Georgi Stoychev, posted April 18:

Hello,

We are using Chocolatey in our corporate environment, and have started to receive thousands of alerts about this file being malicious: "file:///C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1". For the moment, we have added an exclusion in our ESET Management Console, since we received about 1000+ alarms. Can you tell us how we can investigate further what could be the cause of it? It seems pretty serious.
itman, posted April 18:

Here's a 10-year-old version: https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1 that LiveGuard immediately triggers on and submits to ESET VirusLab for analysis:

Time;Hash;File;Size;Category;Reason;Sent to;User
4/18/2024 1:12:42 PM;1932BE42169348A8B3727EB15F620E501C03F832;https://github.com/chocolatey-archive/chocolatey/latest-commit/master/src/helpers/functions/Get-ChocolateyWebFile.ps1;948;Script;Automatic;ESET LiveGuard; xxxxxxx

Interestingly, it appears this script has never been submitted to VirusTotal.
itman, posted April 18:

If the following code exists in the latest ver. of the .ps1 script, "my gut is telling me" this is what is triggering LiveGuard:
Georgi Stoychev (author), posted April 19:

Here is some additional info on this case:

- We copied the code into a .txt file and ran a manual scan: the file is "clean".
- When the file is renamed to .ps1 and a manual scan is run: the file is "bad".
- When half of the code is in the .ps1 file (tried with both halves) and a manual scan is run: the file is "clean".

I am attaching the problematic file in .txt format.

Attachment: get-chocolateywebfile 1.txt
thae, posted April 19:

Downloaded the old file from the archived repo with SHA-1 20da70c2bb02e107cd85d8cc6957c2345140f27b and scanned it locally, no detections.

Downloaded the old file from the active repo with SHA-1 500e26623522a4ef037924832366675616e4d39f and scanned it locally, no detections.

The blocked SHA-1 hash from ESET Protect was DC303D4BE2BDBC54578676362C50900724132DFB.

So I don't know which script version the endpoints that have Chocolatey have.
Georgi Stoychev (author), posted April 19:

The file that is being detected in our environment has the signature 500E26623522A4EF037924832366675616E4D39F.
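A small triage helper, added here as an example and not code from anyone in this thread: it parses a LiveGuard submission export in the ';'-separated layout itman pasted and matches each hash against the SHA-1 values quoted in the thread, so you can tell which copy of Get-ChocolateyWebFile.ps1 an endpoint actually has before deciding whether to submit it as a false positive. The export rows below are constructed samples; KNOWN_SHA1 holds only hashes quoted in this thread.

```python
import csv
import hashlib
import io

# SHA-1 values quoted in this thread, keyed upper-case as ESET exports them.
# The descriptions are what each poster reported about that copy.
KNOWN_SHA1 = {
    "20DA70C2BB02E107CD85D8CC6957C2345140F27B":
        "archived repo copy: scanned clean locally (thae)",
    "500E26623522A4EF037924832366675616E4D39F":
        "active repo copy: scanned clean locally (thae); hash on Georgi's endpoints",
    "DC303D4BE2BDBC54578676362C50900724132DFB":
        "hash blocked in ESET Protect, not matched to either repo copy (thae)",
    "1932BE42169348A8B3727EB15F620E501C03F832":
        "copy LiveGuard submitted to ESET VirusLab (itman)",
}


def sha1_hex(data: bytes) -> str:
    """Upper-case SHA-1 of file content, e.g. open(path, 'rb').read()."""
    return hashlib.sha1(data).hexdigest().upper()


def classify(sha1: str) -> str:
    """Map a hash to what the thread knows about it; unknown copies need review."""
    return KNOWN_SHA1.get(sha1.upper(),
                          "unknown copy: compare against the repo and submit to ESET if clean")


def triage_liveguard_export(text: str) -> list:
    """Parse the ';'-separated LiveGuard log (header: Time;Hash;File;Size;...)."""
    rows = csv.DictReader(io.StringIO(text), delimiter=";")
    return [{"file": r["File"], "hash": r["Hash"].upper(),
             "verdict": classify(r["Hash"])} for r in rows]


# Constructed sample rows in the same layout as the export pasted above.
# The all-zero hash is a deliberately fake value standing in for an unknown copy.
SAMPLE_EXPORT = """Time;Hash;File;Size;Category;Reason;Sent to;User
4/18/2024 1:12:42 PM;1932BE42169348A8B3727EB15F620E501C03F832;repo/Get-ChocolateyWebFile.ps1;948;Script;Automatic;ESET LiveGuard;user1
4/19/2024 9:00:00 AM;500e26623522a4ef037924832366675616e4d39f;C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1;948;Script;Automatic;ESET LiveGuard;user2
4/19/2024 9:05:00 AM;0000000000000000000000000000000000000000;C:/ProgramData/chocolatey/helpers/functions/Get-ChocolateyWebFile.ps1;950;Script;Automatic;ESET LiveGuard;user3
"""

if __name__ == "__main__":
    for row in triage_liveguard_export(SAMPLE_EXPORT):
        print(row["hash"], row["verdict"])
```

Hashes are compared case-insensitively because thae and Georgi quoted the same value in different case.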
Georgi Stoychev (author), posted April 19:

We observe that this file is being blocked as well: https://github.com/chocolatey-archive/chocolatey/blob/master/src/helpers/functions/Get-ChocolateyWebFile.ps1
TomPark (ESET Staff), posted April 19:

Hi Guys,

Can you submit the file to samples as per https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab, so the team can then have a look at this.

Regards,
itman, posted April 19:

Quoting TomPark (30 minutes earlier): "the team can then have a look at this"

You can get a copy of the script LiveGuard detects here: https://www.powershellgallery.com/packages/chocolatey/0.0.1/Content/public/Get-ChocolateyPackage.ps1 in addition to the GitHub web site.
itman, posted April 19:

GitHub has opened a thread on this issue here: https://github.com/chocolatey/choco/issues/3423. It appears the issue is that the .ps1 script involved is unsigned and this is what is triggering the ESET detection:

Quote:
@goshostoychev given that this appears to be an isolated incident (i.e. we are not seeing this being reported by lots of people), I don't think there is anything that needs to be done from our side. The root of the problem seems to be the initial deletion of one of the Chocolatey PowerShell files, which was then replaced by an unsigned version, and ESET triggered on this.
Georgi Stoychev (author), posted April 23:

Quoting TomPark (4/19/2024 at 4:58 PM): "Hi Guys, Can you submit the file to samples as per https://support.eset.com/en/kb141-submit-a-virus-website-or-potential-false-positive-sample-to-the-eset-lab, the team can then have a look at this. Regards,"

We already submitted the file on Friday, but we still haven't received a response.
Georgi Stoychev (author), posted May 7:

Hello,

Is there any progress on this issue? We haven't officially received a response on whether the file has been whitelisted, but we tested it on a few laptops and ESET is no longer marking it as malicious.