[NXDRIVE-2722] Possible regression: Drive 5.2.4 is now detected as Trojan by MSAV and was not in previous versions - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 5.2.4, 5.2.5
Fix Version/s: None
Component/s: Security
Environment:
Windows with MS Defender antivirus turned on

Tags:
- SupCom
- nxdrive
Backlog priority:
1,000
Sprint:
nxdrive #35
Story Points:
5

Description

This ticket is opened as Nuxeo Drive 5.2.4 is now detected as a Trojan by MS Defender AV while it was not the case of previous versions.

There have been reports of 2 different threats by MSAV:

Trojan Wacatac.B!ml
Behavior:WIn32/Persistence.A!ml

Notice that these threats are reported based on behavior, not as static analysis.

How to reproduce:

configure Drive 5.2.4 with an account on a server and leave start on boot checked
have some actions on the server such as synchronizing a folder
reboot the client-side and wait for Drive to start
have some actions on the server such as adding or removing files from the synchronized folder
=> Nuxeo Drive is then silently removed from the client-side by MS Defender Anti Virus and the csymptm for the user is that the piece of software vanished.

You can retrieve the notification in the Microsoft Security Center in the protection history.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Nuxeo Drive et PersistenceA.png
114 kB
2021-07-12 10:11
nuxeo-drive-virus-MS-Defender-WacatacB.png
127 kB
2021-07-12 10:11
Recording-20230613_133319.webm
7.96 MB
2023-06-13 08:07

Activity

People

Assignee:

Sweta Yadav

Reporter:

Patrick Abgrall

Participants:

Patrick Abgrall, Sweta Yadav, Thierry Martins

Votes:

1 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

2021-07-12 10:09

Updated:

2023-06-14 09:25

Resolved:

2023-06-14 09:25