Tweaking.com Support Forums

Main Forum => Tweaking.com Support & Help => Topic started by: Alchemist on March 16, 2018, 12:38:38 PM

Title: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Alchemist on March 16, 2018, 12:38:38 PM
I have just had Windows Repair Pro quarantined and removed by Windows Defender as a severe risk of infection by Trojan:Win32/Critet.BS
I have repeatedly downloaded and tried to reinstall but the effect is the same.
I presume that this is a false positive but can you confirm ?
Better to be safe than sorry.
Any plans to look into this issue, if it is a real one, and liaise with Microsoft to prevent a recurrence and issue an update ?
I really rely on Windows Repair.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 16, 2018, 02:20:50 PM
A little while ago my Norton Security kicked out the .exe of Windows Repair, even though it was already installed and I had to have it whitelisted before I could install it again.

That was done by adding www.tweaking.com to the whitelist, but while this can be done in Windows Defender, it requires a file or folder.

https://support.microsoft.com/en-us/help/4028485/windows-10-add-an-exclusion-to-windows-defender-antivirus

So you may need to boot up into Safe Mode with Networking to download the program then see if you can open Windows Defender in that mode to add it as an exclusion.

I've just downloaded 4.0.15 and Norton said it was safe, so it is definitely a false positive.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 17, 2018, 11:38:56 AM
I have some information that may shine some light on this issue. I run Win7 PRO with Microsoft Security Essentials.

Shane posted v4.0.15 at 8:20 P.M. 3-14-18

I downloaded and installed v4.0.15 early A.M. of 3-15-18 with no virus detection problems at all. The v4.0.15 worked fine.

UNTIL  .....

Microsoft issues MSSE virus update v1.263.672.0 which I downloaded and installed this morning, A.M. 3-17-18 ...

AND THEN everything went to hell with v4.0.15, MSSE showing the Trojan Win32/Critet.BS virus.

I could not run or re-download v4.0.15 after the MSSE v1.263.672.0 update.

HOWEVER, there is NO problems with Windows Repair v4.0.14. I re-install it and am using it now until SHANE can FIX THIS !!!

Thanks,

fabrikator
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: technet on March 17, 2018, 03:53:57 PM
Getting the same report here. It really is a false positive?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 17, 2018, 04:07:59 PM
Getting the same report here. It really is a false positive?

After reading the first report, I downloaded the program, although I already have the Pro version and Norton Security didn't snag anything which I believe it would have had there been something there.

You will need to whitelist it and contact MS to sort out their Definitions for their AV programs.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 17, 2018, 04:23:12 PM
@ fabrikator - I'll pass this on about 4.0.14 not being affected by this.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 17, 2018, 04:32:06 PM
I would have thought that that shouldn't be our job, we just purchased the license.  I had the impression that the program is supposed was developed with Microsoft's blessing.  It's not right for every user to have to struggle with Microsoft to make sense of it.  I thought the idea was you do the work and we pay for the license.  So now we're supposed to multiply efforts between us all when we have no idea what is going on.

I don't want to whitelist it because maybe how do I know the program doesn't actually have a Trojan in it?  As it is I'm getting paranoid with all this cyber hacking.  E.g., from what I read I'm pretty sure Kaspersky virus checker seems to have been hacking user's computers on behalf of Putin (the US govt is barring its use)

I just got the trojan message from Microsoft Defender today, I bet there will be lots more than already reported it.  Isn't it Tweaking.com's job to make sure that we are safe?

Rani
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 17, 2018, 04:44:01 PM
Read Reply #1 and Reply #2.

I've passed on what fabrikator had found to my Support which will be passed onto Shane.

As you will see from my Reply #1 I've also once experienced an AV program conflict which eventually went.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: coover on March 17, 2018, 04:54:19 PM
After much consternation while trying to place the portable version of 4.0.0.15 onto my hard drive and then pinning a shortcut on the taskbar, my preferred method of installation, I did this ... 1. I turned off Defender "Real-Time Protection" 2. Downloaded the portable version of 4.0.0.15, 3. Extracted the download, 4. Placed the extracted file in the location I prefer, 6. Pinned the .exe onto the taskbar, and 7. Excluded the 4.0.0.15 folder in the location where I placed it.

But I agree with ergo (above) who said that the user should not have to go through all this hassle in order to use the software. Tweaking.com should have tested the software against all the major AV applications before releasing it. That said, however,  fabrikator mentioned that defender did not catch the (in this case) false positive at the time it was released. It was only after an Defender update that the false positive was reported. So, in this case, the problem was not with Tweaking.com. But the problem did become tweaking.com's when the false reports started coming, and they must fix the problem as soon as possible. I expect a new version, 4.0.0.16 with the fix out soon.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 17, 2018, 05:16:15 PM
I disagree - the problem is with WD and MSE Definition updates and MS should be fixing it.

When an AV program starts blocking a legit program then the protocol is to report that to the AV vendor as I did when I had problems with Norton kicking it out.

Norton has also blocked AdwCleaner for me but that soon passed as the Definitions were updated, which may be the case after the next WD and MSE updates.

However, I have passed this on.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 17, 2018, 06:38:35 PM
The cause of all of this is Microsoft Security Essentials & Microsoft Defender virus update v1.263.672.0 which came out this morning 3-17-18.

Yesterday Windows Repair v4.0.15 was FINE but after Microsoft's v1.263.672.0 update it shows the Critet virus in the WinRepair.exe file.

This is a Microsoft ERROR in their virus defs. Strangly, Windows Repair v4.0.14 remains clean.

I had the same thing happen several months ago with Hoverdesk RegCleaner and Avast's Piriform CCleaner. Both were fine until

Microsoft's "Weekend Warriors" released a virus update. Sadly, it took Microsoft 2 months to fix it.

It would seem to me that Shane could do some scripting magic in a new version and fix this, but I don't know.

One thing I DO know is that if you whitelist an .EXE file after it has been flagged with a virus, false positive or not, your are taking a big

chance.  That's my 2 cents worth.

fabrikator
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: coover on March 17, 2018, 07:49:16 PM
Yes, I believe MS should fix their application as soon as they can, but I would not rely on them to do so. If making changes to 4.0.15 is relatively easy, I would not wait for MS to do their thing. If MS takes a week to fix it, Windows Repair 4.0.15 is dead in the water for those folks using Defender, and Tweaking.com's chances to sell Professional  Versions of this software are lessened, even after MS makes the fix, as some folks will decide their free trial failure is enough not to come back for the next version.   
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 17, 2018, 11:03:57 PM
Harking back, though. Why on earth is this our problem to struggle with?  We pay the license, they provide the service.  Telling every one of us to  struggle with  Microsoft is ridiculous - it dramatically multiplies the effort required compared if Tweaking just dealt with the problem itself.  How do you expect customer loyalty if you just dismiss us as "you're on your own" - over a problem that a large number of people are facing. 

I can understand if this takes you some time to deal with, but don't give us homework you don't want to deal with!
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 18, 2018, 01:45:09 AM
Harking back, though. Why on earth is this our problem to struggle with?  We pay the license, they provide the service.  Telling every one of us to  struggle with  Microsoft is ridiculous - it dramatically multiplies the effort required compared if Tweaking just dealt with the problem itself.  How do you expect customer loyalty if you just dismiss us as "you're on your own" - over a problem that a large number of people are facing. 

I can understand if this takes you some time to deal with, but don't give us homework you don't want to deal with!

A few years back McAfee released a Definitions update that blocked Internet connectivity - are you saying that the ISPs should have changed the way they delivered broadband - because that is the equivalent of the now WD and MSE Definitions vs WR.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: grimley on March 18, 2018, 11:25:34 AM
Removed .15 and tried to install .14.
Installer reports an error (pointing to the install directory).
Defender barfs.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 18, 2018, 11:29:19 AM
I think you misunderstand how the entire antivirus thing works. Microsoft, Malwarebytes, Avira - all of them have false positive. Hell. Malwarebytes detected some of my photos the other day as virus (which BTW isn't even possible). They do it as a matter of course.

The dirty secret is some company's - the big ones  - are white listed. They can do whatever they like and release whatever they like. That is dangerous. Small companies are not - we use something called code signing which validates our product - but sometimes that is plain ignored, missed and we get  "false positive" detections

The antivirus companies further more depend on from known lists - most of which are t the same. Meaning they all the detect the same known thing. Hence., they realty detect something that isn't known -- until someone discovers it and it comes on the list.

To try and get around this they use heuristics  that try and uses that something may be in the realm of a viral infection -- that leads to more false positives.  Don't believe me, read it from one of the best utility programmers ever. https://www.nirsoft.net/false_positive_report.html  This is why you see "generic" or "Trojan.gen" a lot. meaning they have no idea what this is and it could be something generic -- or nothing.

There is no way for us to know when and if someone will detect our software as a false positive -- and it happens a lot. We have to wait for them to make a mistake and report it to them. Then wait for them to fix it. Which sucks for us.

Hell I wrote a company called cylance like 3 months ago and they still haven't fixed it. I suppose that is why no one uses cylance. Clearly, they don't keep pace.
 
In this case Microsoft plain screwed up something and detect a crapload of software with the same thing.
https://forum.kerbalspaceprogram.com/index.php?/topic/172357-trojanwin32critetbs/

We reported it, they fixed it - I don't expect and apology from them. But that is how the system unfortunately works. It sucks, but that is what it is.

We do our job correctly and produce quality clean software. If you don't want to white list it, that's your call. Just wait for the next update and we will be cleared.   But you, as consumers have to take a stand to help fight the false positive problem.  Authors have been fighting it to no avail.


I would have thought that that shouldn't be our job, we just purchased the license.  I had the impression that the program is supposed was developed with Microsoft's blessing.  It's not right for every user to have to struggle with Microsoft to make sense of it.  I thought the idea was you do the work and we pay for the license.  So now we're supposed to multiply efforts between us all when we have no idea what is going on.

I don't want to whitelist it because maybe how do I know the program doesn't actually have a Trojan in it?  As it is I'm getting paranoid with all this cyber hacking.  E.g., from what I read I'm pretty sure Kaspersky virus checker seems to have been hacking user's computers on behalf of Putin (the US govt is barring its use)

I just got the trojan message from Microsoft Defender today, I bet there will be lots more than already reported it.  Isn't it Tweaking.com's job to make sure that we are safe?

Rani
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 18, 2018, 11:39:22 PM
Boggin, are you serious?  Is it really that easy for you to write all of us off, we're on our own, have to fend for ourselves even though you're talking about possibly hundreds of people struggling with microsoft over something that shouldn't be our problem to begin with?

How about this.   I don't want to waste my time over something that is  not my responsibility.  So how about if you all offer us refunds for the remainder of our subscription?

Microsoft wiped out the software.  Even if I wanted to, I don't think it will let me reinstall it.  And why would I want to, when I'm not sure it's a trojan?

Why is it my job - along with everyone else - to deal with this?

And why should I trust you enough to whitelist you?

So I'd say, rather than blowing us all off - and especially given that our software has been eviscerated - why don't you owe all the subscribers with this problem their money back for the remaining time?

I don't care about the money, it's about acting like a decent business that is willing to deal with its own problems with Microsoft.

*.* the way I read the messages from the program, I had the impression that Tweaking was joined at the hip with Microsoft.

Jeez.  Do you think we have so much time to struggle with something that's not worth our time?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 19, 2018, 01:45:44 AM
@ ergo - I've removed your duplicate post, but haven't you read or understood a word that jpm has posted.

BTW - I'm only a volunteer on this forum and have no authority for the administration of any of Tweaking.com's programs - and while it has been known for MS techs to have used the repair program, they are not "joined at the hip" and are two different companies.

When Norton kicked out my Pro version I contacted Norton and they white listed it for me and I left it white listed for about a month before removing it from the white list to see if it still conflicted with it - it didn't.

I don't know if Norton moderated their Definitions or the newer Definitions moved on so that it no longer thought it a threat, but MS won't do anything about it if they don't know about it - which is why I've advised to contact MS.

When my Pro version updated to 4.0.15 through the program, there was no such alert and when I did a manual download, Norton reported it as safe, which is good enough for me.

The fault is not with the program but with MS, so that is who you need to contact to address this other than adding it to the white list.

Tweaking.com is quite safe - read jpm's post.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 19, 2018, 08:22:27 AM
People have - because of good marketing - the belief that antivirus companies keep them safe and are perfect.  I have 20 years in the software business that says that they are mainly full of crap. :)

Antivirus apps are more and more becoming modern day scareware and less and less a protection software.

But to restate what I said, false postives with ALL antivirus apps are commonplace.  When it happens, it is incumbant on the author of the software to notify the AV company detecting them to fix it.

In this case, from reading about other software the was hit with the "Critet.BS " designation (Seems BS stands for BullShit) - it looks like Windows Defender was tagging  that used certian funtions in VB.net programing language.  For those who don;t know, VB.net is a micorosft programming language.

How do you hold Tweaking.com responsible for that?

Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 19, 2018, 03:53:11 PM
Removed .15 and tried to install .14.
Installer reports an error (pointing to the install directory).
Defender barfs.

Where did you get the download for .14 ?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 19, 2018, 10:47:24 PM
OK all you tweaking virus experts, I think I'm back in the right place now. I hit the wrong button last time and double posted. Sorry !

We can all carry on about all the virus protection programs giving out false positives, but I'd like Shane or jpm to ponder this :

Why does v4.0.15 get flagged for the Critet virus but v4.0.14 DOES NOT  ??  Something ain't right

And to Boggin, Major Geeks should have v4.0.14. It works just fine.

fab

Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: markus5664 on March 20, 2018, 09:26:27 AM
I have Two desktops both up to date and running windows10 and using windows defender anti-virus. My xps420 has no problem with 4.0.15 however, my xps8700 does. Both have the latest updates.(1.263.824). I have submitted the v4.0.15 file to Windows Defender Security Intelligence and am currently awaiting the result analysis. I believe trojan:win32/critet.bs may very well be a false positive. If I try to run 4.0.14 I still show a false positive on my 8700 however, if I download 3.9.32 I have no problem with it. I hope Defender can give a definitive cause.  My problems began on 3/17/18 with windows defender security update 1.263.730, prior to that the new 4.0.15 ran great.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 20, 2018, 09:37:23 AM
Thanks for your input to this thread.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: markus5664 on March 20, 2018, 01:15:57 PM
Received clean bill of health from Defender.  Updated to 1.263.830.0 per instructions however, still fails showing error with irsetup.exe, defender does not like this installer. In safe mode w/networking I can download program and run it with no problem. I can also shut down defender's malware and use malwarebytes instead. I choose not to white list and will wait to see what happens. I will use safe mode w/networking to run tweaking which is how you are to run it in the first place.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 20, 2018, 11:15:45 PM

A few years back McAfee released a Definitions update that blocked Internet connectivity - are you saying that the ISPs should have changed the way they delivered broadband - because that is the equivalent of the now WD and MSE Definitions vs WR.

Sorry, Bloggin, I probably referred to the wrong company.  I meant to say the Kaspersky virus program is considered unsafe. It's a rather bizarre story. The U.S. government is now banning its use in the federal government.  Ironically, it was Michael Flynn (who had the honor of being fired as a security expert by both Obama and Trump) who a number of years ago flagged it as unsafe and increasing the risk of being hacked.  After Obama fired him, Flynn then started working for Kaspersky - who among other things is closely tied to Putin.  A couple of months ago 60 minutes interviewed Kaspersky in Russia about the evidence they were hacking the US.   What a perfect scheme - sell a virus checker that scans every file in your computer.

And Boggin please don't think I am blasting you over what to do about the virus problem.  Windows 10 won't let me install Tweaker and I am absolutely not comfortable white listing a program given examples such as the one I mentioned (Kaspersky).   I'm not saying that you should be responsible, just that we should not be responsible.   I can't install or use Tweaker, but I'd just let the license lapse rather than spending a ton of time dealing with Microsoft over the issue.

I'm getting confused by this user interface, I hope I haven't sent a double - I can't find my first response
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 21, 2018, 02:27:38 AM
I've removed your duplicate post.

There has always been the doubt that Kaspersky could be spying and even though there are denials from Kaspersky, I would think that if Putin ordered them to do it, there would be very little they could do to refuse given the power he has.

I don't have Kaspersky installed - I use Norton Security but have found the Kaspersky Rescue Disk very helpful in the past and while it scans the files for infections, it also seems to have some healing attributes.

As for MS and WR, it is my understanding from jpm's post that he or Shane will be contacting MS about this.

While it could be an inconvenience, you could do what Marcus5664 plans to do and that is to download and run the program in Safe Mode with Networking if/when you need to use it - it isn't or shouldn't be a program that you need to run regularly.

AFAIK it is a life time licence and not annual, so it won't expire.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 23, 2018, 08:19:41 AM
OK all you tweaking virus experts, I think I'm back in the right place now. I hit the wrong button last time and double posted. Sorry !

We can all carry on about all the virus protection programs giving out false positives, but I'd like Shane or jpm to ponder this :

Why does v4.0.15 get flagged for the Critet virus but v4.0.14 DOES NOT  ??  Something ain't right

And to Boggin, Major Geeks should have v4.0.14. It works just fine.

fab

We do not know exactly why. It could be something as simple as pattern matching. I remember a friend had his credit card number detected as a virus because part of the numbers matched the hash on a known virus - true story. Heck Malwarebytes detected my personal photography as a virus a couple months back. Explain that one.

In this case a LOT of files were detected from a LOT of companies. All we know is that they all use VB -- so it had something to do with that.  But exactly what, no idea.  Our product is 100% clean. They were wrong and they aren;t about to tell us why they were wrong for all the reasons you would suspect. It certianly isn't something we can prepare for either. Someone at MS made a mistake. They fixed it. But that is exactly how the antivirus world works.  Happens ALL the time.

It is better to have an AV than nothing - but really it is a lot of security theater.



Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 23, 2018, 09:59:55 AM
So have MS fixed this now ?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 23, 2018, 01:53:17 PM
I have been following this thread ever since v4.0.15 was released and have posted to it several times. I run Windows 7 PRO with Microsoft

Security Essentials as my virus protector. I think we can all agree that this is a Microsoft Security Essentials error, however after about a

dozen MSSE virus updates, v4.0.15 is still being flagged with the virus. Here are my latest questions :

     1.  Has Tweaking.com contacted Microsoft about this issue, and id so, is there a fix ?

     2   Why is it that only v4.0.15 is flagged and NOT v4.0.14 ? What is different ?

Thanks,

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 24, 2018, 10:34:18 AM
Yeah - we contacted them about 3 seconds after we found out. I believe it took them 6 hours to responded that it was fixed. There was never anything to do with anything on a user end. It was their mistake on matching.

No they never told us why, but it wasn't just our program it was a number of them around the web.

I would love it if they told us why - but it was most likely a coding error on their end and if they admitted it they would open up to legal issues.  Especially since what I have been able to divine is the programs that were flagged all used api calls to VB -- which is Microsoft's programming language. So essentially Defender flagged VB.  So whoever or however they made the error - it will never come out of Redmond. :)

Each time we release the exe is recompiled. So the 4.0.14 would have a completely different hash and "look" than 4.0.15.  When we release 4.0.16 odds are something will flag it as a false positive after release. It may not be defender, but it will be something. This shit happens all the time with every one of the antivirus apps - it is the bain of the software authors existence. It's annoying but part of how the security industry works.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 24, 2018, 10:37:41 AM
Well fabrikator was still getting the error yesterday with MSE - see post before yours.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 24, 2018, 01:09:58 PM
And I am still getting the Virus error today.

Let me clarify, I am talking about Microsoft Security Essentials .... NOT Windows Defender.

I just now, 2:53 P.M. CDT, 3-24-18, downloaded the latest Microsoft Security Essentials virus update v1.263.1070.0, and it is still flagging

v4.0.15 with the Trojan Win32/Critet.BS virus, so Microsoft has obviously NOT fixed anything !

Just letting you guys know what is still going on.

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 24, 2018, 04:45:30 PM
Dang. It is indeed cleared by MS but via virus total and their own site ( see attached)
https://www.virustotal.com/#/file/55d0bd20f9f8b28e6385bc530c25fdd25f094dc32b4834ef3f33d348a6cb8bfc/detection

Defender and essential use the same definitions.  I'll write and see what they think. Could be your didn't update?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 24, 2018, 04:50:18 PM
Just wrote in to let them know that defender is OK but essentials is still a problem.  We will see if that helps. They tend to be pretty quick/
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 24, 2018, 06:05:51 PM
Just updated to MSSE virus update v1.263.1075, 7:42 P.M. CDT.

A picture is worth a thousand words.

See Attachment

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on March 25, 2018, 12:31:47 AM
I tried clearing MSE quarantine of the false trojan on Friday, removed the ignore rule that I'd added, uninstalled WR 4.0.15 and attempted to reinstall but MSE still flagged it as a trojan, so had to tell MSE to ignore it again. I'd already checked VirusTotal to see that the file was safe. I installed the very latest MSE updates before attempting reinstallation. I guess I'll have to wait for the next iteration of Windows Repair and see what happens but in the interim I'm using it on the assurance that it's a false positive. I'm using Windows 7 SP 1
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 25, 2018, 04:03:54 PM
I literally just got another notification from them saying it was cleared. I reported it on Essentials as well.  Maybe their essential definitions run behind or they missed it the first time. But it should clear up soon.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 25, 2018, 05:07:34 PM
With latest MSSE virus update v1.263.1128.0, 6:40 P.M. CDT, 3-25-18.

Still being flagged. Somebody, probably Microsoft, is lying to everybody.

See attachment

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on March 26, 2018, 01:23:32 AM
I realise it's a false positive but MSE is still rejecting WR 4.0.15 even after updating the definitions this morning. I'd previously told MSE to ignore the false positive and installed 4.0.15 anyway but uninstalled WR this morning, cleared all references to it in MSE and tried a new install but MSE still stopped it until I'd asked it to ignore the false positive again.

MSE
Antimalware Client Version: 4.10.209.0
Engine Version: 1.1.14600.4
Antivirus definition: 1.263.1150.0
Antispyware definition: 1.263.1150.0
Network Inspection System Engine Version: 2.1.14600.4
Network Inspection System Definition Version: 119.0.0.0

Windows 7 Home Premium SP1 64x

Malwarebytes Premium 3.4.4
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 26, 2018, 03:39:15 PM
This is strange because the submission system says it is clean.... and it is.

Clearly they are having some sort of definition issue. I will try and get some clarity.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on March 26, 2018, 10:45:39 PM
Thanks, JPM -  it's odd, I agree. Malwarebytes Premium doesn't have a problem with it, either. I'm surprised that there aren't more posts about this on this forum, which I would have thought there would be if it was a widespread problem. Any way it could be caused by specific factors on the affected PCs? 
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: StephanP on March 27, 2018, 05:13:15 AM
... I'm surprised that there aren't more posts about this on this forum, which I would have thought there would be if it was a widespread problem.

I'm on Windows 10 (1709 with latest updates) and the standard Windows Defender flags the main executable as a positive.

Possibly related to this thread: Safe Mode = No Go (http://www.tweaking.com/forums/index.php/topic,5680.msg41749.html#msg41749) , I experienced the following just this morning:
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 27, 2018, 09:14:53 AM
MS have supposed to have fixed it for WD.

You can still download the program and run it in Safe Mode with Networking, bearing in mind that from Win 8/8.1 Windows disables wireless in that mode, although it can be re-enabled.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 27, 2018, 09:17:50 AM
I JUST updated to the latest 1.263.1584.0 def from Microsoft  and it is showing as clean. Finally!

Our best guess -- and it is just a guess but a guess from experience - is that there was something wrong with the defs over the weekend and they fixed it. Then it looks like they rolled it back - then fixed it again. Probabaly having to fix the fix. But, now it looks fixed. ;)

Problem is not everyone updates at the same time and it can take a few days to roll out.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 27, 2018, 11:50:01 AM
OK, jpm 

I tried v4.0.1.5 again with MSSE update v1.263.1584.0 AND newer v1.263.1587.0 and I am STILL getting flagged.

I'm done posting screen shots, you will just have to take my word for it.

SO ... let us see if we are on the same page  ... it does make a difference.

I use Windows 7 PRO with Microsoft Security Essentials ... NOT Windows Defender

What are YOU using to get an "all clear"  ??

Please reply

Thanks,

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 27, 2018, 12:53:33 PM
Yeah - I wrote them separately on essentials.  Seems that one takes longer
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: StephanP on March 27, 2018, 11:17:31 PM

I managed to place Repair_Windows.exe on Defender's exceptions list.
Windows Repair is now fully functional again.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 28, 2018, 08:38:40 AM
arrrrgh

This is becoming an issue for a number of people.
https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/false-positive-by-windows-defender-win32critetbs/13dc2ef4-2b24-40ca-87d4-74f35b0b79bf
https://github.com/processing/processing/issues/5442
https://www.reddit.com/r/KerbalSpaceProgram/comments/84mcqc/windows_defender_finding_trojan_in_ksp_files/
https://github.com/shadowsocks/shadowsocks-windows/issues/1746
https://github.com/fsprojects/Paket/issues/3121
https://www.onehouronelife.com/forums/viewtopic.php?pid=3521
There are a lot more.


All the authors are getting the same issue. The file comes up clean in the submission system, but is dectect on the home user. It effects both VB and Unity game programing languages.  It sems that it is a heuristic issue with defender but it looks like they are having an issue dealing with it.

Maybe if some of you all submitt the false postive as users?

https://www.microsoft.com/en-us/wdsi/filesubmission





Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: StephanP on March 28, 2018, 08:54:59 AM
Maybe if some of you all submitt the false postive as users?
https://www.microsoft.com/en-us/wdsi/filesubmission

Going out now
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: StephanP on March 28, 2018, 09:00:00 AM
O oh, it says:
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 28, 2018, 12:37:53 PM
Right.. Now you see the dilemma.

I suppose Guinness or a class a rant is in order. 


I filed a dispute with them just now. It felt funny filing a dispute on a clean file but... we live in funny times. ;)
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 28, 2018, 02:17:20 PM
Well, if I were a software developer like Tweaking.com, and I had a program that I knew was clean, and Microsoft Security Essentials kept

flagging it for a virus, I would be all over Microsoft like flies on poop !

Is there another way us users could contact Microsoft on this issue other than the "submissions" page ??

Or could Tweaking.com just create another updated version of Windows Repair to fix this ?

Like I have mentioned before, v4.0.14 is NOT affected by all this crap.

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 28, 2018, 05:15:12 PM
Well, the problem is THEY are Microsoft and we are a couple of guys. So in you analogy - we are the poop. :)

The antivirus world is like this though. You guys are just seeing this one right now. But it is very common for all the smaller authors. Don;t get me started on the whole PUP bullsh*t going on out there now.

I did hear back from tech support who confirmed there is no detection.

They recommended this:

Quote
Please try the following steps to clear cached detections and obtain the latest malware definitions.


1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender 

2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”


can someone try it and let me kknow.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on March 28, 2018, 10:31:44 PM
Well, the problem is THEY are Microsoft and we are a couple of guys. So in you analogy - we are the poop. :)

The antivirus world is like this though. You guys are just seeing this one right now. But it is very common for all the smaller authors. Don;t get me started on the whole PUP bullsh*t going on out there now.

I did hear back from tech support who confirmed there is no detection.

They recommended this:

Quote
Please try the following steps to clear cached detections and obtain the latest malware definitions.


1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender 

2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”


can someone try it and let me kknow.


Anything similar for MSE?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 02:23:05 AM
Given this really weird time in cyberspace, I have gotten way more careful.  For example, the strong evidence now that the virus checker Kaspersky has been spying in our country's computers, got a 60 minutes sessions about the associated risks, and the US govt has banned it and required that every government agency that installed it must prove they removed it from their computers.   Or how about Facebook - not only is it clearly established that most of the communications on Facebook were fake bot software, but one of the board members at Facebook openly worked with Cambridge Analytica to find ways to help Trump get elected.

I like Tweaking, my sense is that it is a good and straight-forward product (and sadly can't use even though I paid for the subscription) but I just need to bend over backwards.  I've been hacked too many times in too many ways over the years.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 29, 2018, 02:27:53 AM
Given this really weird time in cyberspace, I have gotten way more careful.  For example, the strong evidence now that the virus checker Kaspersky has been spying in our country's computers, got a 60 minutes sessions about the associated risks, and the US govt has banned it and required that every government agency that installed it must prove they removed it from their computers.   Or how about Facebook - not only is it clearly established that most of the communications on Facebook were fake bot software, but one of the board members at Facebook openly worked with Cambridge Analytica to find ways to help Trump get elected.

I like Tweaking, my sense is that it is a good and straight-forward product (and sadly can't use even though I paid for the subscription) but I just need to bend over backwards.  I've been hacked too many times in too many ways over the years.

You may need to reinstall and use it in Safe Mode with Networking or use a different antivirus program until MS get this sorted out.

If you have computer problems that you need to run the program, then open a thread in the Computer Help section.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 02:40:44 AM
Thanks, Boggin, but I was just giving a straight answer to someone who expressed concern about what many are experiencing.  As I wrote, there is a lot of wiggy stuff going on and I think it's good to be careful.  Far as I'm concerned, turning off my virus protection is not an option.

I have no problem with my computer.  It's a brand new Dell, raided, 64 GB RAM, I take good care of it.

This problem is between Microsoft and its response to Tweaking software
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 29, 2018, 02:49:34 AM
You can white list the program in your antivirus program - I had to do that for a short while when Norton Security kicked out the .exe.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 03:05:24 AM
Boggin, I think you must have read my message quickly and not processed what I said.  :)
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 29, 2018, 03:11:19 AM
I was just giving a solution to be able to run the program without turning your AV program off - which point did I miss ?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 03:52:29 AM
I'm not sure what message you mean.  I pasted it below.  I thought it was pretty clear.

Given this really weird time in cyberspace, I have gotten way more careful.  For example, the strong evidence now that the virus checker Kaspersky has been spying in our country's computers, got a 60 minutes sessions about the associated risks, and the US govt has banned it and required that every government agency that installed it must prove they removed it from their computers.   Or how about Facebook - not only is it clearly established that most of the communications on Facebook were fake bot software, but one of the board members at Facebook openly worked with Cambridge Analytica to find ways to help Trump get elected.

I like Tweaking, my sense is that it is a good and straight-forward product (and sadly can't use even though I paid for the subscription) but I just need to bend over backwards.  I've been hacked too many times in too many ways over the years.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 29, 2018, 04:10:27 AM
I didn't see the relevance of your main paragraph in relation to the thread - I was responding to the last one regarding the repair program.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 05:37:43 AM
OK, I'll try to make it really simple.

Cyberspace is hacking us everywhere you turn.  Facebook isn't safe.  Mcafee isn't safe.  Cyberspace is attacking us in all different directions.  I've been personally hacked in a number of ways over the years.

I liked your program (until I was blocked from using it) but why in the *.*  am I supposed to open up the floodgates to rate Tweaking as a trusted product to do what it wants?

Honestly, I don't know why you don't understand me because it's completely obvious to me that it's not our job to develop work-arounds so your product works in any way that we may or may not understand?

Jeez.  I really hope you'll stop telling me you still don't understand what I'm saying because it is so obvious.  Rani
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 29, 2018, 06:28:14 AM
If you read the thread, it's the Admins who have been doing the work to get this fixed and the repair program has been proven to be safe.

Tell me - what has this got to do with what is has been reported from those who use the repair program -

Given this really weird time in cyberspace, I have gotten way more careful.  For example, the strong evidence now that the virus checker Kaspersky has been spying in our country's computers, got a 60 minutes sessions about the associated risks, and the US govt has banned it and required that every government agency that installed it must prove they removed it from their computers.   Or how about Facebook - not only is it clearly established that most of the communications on Facebook were fake bot software, but one of the board members at Facebook openly worked with Cambridge Analytica to find ways to help Trump get elected.

No one has mentioned the suspicion about Kaspersky and has no bearing on MS antivirus programs blocking the program - Facebook doesn't come into and neither does data collection or Trump getting elected.

Now do you see why I was questioning this ?

When Norton Security kicked out the .exe on mine, I knew it was a false positive and had no qualms about white listing the website to reinstall the program.

Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 29, 2018, 06:33:14 AM
If you read the thread, it's the Admins who have been doing the work to get this fixed and the repair program has been proven to be safe.

Tell me - what has this got to do with what is has been reported from those who use the repair program -

Given this really weird time in cyberspace, I have gotten way more careful.  For example, the strong evidence now that the virus checker Kaspersky has been spying in our country's computers, got a 60 minutes sessions about the associated risks, and the US govt has banned it and required that every government agency that installed it must prove they removed it from their computers.   Or how about Facebook - not only is it clearly established that most of the communications on Facebook were fake bot software, but one of the board members at Facebook openly worked with Cambridge Analytica to find ways to help Trump get elected.

No one has mentioned the suspicion about Kaspersky and has no bearing on MS antivirus programs blocking the program - Facebook doesn't come into and neither does data collection or Trump getting elected.

Now do you see why I was questioning this ?

When Norton Security kicked out the .exe on mine, I knew it was a false positive and had no qualms about white listing the website to reinstall the program.

You are correct. the internet is not safe. Not at all. Nothing is sacred and your need to be aware of everything. You need to choose what you install very carefully.

You are also correct that this issue is not your problem and something we need to solve with Microsoft.

Our problem is that it is 100% a problem with Microsoft and we are trying to relay the information.

You can choose to whitelist it or not - but it should be cleared in all their definitions soon. I know they are working on it.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 29, 2018, 06:36:35 AM
Looks like 1.263.1691.0 definitions there after have been corrected.

Everyone getting a clear now?
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on March 29, 2018, 07:15:28 AM
JPM

I've lost the will to live after clearing the MSE alerts, uninstalling and reinstalling WRAIO again today and it again triggering an alert in MSE. I'm not sure which definition version I had but I carried out a manual update before and I think it was to 1.263.1691.0 - that's certainly what's showing now. I've told MSE to ignore the false positive yet again and I'll put this aggravation behind me until the next version of WRAIO is released and see what happens then.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 29, 2018, 12:44:25 PM
LOL --- Told ya it was better to pour a Guinness than to deal with this. :)

Yeah - we have a new version due to. Should be a fun week.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 29, 2018, 01:05:04 PM
I just updated to the latest Microsoft Security Essentials virus update v1.263.1709.0  .... AND

HURRAY  ... YIPPEE  ..... ALL IS WELL and CLEAR  ...

v4.0.15 installed and working FINE  !!!

THANK YOU to EVERYONE for their help and support on this issue, which was DEFINATELY a MICROSOFT F*UCK UP  !!

See y'all later

fab
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 29, 2018, 06:24:52 PM
Jeez, this thread seems to be getting personal and surprisingly argumentative.

All I did was tell you my position.    I value my privacy a lot.

Not, the latest update of the MS virus checker did not fix the install.   

I actually don't care.  I just passed on my own thought process about why I was unwilling to whitelist the program.  And I am taken aback that you think there is something that is wrong with that.

But again, I don't care.  It's not worth my time to deal with it.  I still can't use Tweaking even though it's the only program in my computer that stopped working. And yes, I still believe that it is not my responsibility to deal with the clash between MS and Tweaking.  Tweaking represented itself as working closely with Microsoft, but obviously it isn't.  Again, after updating MS and Tweaking, it still doesn't work.  And honestly I don't care because this was never personal for me, just something to chat about.   Bye. Rani
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: fabrikator on March 29, 2018, 10:24:47 PM
ergo,

Microsoft fixed the false positive issue with virus update v1.263.1709.0, and there is nothing wrong with Windows Repair v4.0.15 now.

If you are still having problems installing, then you have other problems, not MSSE or Windows Repair, perhaps with something YOU are

doing wrong.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 30, 2018, 02:54:47 AM
@ ergo - I've removed your duplicate post and sorry to hear you are still having problems which are beyond Tweaking's control as you will have noted by fabrikator's post.

If you need to run the program then you can reinstall and run it in Safe Mode with Networking.

Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: ergo on March 30, 2018, 05:07:03 AM

Thanks, Boggin,

It's not worth the risk doing a workaround, given MS lists it as having a severe threat level that opens computers up to hackers.

I have no idea if this is relevant but around that time my computer became a lot slower.

I'm about to unsubscribe to this, since I can't use it.   Thanks again
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on March 30, 2018, 05:14:57 AM
It could be worth doing a scan with the free version of MBAM but MS has released some updates to counter Meltdown and Spectre which can impact performance on some machines.

It could also be the antivirus still checking what's left of the program.

https://www.malwarebytes.com/mwb-download/

I have its service set to Manual from Auto so it doesn't auto run in the background.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on March 30, 2018, 04:26:54 PM
Jeez, this thread seems to be getting personal and surprisingly argumentative.

All I did was tell you my position.    I value my privacy a lot.

Not, the latest update of the MS virus checker did not fix the install.   

I actually don't care.  I just passed on my own thought process about why I was unwilling to whitelist the program.  And I am taken aback that you think there is something that is wrong with that.

But again, I don't care.  It's not worth my time to deal with it.  I still can't use Tweaking even though it's the only program in my computer that stopped working. And yes, I still believe that it is not my responsibility to deal with the clash between MS and Tweaking.  Tweaking represented itself as working closely with Microsoft, but obviously it isn't.  Again, after updating MS and Tweaking, it still doesn't work.  And honestly I don't care because this was never personal for me, just something to chat about.   Bye. Rani

It may have been read personally but I didn't intend it so. I agree with you. As an end user it is not your worry to get involved - it's our problem.

My issue with the whole "false positive" industry. This crap happens all the time and although Tweaking is always clean when someone sees a detection from a Microsoft is always will hurt our rep, weather we are right or wrong.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on April 03, 2018, 01:33:44 PM
Just installed v. 4.0.16 of WRAIO without triggering any false positive from MSE :cheesy:
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: markus5664 on April 03, 2018, 07:45:12 PM
Amen, 4.16 works perfect, no false positives.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on April 04, 2018, 12:19:42 AM
It's not the only thing 4.0.16 has resolved - we have a member who was unable to run .15 in any mode but it was found that .14 would as does .16.

Neither WD or MSE figured in this case - another Windows enigma.
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Still_Game on April 04, 2018, 12:31:38 AM
Yes, the inner workings of Windows are getting more and more impenetrable. I'm thinking that perhaps I'll stop wasting money on Microsoft "how-to" guides and start drawing pentagrams on the floor and exploring the divination of birds' entrails............
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on April 04, 2018, 12:41:39 AM
I think Shane may have already tried that :D
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: jpm on April 04, 2018, 07:26:28 AM
 :evil: LOL  :evil:


I'm on it
Title: Re: Trojan:Win32/Critet.BS - False positive from Defender?
Post by: Boggin on April 04, 2018, 01:05:15 PM
:evil: LOL  :evil:


I'm on it

 :cheesy: :cheesy: :cheesy: