Virus warning on windows 11 for RomWBW zx.exe


rwd...@gmail.com

Jul 19, 2022, 4:48:39 AM
to retro-comp
I received the following alert, and assume it is a false positive. Can anyone confirm this?
cheers
Richard

Threat quarantined
Severe
V 17/07/2022 10:28
Detected: Trojan:Win32/Ulthar.A!ml
Status: Quarantined
Quarantined files are in a restricted area where they can't harm your device. They
will be removed automatically.
Date: 17/07/2022 10:29
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: C:\Users\rwdea\Downloads\romwbw-dev-2022-jan-22\RomWBW-dev
\Tools\zx\zx.exe
file: C:\Users\rwdea\Downloads\RomWBW-dev\Tools\zx\zx.exe

Wayne Warthen

Jul 19, 2022, 4:20:58 PM
to retro-comp
I'm quite sure it is a false positive.  However, just to be safe, can you clarify exactly where you downloaded the zipfile that resulted in this?  Was this the latest production release hosted by GitHub (v3.0.1)?  I will download the exact file you used and check it out.

Thanks,

Wayne

Wayne Warthen

Jul 20, 2022, 7:17:41 PM
to retro-comp
I ran both the latest official release (3.0.1) and the latest development snapshot through VirusTotal.  VirusTotal passes the files through virtually all of the known virus detection engines.  A couple of the detection engines complained about cpmtools, rawwritewin, and Win32DiskImager binaries in the distribution.  However, in all cases, they were "heuristic" or "AI" detections which means they are just guessing.  Additionally, the official distribution has been out there for 2 years now with zero complaints of malware.

Unfortunately, I was not able to recreate the exact detection that you reported.  I don't know what to do about that.  These virus detection engines are getting extremely aggressive about assuming certain behaviors are malicious.  I think they are trying to prove their worth by finding something they can report to a user.

In the end, I am very satisfied that there are no viruses or malware in the RomWBW distribution.  Hope this helps.

Thanks,

Wayne
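
The post above could not tie the alert back to one exact file because the January dev zip was no longer at hand. The following Python script is an added example for this thread, not RomWBW code: it records a SHA-256 manifest of every executable in an extracted tree, so a reporter can quote the hash of the flagged file (and look it up by hash on a scanner such as VirusTotal) and compare it against other downloaded versions to see whether the flagged binary is byte-identical to one that was not flagged. The directory names and file contents in `demo()` are constructed for illustration.

```python
"""
Build a SHA-256 manifest of executables in an extracted distribution tree so an
antivirus alert can be tied to one exact file even after the original zip is gone.

Added example for this thread; not part of RomWBW. Paths, file names and the
bytes of the sample files in demo() are constructed for demonstration only.
"""
import hashlib
import tempfile
from pathlib import Path

# Extensions worth recording: the detections discussed in the thread were all on
# Windows executables shipped inside the distribution.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com"}


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Return the hex SHA-256 of a file, reading in chunks so large images are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each executable's path (relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXECUTABLE_SUFFIXES:
            manifest[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return manifest


def diff_manifests(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Compare two manifests: files present in only one tree, and files whose hash changed.

    This answers the question raised in the thread: is the flagged binary the same
    bytes as the copy in another download that the scanner did not complain about?
    """
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def format_manifest(manifest: dict[str, str]) -> str:
    """Render in the 'hash  path' layout that sha256sum -c accepts."""
    return "\n".join(f"{h}  {p}" for p, h in sorted(manifest.items()))


def demo() -> dict[str, list[str]]:
    """Constructed sample: two extracted trees that differ in one binary."""
    with tempfile.TemporaryDirectory() as tmp:
        jan = Path(tmp) / "RomWBW-dev-jan"
        later = Path(tmp) / "RomWBW-dev-later"
        for tree in (jan, later):
            (tree / "Tools" / "zx").mkdir(parents=True)
            (tree / "Tools" / "zx" / "zx.exe").write_bytes(b"MZ constructed build A")
            (tree / "Tools" / "cpmtools").mkdir(parents=True)
            (tree / "Tools" / "cpmtools" / "cpmcp.exe").write_bytes(b"MZ constructed cpmcp")
            (tree / "ReadMe.txt").write_text("not an executable; ignored\n")
        # Simulate a rebuilt zx in the later snapshot: different bytes, different hash.
        (later / "Tools" / "zx" / "zx.exe").write_bytes(b"MZ constructed build B")
        return diff_manifests(build_manifest(jan), build_manifest(later))


if __name__ == "__main__":
    # On a real tree: print(format_manifest(build_manifest(Path("RomWBW-dev"))))
    print(demo())
```

Run it against the extracted folder and keep the printed manifest with the AV report; the hash of the flagged path is what a maintainer needs to fetch the same bytes and re-scan them.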

Richard Deane

Jul 21, 2022, 5:11:50 AM
to Wayne Warthen, retro-comp
Apologies for being slow in responding. Somehow I wrote the email but didn't send it.

It is the dev zip direct from github of 22 Jan 2022.  

I actually ran zx.exe so perhaps the act of running it forced an AV response. 

However I have multiple versions of romwbw downloaded and cannot reproduce the error.

Microsoft is quick to issue virus updates, so maybe they temporarily had a broken AV update that picked up zx, and the AV is now updated to be good again.

I am happy it is a false alarm.

Thanks

Richard



Wayne Warthen

Jul 21, 2022, 6:52:44 PM
to retro-comp
On Thursday, July 21, 2022 at 2:11:50 AM UTC-7 rwd...@gmail.com wrote:
> Apologies for being slow in responding. Somehow I wrote the email but didn't send it.

I hate it when that happens!  😀

> It is the dev zip direct from github of 22 Jan 2022.

OK.  A lot has changed in the dev branch since January.  I don't think I have a simple way to get a copy of that zip file anymore.  One thing that changed is that zx is now back to being called zxcc again (for consistency with other distributions).

> I actually ran zx.exe so perhaps the act of running it forced an AV response.

The detection engines run all .exe files found in a sandbox as part of the assessment.  So, not sure if that explains it.

> However I have multiple versions of romwbw downloaded and cannot reproduce the error.

Yes, that adds to the idea that this was a false positive likely related to the heuristic detection algorithms.

> Microsoft is quick to issue virus updates, so maybe they temporarily had a broken AV update that picked up zx, and the AV is now updated to be good again.

I have definitely seen this type of thing fixed as you suggest.

Thanks for your help with this!

Wayne