Windows 10 claims trojan Win32/Vigorf.A is present in rubyinstaller-devkit-2.4.4-2-x64.exe


Jason

Jun 27, 2018, 12:43:14 PM
to RubyInstaller
Using Windows 10 Pro, up to date:

Version 10.0.17134 Build 17134


When attempting to download the following file using Chrome, as linked in https://rubyinstaller.org/downloads/ :


...Windows Defender quarantines the file, claiming the trojan Win32/Vigorf.A is present. I assume this is a false positive, but haven't risked installing it anyway.


I have attached a screenshot of the warning.


ruby-trojan-warning.png

entro...@gmail.com

Jun 29, 2018, 3:36:48 AM
to RubyInstaller
I also have this error. Win10 Pro as well.

Justin Baker

Jun 29, 2018, 2:32:10 PM
to rubyin...@googlegroups.com
This happens from time to time.


With the devkit especially it's probably flagging some of the scripts.

With the latest Defender definitions it took about 5 minutes to scan but didn't warn me of any threats.

However, since the installer is so large it can't be submitted to the Windows Defender Team.
The only real alternative I can think of would be to sign the installer packages again, but it's a lot of work.

Luckily MSYS2 is widely used and someone somewhere will probably tag the offending file as a false positive.

Anyway, sorry for the inconvenience. Hopefully this sheds some light on the problem though.

Justin

entro...@gmail.com

Jun 29, 2018, 5:06:05 PM
to RubyInstaller
Thanks for that, I'll go ahead and whitelist the file now. Microsoft allows submission of files <50mb, I'll do a partial zip of it and upload it. Then explain in the description, asking them to whitelist all the products from rubyinstaller.

Lars Kanis

Jun 29, 2018, 5:33:46 PM
to rubyin...@googlegroups.com, Justin Baker
Thank you Justin, I didn't know that this is a known problem. You even got a Microsoft representative! I updated this issue on GitHub today: https://github.com/oneclick/rubyinstaller2/issues/120

Actually I was able to upload the 120Mbyte file to Microsoft. But it seems that the false positive has been fixed anyway in the meantime.

I'll try to re-introduce signatures to the executables, although I'm uncertain if it really helps against classification as malware. Do you have any evidence that this is related?


--
Kind Regards,
Lars

Justin Baker

Jun 29, 2018, 7:16:42 PM
to rubyin...@googlegroups.com
Hey Lars, there was a mention that digital signatures do help. They change the behavior of Defender.


There is another mention a couple of comments down as well.

Hope that helps.

Justin

