - only the Pro version.

 

Cheers

John

[hackbart]

Probably because the downloads from the members section are unique, while the demo version is not generated for each user individually. I dropped Microsoft a message a while ago, but they do not really respond in a manner they should...

Like Tjod said it would be extremely helpful if people would use the link above in order to inform microsoft about the false positive.

[JohnD]

OK, I've submitted the false-positive details to MS via that link.

 

If I understand correctly, it appears that something in my profile has produced a unique id or similar, giving the false positive? If that's the case, would it be possible to tinker with the profile to generate a different executable?

[HaraldL]

Every customer gets an individual installer (and included EXE file) with embedded customer ID or something similar. To identify who spreads cracked versions, just like MP3 music files with embedded watermarks. For some antivirus products it looks suspicious that several users have the same EXE file in the same folder with same version number but different hash (the cloud feature of many antivirus products send file hashes to a central database). And they falsely assume it could be a self-modifying virus they don't know or something. What is not the case of course.

 

If you submit your EXE to the antivirus vendor and it gets white-listed, then mine is still not because my EXE is different. Or vice versa. And with every new version of DVBViewer or RecordingService the "game" begins again from scratch.

Edited June 13, 2016 by HaraldL

[JohnD]

Hmm, good point.

 

So, apart from ditching Windows Defender and switching to something else, can anyone suggest a solution?

 

Edit - actually, of course, I guess I just need to set up DVBViewer as an exception.

 

Cheers

John

Edited June 13, 2016 by JohnD

[dgdg]

Same problem her with Windows 7 and MSE (Microsoft Security Essentials). It was quite a struggle to install the lastest version of DVBViewer without MSE removing the EXE.

It does'nt help to stop the anti-virus software. A soon as you active it and try to start DVBViewer the EXE is removed.

 

Kategorie: Trojaner
Beschreibung: Dieses Programm ist gefährlich. Es führt Befehle eines Angreifers aus.
Empfohlene Aktion: Entfernen Sie diese Software unverzüglich.
Elemente:
file:C:\Program Files (x86)\DVBViewer\DVBViewer.exe

 

In this case DVBViewer is suspicious because it's behavior.

[bjanuszs46]

The same problem here: Microsoft Security Essentials reports Trojan:Win32/Varpes.N!c in DVBViewer 5.6.2. As suggested above by John, I've edited the MSE exception adding both the whole directory with binaries and the installer file.

[hackbart]

The strange thing is that here under all systems i've tested (Windows 7, 8.1, 10) the defender does not warn about the binaries. Microsoft also asked me to provide a binary which does, maybe somebody could pm me a file?

[wappy]

Got the same problem under windows 10 latest insiders preview and latest DVBViewer, also tested on other pc that is running 8.1 without problems.

Edited June 15, 2016 by wappy

[JohnD]

The strange thing is that here under all systems i've tested (Windows 7, 8.1, 10) the defender does not warn about the binaries. Microsoft also asked me to provide a binary which does, maybe somebody could pm me a file?

 

I was going to pm you one of the files I have here, so...

 

I made copies of the installer and executable (which I have in a folder that Defender is excluded from), and scanned them with Windows Defender to confirm the message I get. I was then going to send one over to you with those details. However, Windows Defender said they were ok. So I downloaded the DVBViewer installer again, and Defender immediately deleted it claiming it was a trojan - "Win32/Varpes.N!cl".

 

So, when I explicitly present those files for scanning, no problem, but when I download the software, it is a problem. I know almost nothing of the way anti-virus s/w works, so I can't explain it, but maybe this is why you can't get any a/v warnings either.

 

I can still send you a file if it would be useful, but it seems it may not be.

 

Cheers

John