Get-ChocolateyWebFile.ps1 detected as malicious from ESET #3423
Comments
@goshostoychev can you add the link to the Discord chat we had, to the description above?
Done.
Can you please clarify the exact steps that you are describing here?
When the chocolatey folder in C:\ProgramData is deleted, and then we run the choco install script from 'https://chocolatey.org/install.ps1' to make a new installation of choco, our antivirus software detects the problematic file in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"
And if you delete this file, and attempt the re-installation again? And, just to confirm, you are executing:
Directly, in an Administrative PowerShell Session, as described in the installation page here.
Yes, we are deleting the whole choco folder and we are re-installing it. The command we are executing is this:
The command is being run as the built-in SYSTEM user.
This is the response we got from the ESET support:
Can I ask that you be very clear about what you are referring to? Which folder are you referring to here? The chocolatey folder within the C:\ProgramData folder, or the chocolatey folder within the C:\Windows\Temp folder?
We are deleting the C:\ProgramData folder, but when we try to re-install choco, our antivirus detects the problematic file in C:\Windows\Temp.
Thank you for the clarification! During the fresh installation of Chocolatey CLI, the contents of the Chocolatey nupkg will be extracted to the TEMP folder, this is normal behaviour. What I would like to clarify further, based on the discussion that was had in Discord, is whether the file in the TEMP folder is correctly signed using the Chocolatey certificate. Can you please clarify if this is the case on your system?
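One way to answer the signature question above, as an added example that is not part of this thread or of Chocolatey's own code: it runs Get-AuthenticodeSignature over the helper scripts in the two folders named in the thread and flags any file that is not validly signed by the expected publisher. The folder paths and the expected subject pattern are assumptions to adjust for your system.

```powershell
# Added example (not from the issue thread or Chocolatey's own code).
# Reports the Authenticode status, signer and SHA-256 of each helper script
# so the ProgramData copy, the TEMP copy and a fresh download can be compared.
param(
    # Assumed locations, taken from the paths quoted in the thread.
    [string[]] $Roots = @(
        'C:\ProgramData\chocolatey\helpers\functions',
        'C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions'
    ),
    # Assumed publisher name; confirm it against a known-good install rather
    # than trusting this literal.
    [string] $ExpectedSubjectPattern = 'CN=Chocolatey Software'
)

function Test-ChocoHelperSignature {
    param([string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = ''
    $thumb = ''
    if ($sig.SignerCertificate) {
        $subject = $sig.SignerCertificate.Subject
        $thumb = $sig.SignerCertificate.Thumbprint
    }
    [pscustomobject]@{
        Path       = $Path
        # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        Status     = $sig.Status
        Subject    = $subject
        Thumbprint = $thumb
        Expected   = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSubjectPattern*")
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    }
}

$results = foreach ($root in $Roots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.ps1' -File |
        ForEach-Object { Test-ChocoHelperSignature -Path $_.FullName }
}

# Unsigned, tampered (HashMismatch) or differently signed files are what to
# look at first. UnknownError means the signature could not be verified at
# all (commonly a certificate chain that cannot be built on that machine).
$results | Where-Object { -not $_.Expected } | Format-Table Status, Subject, Path -AutoSize

# Keep the full record for comparison with a fresh nupkg extraction.
$results | Export-Csv -Path "$env:TEMP\choco-helper-signatures.csv" -NoTypeInformation
```

Run it from an elevated session on the affected machine and compare the Status and Sha256 columns for Get-ChocolateyWebFile.ps1 against a freshly extracted copy of the same package version.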
We have just tested a fresh installation again, and this time the Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET the file is no longer marked as malicious?
No, no changes have been made on our side.
About the response we got from ESET - are you going to take what steps are necessary to submit this file as a false positive to ESET, so that they can whitelist it, or make the needed adjustments to the file? And please, let us know of the result.
@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this. As such, I am going to close this issue, but feel free to respond to it if you have any other comments.
Not an isolated incident. We've had this flagged up too!
@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?
It was ESET.
See attached screenshot @gep13
@m4ttyj thank you for providing that screenshot. I am not sure how much help we will be able to be with this report. Chocolatey CLI does not install into that folder by default, and I am not familiar with RepairTech, so I can't speak to what process is being followed to place the files there. As a side question, was the outcome of this ESET detection that the file in question was moved to some form of quarantine folder, or did it remain in place in that location?
Hi, RepairTech is SyncroMSP. It's used to update default apps like Adobe Reader etc. However, I thought it would be useful as it's the same file and the same reaction (although the location is different): ESET deletes the file.
Thank you for confirming, this helps with understanding what is going on, and answers some of the internal discussions that we have been having about this. |
Checklist
What You Are Seeing?
Hello,
About two hours ago (GMT+3), we started to receive thousands of alarms from our antivirus software, stating that it found a malicious file at C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1. We checked the file signature, and at first it said that the file is unsigned, and now, after we tried to make a clean install of chocolatey, the file status is "UnknownError". Have you recently made any changes on your side? What could be the possible reason for this?
Link to the Discord chat, where we had a discussion about the issue - https://discord.com/channels/778552361454141460/897097047801475103
What is Expected?
No alarm from the antivirus software about a malicious file from chocolatey.
How Did You Get This To Happen?
We haven't done anything to make this happen. You can reproduce the issue by deleting the chocolatey folder in ProgramData and running the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"
System Details
Installed Packages
Output Log
Additional Context
No response