Windows Defender detects Ubuntu 20.04's jq package – false positive Trojan:Win32/Casdet!rfn

7dc.org, 22 August 2020 (last updated 25 August 2020)

    -bash: /usr/bin/jq: cannot execute binary file: Exec format error
    (23) Failed writing body

Windows 10 20.04 build 19041.450

Security Intelligence Version 1.321.1943.0

False positive. Detects the signed jq binary from the Ubuntu focal repo as Trojan:Win32/Casdet!rfn.

[Image: https://7dc.org/wp-content/uploads/2020/08/jq_2.jpg]

Edit: Several other AV engines also hit on it (VirusTotal: https://www.virustotal.com/gui/file/bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd/detection).

Edit 25 Aug 2020: Microsoft accepted the false positive report and "fixed" it in definitions update 1.321.2133.0, which now detects jq as Trojan:Linux/CoinMiner.N!MTB.

To be continued...

Edit 2: It is being discussed on GitHub (https://github.com/stedolan/jq/issues/2175).