
Get-ChocolateyWebFile.ps1 detected as malicious from ESET #3423

Open
6 tasks done
goshostoychev opened this issue Apr 18, 2024 · 21 comments

Comments

@goshostoychev

goshostoychev commented Apr 18, 2024

Checklist

  • I confirm there are no unresolved issues reported on the Chocolatey Status page.
  • I have verified this is the correct repository for opening this issue.
  • I have verified no other issues exist related to my problem.
  • I have verified this is not an issue for a specific package.
  • I have verified this issue is not security related.
  • I confirm I am using official, and not unofficial, or modified, Chocolatey products.

What You Are Seeing?

Hello,
About two hours ago (GMT+3), we started to receive thousands of alarms from our antivirus software, stating that it found a malicious file at C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1. We checked the file signature, and at first it said that the file is unsigned, and now, after we tried to make a clean install of chocolatey, the file status is "UnknownError". Have you recently made any changes on your side? What could be the possible reason for this?
Link to the Discord chat, where we had a discussion about the issue - https://discord.com/channels/778552361454141460/897097047801475103

What is Expected?

No alarm from the antivirus software about a malicious file from chocolatey.

How Did You Get This To Happen?

We haven't done anything to make this happen. You can reproduce the issue by deleting the chocolatey folder in ProgramData and running the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

System Details

  • Operating System:
  • Windows PowerShell version:
  • Chocolatey CLI Version:
  • Chocolatey Licensed Extension version:
  • Chocolatey License type:
  • Terminal/Emulator:

Installed Packages

Chocolatey v2.2.2 Business
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919442 1.0.20160915
puppet-agent 5.3.3

Output Log

Chocolatey is running on Windows v 10.0.19045.0
Attempting to delete file "C:/ProgramData/chocolatey/choco.exe.old".
Attempting to delete file "C:\ProgramData\chocolatey\choco.exe.old".
Command line: "C:\ProgramData\chocolatey\choco.exe" --debug --verbose
Received arguments: --debug --verbose
RemovePendingPackagesTask is now ready and waiting for PreRunMessage.
CountdownTask is now ready and waiting for PostRunMessage.
Terminal services setup not necessary for this session.
SynchronizeTask is now ready and waiting for PreRunMessage.
PackagesInProgramsAndFeaturesTask is now ready and waiting for PostRunMessage.
Sending message 'PreRunMessage' out if there are subscribers...
[Pending] Removing all pending packages that should not be considered installed...
[Synchronize] Updating packages with Programs and Features
[Synchronize] Currently only supports removals. Soon will handle updates.
Resolving resource PackageSearchResource for source C:\ProgramData\chocolatey\lib
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3035131 1.0.3
puppet-agent 5.3.3
Sending message 'PostRunMessage' out if there are subscribers...
[Countdown] Determining how long until license expires
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
puppet-agent 5.3.3
[Programs & Features Package Sync] Ensuring all installed packages that don't have software natively installed are not listed in Programs and Features.
chocolatey 2.2.2
chocolatey.extension 6.1.3
chocolatey-agent 2.1.2
chocolatey-compatibility.extension 1.0.0
chocolatey-core.extension 1.4.0
chocolatey-dotnetfx.extension 1.0.1
chocolatey-windowsupdate.extension 1.0.5
foxit 12.1.1.15289
KB2919355 1.0.20160915
KB2919442 1.0.20160915
KB2999226 1.0.20181019
KB3035131 1.0.3
puppet-agent 5.3.3
Exiting with 1

Additional Context

No response

@pauby
Member

pauby commented Apr 18, 2024

@goshostoychev can you add the link to the Discord chat we had, to the description above?

@goshostoychev
Author

@goshostoychev can you add the link to the Discord chat we had, to the description above?

Done.

@gep13
Member

gep13 commented Apr 19, 2024

@goshostoychev said...
You can reproduce the issue by deleting the chocolatey folder in ProgramData and running the choco install script. This time, our antivirus said that the "infected" file is located in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

Can you please clarify the exact steps that you are describing here?

@goshostoychev
Author

When the chocolatey folder in C:\ProgramData is deleted, and then we run the choco install script from 'https://chocolatey.org/install.ps1' to make a new installation of choco, our antivirus software detects the problematic file in "C:/WINDOWS/TEMP/chocolatey/chocoInstall/tools/chocolateyInstall/helpers/functions/Get-ChocolateyWebFile.ps1"

@gep13
Member

gep13 commented Apr 19, 2024

And if you delete this file, and attempt the re-installation again?

And, just to confirm, you are executing:

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

Directly, in an Administrative PowerShell Session, as described in the installation page here.

@goshostoychev
Author

goshostoychev commented Apr 19, 2024

Yes, we are deleting the whole choco folder and we are re-installing it. The command we are executing is this:

Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

The command is being run as the built-in SYSTEM user.

@goshostoychev
Author

goshostoychev commented Apr 19, 2024

This is the response we got from the ESET support:

From time to time we have cases of this kind of False Positive from ESET. It's completely normal, most likely a new update with definitions/signatures was released and that's where the detection itself comes from.

If you think it's a False Positive, Chocolatey colleagues, as well as yourself, can come forward to ESET and report the False Positive. Accordingly, ESET colleagues have a whole page to help with this process: https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab

Basically, within the day following the reporting of such an issue, it is fixed, so you can file a similar False Positive report in the manner described in the article, so that the developers can fix the anomaly.

@gep13
Member

gep13 commented Apr 19, 2024

@goshostoychev said....
Yes, we are deleting the whole choco folder and we are re-installing it

Can I ask that you be very clear about what you are referring to?

Which folder are you referring to here? The chocolatey folder within the C:\ProgramData folder, or the chocolatey folder within the C:\Windows\Temp folder?

@goshostoychev
Author

We are deleting the C:\ProgramData folder, but when we try to re-install choco, our antivirus detects the problematic file in C:\Windows\Temp.

@gep13
Member

gep13 commented Apr 19, 2024

Thank you for the clarification!

During the fresh installation of Chocolatey CLI, the contents of the Chocolatey nupkg will be extracted to the TEMP folder; this is normal behaviour. What I would like to clarify further, based on the discussion that was had in Discord, is whether the file in the TEMP folder is correctly signed using the Chocolatey certificate. Can you please clarify if this is the case on your system?
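
The signature check asked for above, as an added example that is not part of the thread or of Chocolatey's own code: it reports the Authenticode status, signer and SHA-256 of both copies of Get-ChocolateyWebFile.ps1 named in this issue, so an unsigned or altered copy (signature status NotSigned, HashMismatch or UnknownError) can be told apart from an AV detection on a validly signed file. The two paths are taken from the thread; everything else is assumed.

```powershell
# Added example, not Chocolatey's code. Compare the installed copy with the copy
# extracted to TEMP during a fresh install, as discussed in this issue.
$paths = @(
    'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1',
    'C:\Windows\Temp\chocolatey\chocoInstall\tools\chocolateyInstall\helpers\functions\Get-ChocolateyWebFile.ps1'
)

$results = foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # The AV was reported to delete the file; record that instead of failing.
        [pscustomobject]@{ Path = $p; Exists = $false; Status = 'Missing'; Signer = $null; SHA256 = $null }
        continue
    }
    $sig  = Get-AuthenticodeSignature -FilePath $p
    $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path   = $p
        Exists = $true
        # SignatureStatus: Valid, NotSigned, HashMismatch, UnknownError, ...
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256 = $hash
    }
}

$results | Format-List

# Anything present but not validly signed is worth a closer look.
$bad = $results | Where-Object { $_.Exists -and $_.Status -ne 'Valid' }
if ($bad) {
    Write-Warning "Signature not valid on: $($bad.Path -join ', ')"
}

# If both copies exist but differ, one of them is not the file shipped in the nupkg.
$present = @($results | Where-Object Exists)
if ($present.Count -eq 2 -and $present[0].SHA256 -ne $present[1].SHA256) {
    Write-Warning 'Installed copy and extracted TEMP copy have different content.'
}
```

Run it in an elevated PowerShell session while the extracted TEMP copy still exists (i.e. right after the install script has run), since that folder is transient.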

@goshostoychev
Author

goshostoychev commented Apr 19, 2024

We have just tested a fresh installation again, and this time the 'C:\ProgramData\chocolatey\helpers\functions\Get-ChocolateyWebFile.ps1' comes with a valid signature.

Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET, the file is no longer marked as malicious?

@gep13
Member

gep13 commented Apr 19, 2024

@goshostoychev said...
Did you make any changes on your side, or maybe after the next update of the antivirus definitions of ESET, the file is no longer marked as malicious?

No, no changes have been made on our side.

@goshostoychev
Author

goshostoychev commented Apr 19, 2024

About the response we got from ESET - are you going to take what steps are necessary to submit this file as false-positive to ESET, so that they can whitelist it, or make the needed adjustments to the file? And please, let us know of the result.

@gep13
Member

gep13 commented Apr 19, 2024

@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this.

As such, I am going to close this issue, but feel free to respond to it if you have any other comments.

@m4ttyj

m4ttyj commented Apr 19, 2024

Not an isolated incident. We've had this flagged up too!

@gep13
Member

gep13 commented Apr 19, 2024

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

@m4ttyj

m4ttyj commented Apr 19, 2024

@m4ttyj can you confirm what anti-virus you are using, and what file it was triggering on?

It was ESET.
I’ll get you the logs from the portal so you can see what it picked up, but we are experiencing the same as above.

@m4ttyj

m4ttyj commented Apr 22, 2024

See attached screenshot @gep13
[screenshot: ESETAlert-Choco]

@gep13
Member

gep13 commented Apr 23, 2024

@m4ttyj thank you for providing that screenshot.

I am not sure how much help we will be able to be with this report. Chocolatey CLI does not install into that folder by default, and I am not familiar with RepairTech, so I can't speak to what process is being followed to place the files there.

As a side question, was the outcome of this ESET detection that the file in question was moved to some form of quarantine folder, or did it remain in place in that location?

@m4ttyj

m4ttyj commented Apr 23, 2024

Hi

RepairTech is SyncroMSP. It's used to update default apps like Adobe Reader etc.

However, I thought it would be useful as it's the same file and the same reaction (although the location is different).

ESET deletes the file.

@gep13
Member

gep13 commented Apr 23, 2024

@m4ttyj said...
ESET deletes the file.

Thank you for confirming, this helps with understanding what is going on, and answers some of the internal discussions that we have been having about this.

@pauby pauby reopened this Apr 23, 2024