Git-2.24.1.2-64-bit.exe trips Windows Defender SmartScreen #2426
Comments
Same issue here! Checked hashes, which are correct, so not sure what causes this. Probably the fact that there are only a few installs yet. |
I think this all comes back to a mistake I made almost two weeks ago. I was working on an Azure Pipeline to build and publish MSYS packages, and by mistake one of the builds leaked the private key of my code-signing certificate. This required me to revoke that one, and get a new one. So v2.24.1(2) is code-signed with a certificate that has not seen much exposure (although there was at least one snapshot in the meantime, but, you know, we could really use more people testing those snapshots). So hopefully this will soon be resolved by virtue of tons of users downloading the new version and installing it (https://www.somsubhra.com/github-release-stats/?username=git-for-windows&repository=git claims that it has been downloaded ~150k times, which should in theory be enough to convince SmartScreen). |
@dscho, can you use traffic from the check-for-updates feature to figure out how many installs there are (with that turned on, I don't use it) per day? It would be super-interesting to know how much (if at all) this slows adoption until it's trusted. Also, I've been curious about this for a while: I seem to remember you signing (GPG) your commits, but stopping at some point. Why is that? The releases feature that information pretty prominently, seems like it would be comforting to see "verified" there. |
You mean like 44c1590 for example? I think those just occasionally happen when he commits something through the github web interface. |
According to this, "GitHub will automatically sign commits you make using the GitHub web interface." I didn't know that (and I'm not sure it's an awesome idea, at least without opt-in). Edit: I assumed you meant signed from client and unsigned from web, but it looks like you meant the opposite. That would actually make sense. |
The analysis result from http://wp.hybrid-analysis.com/sample/34e484936105713e7d0c2f421bf62e4cfe652f6638a9ecb5df2186c1918753e2?lang=en looks a bit disturbing. Older versions of the Git for Windows installer do not look any better so I don't really know what to make of it. Risk Assessment: Spyware |
Can confirm. It's particularly unfortunate that this is the first release with the new certificate and this issue, since this release fixes several windows-centric security vulnerabilities... |
@dakotahawkins no, I have no access to the traffic. It's all under GitHub's control, I have no way of knowing any details other than what is published: the download numbers.
I agree. According to https://www.somsubhra.com/github-release-stats/?username=git-for-windows&repository=git, the 64-bit installer has been downloaded "only" 365k times. Now, https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview talks about a reputation-based system, therefore I would expect this warning to go away Real Soon Now.
Yes, it is very unfortunate, and I lost quite some sleep over my blunder for that very reason.
@cblomqvist that "risk assessment" casts a really wide net. I don't know that I agree that it is helpful to risk so many false positives. It also does not fill me with a lot of confidence that this is a HTTP-only URL, and when you try to use HTTPS on it, it uses a certificate for a different domain (www.reverse.it).
Riiiiight. That is a very worrisome thing that some sort of (insert hand-waving) string was found that may be used as (insert hand-waving again) part of an injection method. Is there injection going on in Git for Windows? Sure there is. If you open a Git Bash, start a process, and then hit Ctrl+C, a remote thread is injected to emulate what would be done in a Win32 Console (similar to Is that spyware? No, it is not.
Yes, it does. If you call any of the scripted parts of Git. That's part of the reason why I work so hard on turning those scripts into built-ins.
Like, when pushing? Or when fetching? Wooooooh! It's malware! No, it's not. It's just doing precisely what it is supposed to do.
Yep. It has to.
Yes, that too. It is done as part of generating a default email address if the user has not provided one via
So pulling changes that remove files is now called "evasive"? Come on. I mean, come on!
Yes, escaped byte strings are part of Git. On purpose. And no, it's not shellcode. There is also shell code, maybe that should now be considered malicious, too?
I don't really know what this is about. Git Bash will generate internal links
That domain is probably used while validating the code-signature, probably in their own attempt to validate it against the Certificate Revocation List (which is the right thing to do, and not something to spread worry about). In short, I find it very questionable to call this sort of thing a risk assessment. And a lot of these things (such as the thing where it calls marking files for deletion as "evasive") do not even need any expertise, a little critical thinking on your part would have been sufficient to flatly reject this part of the assessment. Really, "risk assessment"... You could call it wasting an already-overworked open source maintainer's time, is what you could call it. And you'd be absolutely right to call it that, if you ask me. |
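The two checks discussed in this thread, the hash comparison mentioned earlier ("Checked hashes, which are correct") and the code-signature and Certificate Revocation List validation dscho refers to above, as an added PowerShell example. This is not code from the Git for Windows project or from anyone in this thread; the installer path and the expected SHA-256 are placeholder parameters the reader supplies from the release page.

```powershell
# Added example (not Git for Windows project code): verify a downloaded installer's
# SHA-256 against the published value, then inspect its Authenticode signature and
# rebuild the signer's certificate chain with online revocation (CRL/OCSP) checking.
# $InstallerPath and $ExpectedSha256 are placeholders supplied by the reader.
param(
    [Parameter(Mandatory = $true)][string]$InstallerPath,
    [Parameter(Mandatory = $true)][string]$ExpectedSha256
)

$ErrorActionPreference = 'Stop'

# 1. Integrity: does the file match the hash published with the release?
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
}
Write-Host "SHA-256 OK: $actual"

# 2. Authenticity: is the Authenticode signature valid, and who signed it?
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') {
    throw "Authenticode status is '$($sig.Status)': $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate
Write-Host "Signer : $($cert.Subject)"
Write-Host "Issuer : $($cert.Issuer)"
Write-Host "Thumb  : $($cert.Thumbprint)"
Write-Host "Valid  : $($cert.NotBefore) .. $($cert.NotAfter)"
if ($sig.TimeStamperCertificate) {
    Write-Host "Timestamped by: $($sig.TimeStamperCertificate.Subject)"
}

# 3. Revocation: build the chain ourselves with online revocation checking for every
#    certificate in it, so a revoked signing certificate (the scenario in this thread)
#    is reported explicitly rather than hidden inside a generic signature status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags =
    [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
$ok = $chain.Build($cert)
foreach ($status in $chain.ChainStatus) {
    Write-Warning "Chain status: $($status.Status) - $($status.StatusInformation.Trim())"
}
if (-not $ok) { throw "Certificate chain did not validate (see warnings above)" }
Write-Host "Chain OK with online revocation checking"
```

Two caveats worth knowing when reading the output. A matching hash only proves the file is the one the maintainer published, not that the signing key was still under the maintainer's control when it was used; that is what step 3 is for. And step 3 needs network access to the CA's CRL/OCSP endpoints, which is the same kind of outbound lookup the "risk assessment" above flagged as suspicious: the chain builder will report a status such as RevocationStatusUnknown or OfflineRevocation if those endpoints cannot be reached, so treat that as "unverified", not as "clean".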
@dscho I think that tool probably just really hates installers. Do you want me to close this now? I was going to wait to see a report that the problem went away, but since there's nothing we can do about it there's no other reason to keep it open. |
I'd rather keep it open just in case that some users actually look through the open bug reports before spending the time to report this as a new issue. As to not being able to do anything about it, I might have asked somebody who might know how long it will take, roughly, until this is resolved. |
Sounds good, thanks! I wonder if asking a trusted friend to sign your installer is a viable workaround... somebody from a related project like git-lfs might do it for this particular release if it turns out it's going to be longer than expected. |
Hi all! I checked today, and the warning from Windows Defender is no longer present. Everything seems OK. |
Confirmed on a clean (didn't have GfW installed) computer. I also wonder if it would work/make sense to "bank" this key and use a new one for the next release (or the next non-critical release)? That might be too much effort but this issue for this release got me wondering whether anybody does that just so they can have a key in storage that they can use if this exact thing happens. |
I just want to thank you for taking the time to explain everything @dscho and I must say that I love the style of writing you have. I'm sorry to have contributed to wasting your time. Reading your explanation of the "Risk assessment" was certainly not a waste of my time and it was also entertaining. Thanks for your efforts! You are very much appreciated 🥇 |
Win10 1909 (18363.476)
This is the first of your installers that's done this (in fact, I haven't seen this in a long time for anything).
The signing certificate looks OK as far as I can tell. SmartScreen doesn't give me much information, Windows Defender thinks it's OK.
Is it possible it just hasn't established "reputation" yet (not enough installs?). I usually grab latest releases almost immediately, so it's weird it hasn't happened yet.