Posted by: Christer on Wednesday, May 04, 2022 - 14:04
It's come to my attention that Windows Defender has started to trigger a warning of a malware on the FFB client. The specific malware in question is called "Trojan:Script/Wacatac.B!ml".

Without going into too much detail about what this malware is, and what it does, the warning is very likely a false positive. Basically, the FFB client is a ZIP archive with java code. The malware isn't Java based, and wouldn't execute in the context of a Java application, but would instead (if executed) start a process on your machine called "biddulphia9" (and it would show up in the task manager).

I will see if I can reproduce this warning when I get home, and will do a new build of the FFB client to see if the false positive is suppressed.

Steps you can do if you're uncertain:
Check for the process in the task manager (as explained above)

Download the FFB Client .jar file(s) from:
https://fumbbl.com/FFBClient/live
Rename each .jar file to .zip, and extract the files (all of this is perfectly safe, even if it had contained said malware). You can then look through all the files to see if there are any windows executables, and if you're being particularly nervous use tools to decompile the .class files to java code to see what they do. Obviously, this last step is complicated and takes a fair amount of development skill to do.

Delete detection history as suggested here:
https://answers.microsoft.com/en-us/protect/forum/all/what-to-do-about-trojanwin32wacatacbml-false/d884df80-2dba-46c9-bd8b-4e2f93c9dd3f
Unsure if this works, but could be worth testing.

Google-search for information on this. There could be a bit of a "wave" of false positives with this one going on. If this is the case, there will eventually be an antivirus definition update from Microsoft that will make this go away. Regardless, it never hurts to keep yourself informed about what malware is out there and how it functions.

I will update this post once I'm home again and able to take steps to reproduce the problem and see if a rebuild resolves it.

Update 1:
I've reviewed the binary form of the files that trigger this malware warning. It turns out that javaws does a small modification to the archive (it adjusts a small piece of data in the ZIP header). The pre-javaws file does not trigger this issue, but the extra few bytes of header information does. The actual content of the archive (the java bytecode) is unchanged.

This leads me to the conclusion that the Windows Defender definitions have been changed to produce this false positive (which is frustrating to say the least). As a workaround, you can go to Settings->Virus & Threat protection->Protection history. Here you will see one or more "Threat blocked" which will point to the Java "Deployment Cache", and manually allow these to be processed.

Note that you should typically only do this if you are sure that the file in question is safe. Comparing the files from this cache with the files I linked above will allow you to verify my claims that the differences are absolutely minimal and double-check my conclusions. I will still try to build new versions of these files and hope that this removes the warnings.

Update 2:
I've resigned the library files that were causing the issue, and they appear to no longer be flagged as malware. Apologies for the inconvenience.
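As an added example (not from the post or from the FFB client project), the checks the post describes can be scripted: open a .jar as the ZIP archive it is, flag any entry that looks like a Windows executable, and compare two jars entry by entry so that a header-only difference of the kind Update 1 attributes to javaws shows up as "archive bytes differ, content identical". The entry names and sample bytes below are constructed.

```python
"""Inspect FFB client .jar files (ZIP archives) for Windows executables and
compare two jars entry by entry.  Added example, not from the original post;
all file and entry names below are constructed."""
import hashlib
import io
import zipfile

PE_MAGIC = b"MZ"                                   # DOS/PE header magic
WINDOWS_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1")


def scan_jar(data: bytes) -> dict:
    """Return sha256 per entry plus entries that look like Windows executables
    (by extension or by an MZ header, so a renamed .exe is still caught)."""
    digests, suspicious = {}, []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            digests[info.filename] = hashlib.sha256(content).hexdigest()
            if info.filename.lower().endswith(WINDOWS_EXT) or content.startswith(PE_MAGIC):
                suspicious.append(info.filename)
    return {"digests": digests, "suspicious": suspicious}


def compare_jars(a: bytes, b: bytes) -> dict:
    """Compare two jars by entry content only; ZIP header/metadata differences
    (like the ones javaws adds) are reported separately as archive_bytes_differ."""
    da, db = scan_jar(a)["digests"], scan_jar(b)["digests"]
    return {
        "only_in_a": sorted(set(da) - set(db)),
        "only_in_b": sorted(set(db) - set(da)),
        "changed": sorted(n for n in da.keys() & db.keys() if da[n] != db[n]),
        "archive_bytes_differ": a != b,
    }


def build_jar(entries: dict, comment: bytes = b"") -> bytes:
    """Constructed sample builder: an in-memory jar; `comment` stands in for a
    header-only tweak that leaves every entry's bytes unchanged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
        zf.comment = comment
    return buf.getvalue()
```

Run scan_jar on each .jar from the Java Deployment Cache and compare_jars against the copy downloaded from the link above; an empty `changed` list together with `archive_bytes_differ` being true is exactly the header-only difference Update 1 describes.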
Badoek on May 05, 2022 - 09:16
Thanks for explaining & fixing!
Kinks on May 06, 2022 - 01:40
Awesome, thanks!
Valen on May 20, 2022 - 16:48
Erm, I have no idea what you just said, but, as always, thanks Christer :)