32.5.1 quarantined and removed by Win 11 Defender

Paleuser
Newbie
Posts: 4
Joined: 2023-07-14, 02:20

32.5.1 quarantined and removed by Win 11 Defender

Unread post by Paleuser » 2023-11-29, 00:28

Win 11 Home, 32.5.1, 64 bit

Installed add-ons:
Installed plugins (about:plugins):

Win Security reported: Trojan:Script/Wacatac.B!ml

The installation was quarantined and removed as soon as the browser restarted after installing the new version; I reverted to an earlier version to restore function.

Very similar to previous issue, but a different "trojan" this time:

viewtopic.php?f=3&t=30039

I did find this advice:

https://answers.microsoft.com/en-us/win ... 5a3402d26a

However, Win 11 isn't cooperative about granting access to the Defender Scans folders. The further advice is to make use of this:

https://www.microsoft.com/en-us/wdsi/filesubmission

However, I imagine that the version update download is a different file from the fresh install, so I have not pursued it. Perhaps it would be useful to clear fresh versions as clean install and as updates this way?

Meantime, notification of when Defender fixes the problem would be useful: downloading the update and having it immediately eliminated is an unnecessary pain. Otherwise my defence is not to download the latest version until there is another new one at least.
Last edited by Moonchild on 2023-11-30, 19:21, edited 1 time in total.
Reason: Clarified topic title.

Daikun
Lunatic
Posts: 440
Joined: 2013-12-13, 20:54
Location: California

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Daikun » 2023-11-29, 01:12

The same thing happened to me. The PM shortcut wouldn't work and I had to reinstall the browser using Edge.
Thankfully, none of my settings were lost and my browsing session was saved, but still, that was annoying.
This was the report I got, BTW.

[image: the Defender report]

EDIT: Also, I was on Windows 10, not 11.
Last edited by Daikun on 2023-11-29, 06:09, edited 1 time in total.

athenian200
Contributing developer
Posts: 1396
Joined: 2018-10-28, 19:56
Location: Georgia

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by athenian200 » 2023-11-29, 04:01

This is pretty bad news. Pale Moon is actually digitally signed and has been around for a while, and a problem like this could make automatic updates totally impractical on Windows 11 and later, since nothing can be updated without manual user intervention and messing with Windows Defender to make sure the whole browser isn't deleted.

There's no actual malware in the browser, and no good reason to wait until the next version, but this does mean that the filter is becoming a lot more aggressive due to the use of bad heuristics.

There is nothing more that can be done on our end, AFAIK. We can't control whether defender flags the updates or not... it's totally random. The only advice I have is to try excluding the Pale Moon folder in Program Files from being scanned...

To exclude a folder from Windows Defender scan in Windows 11, you can follow these steps:

1. Open Windows Security by searching for it in the search box.
2. Click on “Virus & threat protection” and then click on “Manage settings”.
3. Scroll down to the “Exclusions” section and click on “Add or remove exclusions”.
4. Click on “Add an exclusion” and select “Folder”.
5. Choose the folder you want to exclude from the scan and click on “OK”.

Mozilla themselves have apparently had to exclude the development folder from Windows Defender in newer versions of Firefox, because they've had files get flagged by Windows Defender as they are being compiled, though they are still able to keep the signed binaries from this fate somehow.

Supposedly, other AV programs are not as bad with the false positives as Defender is, it's gotten very aggressive lately. So you may want to see if you can install another AV program that doesn't rely on heuristic detection for trojans as much.

If you look around the Internet for the name of that trojan, you'll see long threads like this of people getting told they have this virus, whether they are using known-safe programs or even self-compiled applications as developers:

https://www.reddit.com/r/antivirus/comm ... acatacbml/
Off-topic:
One thing I noticed, is that it seems like 7zip format is part of the puzzle... using zip compression instead seems less suspicious to Windows Defender for some reason. By itself it doesn't seem to do much, but 7zip does seem to do something that Defender dislikes, like it adds "points" that make it more likely to be flagged... that's also corroborated on all these random threads around the Internet.
EDIT: Weirdly, VirusTotal is showing nothing that would indicate Pale Moon is being flagged as a false positive by Microsoft or any other security vendor...

https://www.virustotal.com/gui/file/58e ... /detection

https://www.virustotal.com/gui/file/f0f ... ec8321890c
"The Athenians, however, represent the unity of these opposites; in them, mind or spirit has emerged from the Theban subjectivity without losing itself in the Spartan objectivity of ethical life. With the Athenians, the rights of the State and of the individual found as perfect a union as was possible at all at the level of the Greek spirit." -- Hegel's philosophy of Mind

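As an added example (not code from this thread or from the Pale Moon project), the PowerShell below does what the five exclusion steps above do, but from an elevated prompt, and with two changes a practitioner would want: it first checks the Authenticode signature athenian200 mentions, and it excludes only palemoon.exe rather than the whole folder. The install path is an assumption (the default 64-bit location), and the signer subject is printed rather than hard-coded because the thread does not state what it should be.

```powershell
# Added example, not Pale Moon project code. Assumes the default 64-bit
# install path; run from an elevated PowerShell.
#Requires -RunAsAdministrator
$PaleMoonDir = 'C:\Program Files\Pale Moon'          # assumed default path
$Exe         = Join-Path $PaleMoonDir 'palemoon.exe'

# Check the Authenticode signature before trusting the file enough to
# exclude it. Status 'Valid' means the chain verified and the file is
# unmodified since signing; print the signer so it can be eyeballed
# (the thread does not state the expected subject, so it is not hard-coded).
$sig = Get-AuthenticodeSignature -FilePath $Exe
"{0}: {1}" -f $Exe, $sig.Status
if ($sig.SignerCertificate) {
    "Signer     : " + $sig.SignerCertificate.Subject
    "Thumbprint : " + $sig.SignerCertificate.Thumbprint
}
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)'; not adding an exclusion."
}

# Exclude the one executable rather than the whole folder (see note below).
$current = (Get-MpPreference).ExclusionPath
if ($current -contains $Exe) {
    "Exclusion already present for $Exe"
} else {
    Add-MpPreference -ExclusionPath $Exe
    "Added exclusion for $Exe"
}

# Audit what is excluded now. Undo later with:
#   Remove-MpPreference -ExclusionPath $Exe
(Get-MpPreference).ExclusionPath
```

A folder exclusion is broader than it looks: every file later written under that path, including anything a trojan copies into the installation (the scenario athenian200 raises further down in the thread), is never scanned again. Excluding the single signed executable keeps the gap small; fall back to the folder only if the flagged file turns out to be something else under it (an updater file, for instance), and remove the exclusion once Microsoft withdraws the detection.
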
H Seldon
Hobby Astronomer
Posts: 23
Joined: 2021-05-21, 01:30

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by H Seldon » 2023-11-29, 06:21

I just did a manual scan of Pale Moon-Portable 32.5.1 folder with Windows Defender and it came up clean.
I'm on Windows 10, build 19045.3693.
Wenn ist das Nunstück git und Slotermeyer? Ja! Beiherhund das Oder die Flipperwaldt gersput.

moonbat
Knows the dark side
Posts: 4868
Joined: 2015-12-09, 15:45

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by moonbat » 2023-11-29, 06:38

It seems rather hit and miss, so best is to do what athenian200 said and simply exclude the Pale Moon folder from Defender's scans.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

athenian200
Contributing developer
Posts: 1396
Joined: 2018-10-28, 19:56
Location: Georgia

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by athenian200 » 2023-11-29, 08:30

Well, I sent in a copy of palemoon.exe from the new version, and this was the reply...
Microsoft Support wrote:
Analyst comments:

We cannot reproduce any detection on the file. If the detection is still observed, follow the steps below to capture support log files from the system reporting detection.

From an elevated command prompt, change to directory "%programfiles%\windows defender" and execute mpcmdrun.exe with option GetFiles:
cd "%programfiles%\windows defender"
mpcmdrun.exe -GetFiles

All created log files will be compressed into MPSupportFiles.cab. Please send us the detected file and MPSupportFiles.cab using https://aka.ms/wdsi. We will continue the investigation once we receive the support log files.
So, whatever was causing that to be detected can't be reproduced. It's possible that your computer actually did have a trojan on it at some point in time, and that can make Windows Defender a lot more paranoid locally, because the trojans it is detecting are the type that attach themselves to innocent-looking files and change their hash signature. For all I know, maybe that trojan did infect your copy of Pale Moon... but Pale Moon itself wouldn't be the issue in that case, it would be that your system has a trojan that is copying parts of itself into your Pale Moon installation. I sometimes wonder if a portion of our userbase is accidentally getting infected with trojans that attach themselves to their local copies of Pale Moon, because I really don't see these messages myself as much as other people do...not on any of the computers I use, even the ones I don't use for development.

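Added example, not Microsoft's reply or Pale Moon project code: a PowerShell session that collects what the analyst asks for above, plus the two things worth attaching to the same submission: the detection records this machine actually logged (threat ID, triggering process, file hit) and a SHA-256 of the binary being sent. It assumes an elevated prompt, the default Defender path and the default Pale Moon install path; the column names are those of the Defender PowerShell module.

```powershell
# Added example, not a Microsoft or Pale Moon script. Assumes an elevated
# PowerShell, the default Defender path and the default Pale Moon path.
#Requires -RunAsAdministrator
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$Exe      = 'C:\Program Files\Pale Moon\palemoon.exe'   # assumed default path

# 1. The detections this machine actually recorded: when, which threat ID,
#    which process triggered it and which file(s) were hit.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ThreatID, ProcessName,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Format-Table -AutoSize

# 2. Threat IDs mapped to the names shown in the Windows Security UI
#    (e.g. Trojan:Script/Wacatac.B!ml), so the submission can name them.
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize

# 3. Hash the exact bytes being submitted. The same hash is what to look up
#    on VirusTotal, and an updater-delivered and an installer-delivered copy
#    of the same release should produce the same value.
if (Test-Path $Exe) { Get-FileHash -Algorithm SHA256 -Path $Exe | Format-List }

# 4. The support bundle the analyst asked for (MpSupportFiles.cab; the tool
#    prints where it was written).
& $MpCmdRun -GetFiles
```

If step 1 shows a process other than the updater or the installer touching palemoon.exe at detection time, that is the first thing to look at before assuming a false positive, which is the point athenian200 makes about a trojan attaching itself to a local copy.
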
Potkeny
Fanatic
Posts: 128
Joined: 2018-08-03, 17:00

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Potkeny » 2023-11-29, 09:05

athenian200 wrote:
2023-11-29, 08:30
I sometimes wonder if a portion of our userbase is accidentally getting infected with trojans that attach themselves to their local copies of Pale Moon, because I really don't see these messages myself as much as other people do...not on any of the computers I use, even the ones I don't use for development.
Off-topic:
I probably made windefender trigger-happy by doing CTFs; sometimes even my notes are quarantined for containing malware due to copy-pasting parts of the code outside a VM. Good to know that Defender behaves differently based on local history, explains my warnings somewhat!

Moonchild
Pale Moon guru
Posts: 35259
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Moonchild » 2023-11-29, 10:10

I was unable to reproduce either but submitted the latest version of the browser (last night when I saw this thread) with a mention of this report attached to Microsoft anyway (as a developer).
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Moonchild
Pale Moon guru
Posts: 35259
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Moonchild » 2023-11-29, 10:45

Analyst reply:
Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

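Added example (not the analyst's or the Pale Moon project's script): the three steps above as a PowerShell session, with a before/after check on the signature version, followed by restoring the quarantined file from Defender's quarantine instead of reinstalling, since the binary itself was never the problem. It assumes an elevated prompt, the default Defender path, the default Pale Moon install path, and the threat name reported at the top of this thread; change the -Name argument to whatever -Restore -ListAll actually prints.

```powershell
# Added example, not a Microsoft or Pale Moon script. Assumes an elevated
# PowerShell and the default Defender and Pale Moon install paths.
#Requires -RunAsAdministrator
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$Exe      = 'C:\Program Files\Pale Moon\palemoon.exe'   # assumed default path
$Threat   = 'Trojan:Script/Wacatac.B!ml'                # name reported in this thread

$before = (Get-MpComputerStatus).AntivirusSignatureVersion

# Steps 1-2: drop the locally cached dynamic (cloud-delivered) signatures,
# which are what keep re-flagging a file after the vendor has cleared it.
& $MpCmdRun -RemoveDefinitions -DynamicSignatures
if ($LASTEXITCODE -ne 0) { throw "RemoveDefinitions failed with exit code $LASTEXITCODE" }

# Step 3: fetch current definitions.
& $MpCmdRun -SignatureUpdate
if ($LASTEXITCODE -ne 0) { throw "SignatureUpdate failed with exit code $LASTEXITCODE" }

$after = (Get-MpComputerStatus).AntivirusSignatureVersion
"Antivirus signature version: $before -> $after"

# See what is in quarantine before restoring anything.
& $MpCmdRun -Restore -ListAll

# Restore every quarantined item recorded under that threat name.
& $MpCmdRun -Restore -Name $Threat -All

# Check: a custom scan of just the restored file should now come back clean.
if (Test-Path $Exe) {
    & $MpCmdRun -Scan -ScanType 3 -File $Exe
    "Scan exit code: $LASTEXITCODE (0 = no threat found)"
}
```

Restore only after the vendor has withdrawn the detection, as the analyst reply above states: -Restore puts the file back exactly as it was quarantined, so on a machine that really is infected it reintroduces the malware. The file-only scan at the end is the check that the cleared verdict actually took on this machine.
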
ron_1
Moon Magic practitioner
Posts: 2849
Joined: 2012-06-28, 01:20

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by ron_1 » 2023-11-29, 21:00

Off-topic:
Threads like this one make me glad I moved over to Linux years ago.

Moonchild
Pale Moon guru
Posts: 35259
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Moonchild » 2023-11-29, 22:55

Off-topic:
ron_1 wrote:
2023-11-29, 21:00
Threads like this one make me glad I moved over to Linux years ago.
Linux AVs can have false positives just as easily. This has nothing to do with the O.S.

Paleuser
Newbie
Posts: 4
Joined: 2023-07-14, 02:20

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by Paleuser » 2023-11-29, 23:43

Moonchild wrote:
2023-11-29, 10:45
Analyst reply:
Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

I followed these directions, and I'm pleased to report that afterward I installed 32.5.1 with no issues. It's worth bookmarking this solution for future reference. Thanks for taking the trouble to submit the files to MS to help resolve the issue.

back2themoon
Moon Magic practitioner
Posts: 2338
Joined: 2012-08-19, 20:32

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by back2themoon » 2023-11-30, 00:20

Using both Windows 11 and Defender sounds like a nightmare. Ditch Defender at the very least.

greentapeshaman
New to the forum
Posts: 1
Joined: 2023-11-30, 00:20

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by greentapeshaman » 2023-11-30, 00:25

Had win10 defender pop up with the exact same thing last night when the palemoon browser update hit.
Followed the previous post and its working fine now.

Way to spook people into compliance to use the 'correct' internet browsers m$.
Moonchild wrote:
2023-11-29, 10:45
Analyst reply:
Analyst comments:

At this time, the submitted files do not meet our criteria for malware or potentially unwanted applications. The detection has been removed. Please follow the steps below to clear cached detections and obtain the latest malware definitions.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
3. Run "MpCmdRun.exe -SignatureUpdate"

LAR Grizzly
Lunatic
Posts: 340
Joined: 2017-08-11, 16:49
Location: Upstate Ohio, USA

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by LAR Grizzly » 2023-11-30, 18:42

Shouldn't the title of this post be: "32.5.1 quarantined and removed by Win 11 Defender"?
Win7 Pro SP1 64 Bit
Comodo Internet Security
Pale Moon 33.0.1, Epyrus Mail 2.1.2, Firefox 115.8.0esr, Thunderbird 115.8.0, and SeaMonkey 2.53.18

back2themoon
Moon Magic practitioner
Posts: 2338
Joined: 2012-08-19, 20:32

Re: 35.2.1 quarantined and removed by Win 11 Defender

Unread post by back2themoon » 2023-11-30, 19:14

It's ok... it'll definitively quarantine 35.2.1 as well.

njren
Hobby Astronomer
Posts: 25
Joined: 2017-01-04, 23:53

Re: 32.5.1 quarantined and removed by Win 11 Defender

Unread post by njren » 2023-12-08, 01:27

This happened to me today when I was prompted to update to 32.5.1 running on Windows 10 Pro 64 Build 19045.3448, but identified palemoon.exe infected with: trojan:win64/infostealer!MSR

Just adding in case someone does a search for that trojan.

Downloaded the full installer on a different machine, copied over, installed, and no further protests.

Moonchild
Pale Moon guru
Posts: 35259
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: 32.5.1 quarantined and removed by Win 11 Defender

Unread post by Moonchild » 2023-12-08, 13:04

njren wrote:
2023-12-08, 01:27
Downloaded the full installer on a different machine, copied over, installed, and no further protests.
This shows you how fickle their heuristics engine is, because they are literally, byte for byte, the exact same binaries. The only difference is that one is delivered via .mar and updater, and the other via installer.
