Potential false positive AV for MS VisualStudio update

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Potential false positive AV for MS VisualStudio update

L6 Presenter

Running into a weird problem with VisualStudio update package being detected as a generic virus after recent update to Threat databases. But I can download the indicated file itself just fine. Anybody know what's going on here? Current AV database 4184-4697:

 

File "Microsoft.VisualStudio.Platform.Terminal.vsix" downloaded from https://download.visualstudio.microsoft.com - 93.184.215.201 detected as Threat ID: 531713060 - Virus/Win32.WGeneric.djpjyt when downloaded using MS update installer. Initial signature in Wildfire database release 8/19 691333, current signature in AV database release 8/22 4184. Threat database shows sha256: hash 965ab738c1ad0b3e17e19ca1bf3a967ba1f9dfc75778391991e4734886116139.

 

VisualStudio update installer v16.11.18 released 8/9 from: https://docs.microsoft.com/en-us/visualstudio/releases/2019/history The update installer spits out following error which coincides with indicated file being block in PA as a threat:

Package 'Microsoft.VisualStudio.Platform.Terminal,version=16.11.51.30345' failed to download from 'https://download.visualstudio.microsoft.com/download/pr/03852310-e601-439d-8ed5-6836f38ccc59/1a86f8b01f3829e5faf06e0070ddcdca8841dc039d345197744f0cbf27eed935/Microsoft.VisualStudio.Platform.Terminal.vsix'.

 

Manually downloading the blocked file URL in a browser reults in valid file - not blocked by PA. Downloaded file appears correct and has sha256 hash of 200637e3e58adc654c788cc9ce5b4e63177571f3. Update installer fails as it can never successfully download this file (and haven't been able to find a way to insert separately downloaded file into update process).

 

Anyone know why the file is being blocked in the update process but not separately? I can think of a couple reasons but they all seem highly unlikely given the download source.

2 REPLIES 2

L5 Sessionator

The corresponding sha256 hash is 1a86f8b01f3829e5faf06e0070ddcdca8841dc039d345197744f0cbf27eed935 (SHA-1: 200637e3e58adc654c788cc9ce5b4e63177571f3). The WildFire verdict of this sample is benign. (ThreatVault doesn't have this information, though). If you upload the sample to the WildFire cloud, you can find the verdict also.

 

This is most likely a False Positive caused by signature collision.
Reference: What is an Antivirus collision in the case of a False Positive, and how can we deal with it?
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWICA0

 

I would suggest to add an exception on the firewall temporarily for the update to succeed.
Reference: How to Use Anti-Spyware, Vulnerability and Antivirus Exceptions to Block or Allow Threats
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcrCAC

 

I guess the manual downloading with a browser succeeded because it uses a partial download using http range header. It may also depend on how the security policy & profile are configured on the firewall.

L6 Presenter

Ooops... you are correct, gave the SHA1 hash instead of the SHA256... trying to do it on a Windows PC instead of a Linux PC I'm more familiar with.

 

Yeah, our Infosec is currently going over it. Biggest problem is that we haven't been able to replicate it/have a download Infosec can confirm is a false positive via other tools. The VisualStudio installer tool is triggering the alert repeatedly when it downloads the file on some machines, but we don't get the alert using the same installer on other machines. We are unsure if the installer pulling different files or giving different arguments to the download server, which results in a slightly different file downloads. Wildfire says the file is benign, but the SHA256 hash is different than the manual download, so the question becomes, is the server providing different versions of the same file?

 

We are doing full decryption with AV/threat/wildfire/URL filtering on all the affected traffic. As you suggest, I think it is most likely a signature collision, but it our high security environment we are hesitant to give a signature bypass without a testable confirmation of benign-ness.

  • 3250 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!