Trojan in install-tl-windows.exe reported by Windows Defender

Andrea GINI andrea.gini at sns.it
Sat Jun 17 11:17:53 CEST 2023


I'll try to quote everyone into the same message as best I can.

On Fri, 16 Jun 2023, Zdenek Wagner wrote:
> I would rather suspect that the database of the Windows Defender was
> updated in the meantime. To see whether your copy is infected or not,
> you can download the current version of the file from CTAN and compare
> to yours. If they are the same, it is a false positive.

The fact is that I cannot check the old installer from two months ago. I
installed texlive two months ago with the installer and then I deleted it
after a complete installation. To check what my colleague reported I
redownloaded the installer and it was reported as a trojan by Defender, on
the same PC with the same antivirus (Microsoft Defender) that wasn't
triggered before.

On Fri, 16 Jun 2023, Siep Kroonenberg wrote:
> I just tested with a freshly-updated windows 11, and had no trouble
> downloading install-tl-windows.exe with firefox.

> Downloading with edge, I got a warning 'Installing
> install-tl-windows.exe could harm your device. Do you want to keep
> it anyway? But this is 'normal'.

> This does not exclude that some mirror _is_ infected.

The warning with Edge is normal. But if I manually allow the download from
Edge, when it's done I cannot find the executable in the download folder as
Defender immediately deletes it.
This is also true (in my case and for my colleague) from Chrome and
Firefox. With these two browsers we skip the procedure of manually allowing
the download, like in Edge. But when the download is complete, Defender
pops up the warning and the file is automatically deleted from the download
folder.

What I found strange is that Defender doesn't call this problem a
"potential threat", but a "critical threat" automatically blocked and with
a very precise name: Trojan:Win32/Wacatac:B!ml.

I already suggested to my colleague to download the zip or the iso.

I didn't quite understand the last sentence. I downloaded the installer
directly from https://www.tug.org/texlive/windows.html. For example, with R
from CRAN I can choose a different mirror, but in the case of the texlive
installer I always download it from the main site. And the issue is not
during the installation or the update when you choose a repository, but from
the installer executable itself.

Andrea

On Fri 16 Jun 2023 at 22:09 Siep Kroonenberg <siepo at bitmuis.nl>
wrote:

> On Fri, Jun 16, 2023 at 09:33:15PM +0200, Siep Kroonenberg wrote:
> > On Fri, Jun 16, 2023 at 10:27:26PM +0900, Norbert Preining wrote:
> > > On Fri, 16 Jun 2023, Zdenek Wagner wrote:
> > > > I would rather suspect that the database of the Windows Defender was
> > > > updated in the meantime. To see whether your copy is infected or not,
> > > > you can download the current version of the file from CTAN and compare
> > > > to yours. If they are the same, it is a false positive.
> > >
> > > In addition, the installers are signed with our GPG key, that allows you
> > > to verify the integrity.
> >
> > Meanwhile a workaround is to download and unpack the zipfile, and
> > running install-tl-windows.bat.
>
> I just tested with a freshly-updated windows 11, and had no trouble
> downloading install-tl-windows.exe with firefox.
>
> Downloading with edge, I got a warning 'Installing
> install-tl-windows.exe could harm your device. Do you want to keep
> it anyway? But this is 'normal'.
>
> This does not exclude that some mirror _is_ infected.
>
> --
> Siep Kroonenberg
>
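The checks suggested in the quoted replies (compare the file against the copy published on CTAN, and verify the GPG signature) as an added example; this is not code from the thread or from the TeX Live project. It assumes a sha512sum-style sidecar file named install-tl-windows.exe.sha512 with a detached signature in install-tl-windows.exe.sha512.asc, and that the TeX Live signing key is already imported into the local gpg keyring.

```python
"""Decide whether a downloaded install-tl-windows.exe matches what was
published, so a Defender detection can be classified as a false positive
or not. Added example; the sidecar/signature file names are assumptions."""
import hashlib
import hmac
import shutil
import subprocess
from pathlib import Path


def parse_sha512_sidecar(text: str) -> dict:
    """Parse sha512sum-style lines: '<128 hex>  <name>' ('*<name>' = binary)."""
    expected = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 128:
            continue  # skip comments, blank or malformed lines
        expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def sha512_of_file(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, sidecar_text: str) -> bool:
    """True only if the sidecar lists this file name and the digests match."""
    expected = parse_sha512_sidecar(sidecar_text).get(path.name)
    if expected is None:
        return False  # a sidecar for another file proves nothing
    return hmac.compare_digest(sha512_of_file(path), expected)


def gpg_verify(sidecar_path: Path, signature_path: Path) -> bool:
    """Check the detached signature over the sidecar with the already
    imported TeX Live key (assumed). A missing gpg counts as unverified."""
    if shutil.which("gpg") is None:
        return False
    result = subprocess.run(["gpg", "--verify", str(signature_path),
                             str(sidecar_path)], capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    exe = Path("install-tl-windows.exe")
    sidecar = Path("install-tl-windows.exe.sha512")  # assumed file name
    ok = (verify_download(exe, sidecar.read_text())
          and gpg_verify(sidecar, sidecar.with_suffix(".sha512.asc")))
    print("matches published hash and signature" if ok else "MISMATCH or unverified")
```

If the hash matches and the signature verifies, the detection is a false positive on the published file; if either check fails, the file was altered in transit or on the mirror and should not be run.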