MS Defender: FFS Donate Portable infected

Posts: 6
Joined: 17 May 2023

ischowam

Hello

I have been using FFS portable on my business PC for years now.
Since last week I get a warning from MS Defender that the exe-files are infected with malware (EUS:Win32/CustomCertEnterpriseBlock!cl).

First I donated to FFS in order to get the latest portable edition, but also here I receive the warning.

Result is, that the files are deleted.
Copying them again also leads to the warning and deletion.

What is it about?
What is the reason behind?
Is there an edition without that?

Thank you
Joe
Posts: 3599
Joined: 11 Jun 2019

xCSxXenon

What is it specifically flagging? I ran everything except 'Resources' through VirusTotal and it came back 100% perfect.
Open Defender, go to history, show details, post a screenshot
Posts: 3599
Joined: 11 Jun 2019

xCSxXenon

Seems like a really generic classification
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=EUS:Win32/CustomCertEnterpriseBlock!cl&ThreatID=-2147236663

Are you on a domain or have something set up that maybe whitelists certs?
Posts: 3599
Joined: 11 Jun 2019

xCSxXenon

https://www.voidtools.com/forum/viewtopic.php?t=12942

This confirms it isn't a real detection
Posts: 6
Joined: 17 May 2023

ischowam

Hi
Scanning it with Kaspersky beforehand also shows 100% clean.
Yes, it might not be a "real" detection, but anyhow it is being blocked/deleted, so that I cannot use FFS anymore on that PC.
However due to limited user rights I cannot do anything about it.
The only chance would be, that the "reason" for it is removed from the EXE.
Posts: 6
Joined: 17 May 2023

ischowam

The question is, what this could be within the EXE:
"This threat can change the way your PC behaves..."
Site Admin
Posts: 7052
Joined: 9 Dec 2007

Zenju

Just wait a few days. FreeFileSync released today, so it's normal for AV software to freak out.
Posts: 6
Joined: 17 May 2023

ischowam

To be honest I do not believe that time will solve the issue. 😉

The first warnings appeared with a quite old edition of FFS all of a sudden.
I only switched to the latest one as I was not 100% sure where that one was from, and to be safe with an "official" one. In the end even the old one was a donation-edition.
Posts: 3599
Joined: 11 Jun 2019

xCSxXenon

This is an issue with your company's IT department, not the software. They changed something last week that blocks FFS, along with a lot of other software I would guess. Contact your IT team
Posts: 6
Joined: 17 May 2023

ischowam

Basically I agree with your point.
Unfortunately that is not an option. ;-)

I thought you could tell me, what in the background could cause the issue (e.g. automatic search for updates etc.).

It was a try from my side.
I guess I need to look for an alternative, which works. :-)

Thanks
Posts: 943
Joined: 8 May 2006

therube

Which particular files get deleted?

You might try renaming them & see if that might get you somewhere?
If FreeFileSync.exe, you might name it dontdeletemeMS.exe.

If it also deletes FreeFileSync_x64.exe, the above wouldn't help.

But you could try renaming FreeFileSync_x64.exe to dontdeletemeMS64.exe - &, run that file directly (instead of FreeFileSync.exe)***.

***This would be a hack & there could be issues in doing something like that (see recent discussion).
But, it can't hurt to try & see if it gives you something that is workable.

(A/V can be dumb, & sometimes even a name change can help.)
Posts: 6
Joined: 17 May 2023

ischowam

Hi
Thanks for your suggestions.

Unfortunately that did not outsmart AV. 🙁

All exe-files (also in folder bin) are being flagged when trying to copy them onto the machine or executing them. I then can only choose between deleting them or putting them into quarantine by AV.

The interesting thing is, that on another machine with the same setup I somehow managed after numberless tries that AV is not recognising the exe anymore or they are allowed or whatever. No issues anymore.

But I have no idea what I did to get there.
And copying those files onto the other machine does again end up in warnings by AV. 🤔
Posts: 943
Joined: 8 May 2006

therube

Whitelisted location? I.e., c:/ffs/ vs. c:/program files/ffs/ (where /program files/ is a "protected" directory)?

Different A/V definition updates?
Posts: 3599
Joined: 11 Jun 2019

xCSxXenon

IT could probably say exactly what is happening and why