ESET LiveGuard detects Get-ChocolateyWebFile.ps1 as malicious

Hello,

We are using Chocolatey in our corporate environment, and started to receive thousands of alerts about this file being malicious: "file:///C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1". For the moment, we have added an exclusion in our ESET Management Console, since we received about 1000+ alarms. Can you tell us how we can investigate further what could be the cause of it? It seems pretty serious.


Here's a 10-year-old version: https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1 that LiveGuard immediately triggers on and submits to ESET VirusLab for analysis:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/18/2024 1:12:42 PM;1932BE42169348A8B3727EB15F620E501C03F832;https://github.com/chocolatey-archive/chocolatey/latest-commit/master/src/helpers/functions/Get-ChocolateyWebFile.ps1;948;Script;Automatic;ESET LiveGuard; xxxxxxx

Interestingly, it appears this script has never been submitted to VirusTotal.


If the following code exists in the latest version of the .ps1 script, "my gut is telling me" this is what is triggering LiveGuard:

[Screenshot attached: Eset_Choc.png]


Here is some additional info on this case:

- We've copied the code into a .txt file and ran a manual scan: the file is "clean".
- When the file is renamed to .ps1 and a manual scan is run: the file is "bad".
- When half of the code is in the .ps1 file (tried with both halves) and a manual scan is run: the file is "clean".

I am attaching the problematic file in .txt format.

[Attachment: get-chocolateywebfile 1.txt]


Downloaded the old file from the archived repo with SHA-1 20da70c2bb02e107cd85d8cc6957c2345140f27b and scanned it locally, no detections.

Downloaded the old file from the active repo with SHA-1 500e26623522a4ef037924832366675616e4d39f and scanned it locally, no detections.

The blocked SHA-1 hash from ESET Protect was DC303D4BE2BDBC54578676362C50900724132DFB.

So I don't know which script version the endpoints which have Chocolatey have.


We observe that this file is being blocked as well - https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1


GitHub has opened a thread on this issue here: https://github.com/chocolatey/choco/issues/3423

It appears the issue is that the .ps1 script involved is unsigned and this is what is triggering the ESET detection:

> @goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files which was then replaced by an unsigned version, and ESET triggered on this.

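As an added example (not code from this thread, from ESET or from Chocolatey), the following PowerShell snippet does what the hash comparison a few posts up and the "unsigned script" explanation above call for on an affected endpoint: it hashes every helper script in the Chocolatey functions directory, compares each SHA-1 with the values quoted in this thread, and reports the Authenticode signature status so an unsigned or tampered copy stands out. The directory path is the one from the original alert; the hash-to-label table is copied from the posts above and assumes those hashes were reported accurately.

```powershell
# Added example, not part of the thread, ESET or Chocolatey.
# Inventory the Chocolatey helper scripts: SHA-1, Authenticode status, and
# whether the hash matches one of the versions discussed in this thread.

$helpersDir = 'C:\ProgramData\chocolatey\helpers\functions'   # path from the alert

# SHA-1 values quoted in the thread (assumed accurate as posted)
$knownHashes = @{
    'DC303D4BE2BDBC54578676362C50900724132DFB' = 'blocked by ESET Protect (per thread)'
    '20DA70C2BB02E107CD85D8CC6957C2345140F27B' = 'archived repo copy, no local detection (per thread)'
    '500E26623522A4EF037924832366675616E4D39F' = 'active repo copy, no local detection (per thread)'
}

function Get-ChocolateyHelperStatus {
    param([string]$Path = $helpersDir)

    Get-ChildItem -Path $Path -Filter '*.ps1' -File | ForEach-Object {
        # Get-FileHash returns upper-case hex, matching the table keys above
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.Name
            SHA1      = $hash
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Known     = if ($knownHashes.ContainsKey($hash)) { $knownHashes[$hash] } else { 'not mentioned in thread' }
        }
    }
}

# A helper that was deleted and re-created without a signature shows NotSigned;
# a signed file whose body was edited afterwards shows HashMismatch.
Get-ChocolateyHelperStatus |
    Sort-Object Signature, File |
    Format-Table File, SHA1, Signature, Signer, Known -AutoSize

# Direct check of the file named in the alert
$target = Join-Path $helpersDir 'Get-ChocolateyWebFile.ps1'
if (Test-Path $target) {
    $h = (Get-FileHash -Path $target -Algorithm SHA1).Hash
    "Get-ChocolateyWebFile.ps1 SHA-1: $h"
    "Authenticode status: " + (Get-AuthenticodeSignature -FilePath $target).Status
    if ($knownHashes.ContainsKey($h)) { "Matches: " + $knownHashes[$h] }
}
```

Run it in an elevated PowerShell on one of the endpoints that raised the alert; the SHA-1 of the local copy tells you which of the versions discussed here the endpoint actually has, and a NotSigned or HashMismatch status for a file that the package normally ships signed is the condition the GitHub reply describes.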

On 4/19/2024 at 4:58 PM, TomPark said:

> Hi Guys,
>
> Can you submit the file to samples as per https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab, the team can then have a look at this.
>
> Regards,

We have already submitted the file on Friday, but we still haven't received a response.
