mirror of
https://github.com/quasar/Quasar.git
synced 2026-04-25 15:25:59 +03:00
[GH-ISSUE #611] Client, on build, being detected by Windows Defender as: Backdoor:Win32/Xiclog.A #366
Originally created by @seancroberts on GitHub (Jun 20, 2017).
Original GitHub issue: https://github.com/quasar/Quasar/issues/611
I've been trying to remove features to find out where the offending code or API call is located, but no luck so far.
I've stripped out the recovery, key-logging, and webcam\video features and the output file from building Client.exe gets quarantined.
Anyone have any idea what I can do to STOP having Windows Defender see this file as a threat?
@EnricoVogt commented on GitHub (Jun 20, 2017):
Whitelist the client on windows defender
@seancroberts commented on GitHub (Jun 20, 2017):
Thanks and yes, I know that adding client.exe to our firewall’s white-list will fix the problem, but I would still like to know which specific code or call is triggering Windows Defender.
Does anyone happen to know?
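The question above (which bytes of Client.exe the signature is matching) can be answered mechanically for a signature-based scanner by bisection: scan ever-shorter prefixes of the file until the scan stops flagging it, and the last flagged prefix ends where the matched pattern ends. The following is an added example, not code from the Quasar project or from anyone in this thread. The scanner is passed in as a callable so the logic runs offline against a constructed sample; `defender_scanner` shows how that callable would wrap Windows Defender's command-line scanner, and the MpCmdRun.exe path, flags and exit code it relies on are assumptions stated in its docstring rather than facts from this page.

```python
"""Locate the byte region of a file that a signature-based scanner flags.

Added example; not code from the Quasar project or from this thread. The
scanner is a callable so the bisection can be exercised offline against a
constructed sample; `defender_scanner` is the Windows-only variant and its
MpCmdRun.exe path, flags and exit code are assumptions (see its docstring).
"""
import os
import subprocess
import tempfile
from typing import Callable, Optional

Scanner = Callable[[bytes], bool]  # returns True when the bytes are flagged


def find_flag_offset(data: bytes, is_flagged: Scanner) -> Optional[int]:
    """Return the shortest flagged prefix length of `data`, or None.

    Assumes a byte-pattern signature: every prefix that fully contains the
    pattern is flagged and every shorter prefix is clean, so the boundary
    can be bisected in O(log n) scans; the pattern then ends at result-1.
    The assumption does not hold for detections that need a parseable
    whole file (PE or .NET metadata) or that key on behaviour, not bytes.
    """
    if not is_flagged(data):
        return None
    lo, hi = 0, len(data)  # invariant: data[:lo] is clean, data[:hi] is flagged
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if is_flagged(data[:mid]):
            hi = mid
        else:
            lo = mid
    return hi


def hexdump_around(data: bytes, offset: int, width: int = 16) -> str:
    """One hexdump line covering `width` bytes on each side of `offset`."""
    start = max(0, offset - width)
    chunk = data[start:offset + width]
    hexs = " ".join(f"{b:02x}" for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{start:08x}  {hexs}  |{text}|"


def defender_scanner(blob: bytes) -> bool:
    """Scanner callable backed by Windows Defender's CLI (Windows only).

    Assumptions, not verified by this page: MpCmdRun.exe lives under
    "%ProgramFiles%\\Windows Defender", accepts
    "-Scan -ScanType 3 -File <path> -DisableRemediation", and exits with
    code 2 when it finds a threat. Real-time protection may quarantine the
    temp file before the scan runs; exclude the temp directory while testing.
    """
    mpcmdrun = os.path.join(os.environ.get("ProgramFiles", r"C:\Program Files"),
                            "Windows Defender", "MpCmdRun.exe")
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as tmp:
        tmp.write(blob)
        path = tmp.name
    try:
        proc = subprocess.run(
            [mpcmdrun, "-Scan", "-ScanType", "3", "-File", path, "-DisableRemediation"],
            capture_output=True,
        )
        return proc.returncode == 2
    finally:
        if os.path.exists(path):
            os.remove(path)


# Constructed sample input: a fake "binary" whose only flagged content is a
# string mentioning ProgramData, standing in for the copy-to-ProgramData
# code the thread suspects. fake_scanner stands in for Defender.
FAKE_PATTERN = b"ProgramData"
SAMPLE = b"MZ" + b"\x00" * 200 + b"copy self to ProgramData then hide" + b"\x00" * 300


def fake_scanner(blob: bytes) -> bool:
    return FAKE_PATTERN in blob


def locate(data: bytes, scanner: Scanner) -> Optional[str]:
    """Run the bisection and return a hexdump line around the hit, or None."""
    end = find_flag_offset(data, scanner)
    return None if end is None else hexdump_around(data, end)


if __name__ == "__main__":
    print("flagged prefix ends at offset", find_flag_offset(SAMPLE, fake_scanner))
    print(locate(SAMPLE, fake_scanner))
```

On a real build you would call `locate(open("Client.exe", "rb").read(), defender_scanner)` and then look up the reported offset in the assembly to see which string or method it lands in. Two caveats: the bisection only tells you what a byte signature matched, so it says nothing about behaviour-based detection (self-copying to ProgramData, hiding the file, outbound connections) that fires at run time regardless of the bytes; and for a tool used legitimately on your own domain the appropriate fix is an exclusion, a code-signing certificate, or a false-positive submission to the vendor, not rewriting the binary until the scanner goes quiet.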
@EnricoVogt commented on GitHub (Jun 20, 2017):
I think (not really sure) that Windows Defender has signature-based detection. So you can try to obfuscate the client build... maybe it's working. I don't know.
@seancroberts commented on GitHub (Jun 21, 2017):
I seem to have it working now without Windows Defender seeing the client as a threat.
Most of the code that SEEMED to trigger that was located in and around ClientData, and functions related to the .exe copying itself to ProgramData and then using encryption.
@gozilla-paradise commented on GitHub (Jul 5, 2017):
@seancroberts What about other AVs? Do they detect it after you modified that piece of code?
@seancroberts commented on GitHub (Jul 5, 2017):
Once I got rid of the code that attempted to rename or hide the client.exe, Windows Defender (W10, 64-bit and W7, 32-bit) did not identify client.exe as malware nor did it try to quarantine the file.
I intend to use parts of the Quasar RAT code as a part of my legitimate domain support responsibilities, so there is no need to hide or rename client.exe.
@santoshcxs commented on GitHub (Jul 26, 2017):
@seancroberts Please let us know the code changes you have done, for Windows Defender not seeing the client as a threat.
@Clevelus commented on GitHub (Aug 19, 2017):
It is necessary to refine the ways of hiding the process. It is useless if any modern antivirus immediately detects it.
Also, you need to add a setting that allows you to disable this mechanism, since it is not needed by some users.
@seancroberts commented on GitHub (Aug 28, 2017):
"It is necessary to refine the ways of hiding the process," writes Clevelus...
I am not interested in hiding the process - my intended use for parts of Quasar RAT are for my legitimate work-related admin responsibilities.
I find no value in being able to get passwords from browser settings, turn on web cams without alerting users, logging keys, nor hiding the process I'm trying to run.
I find incredible value in being able to see and manipulate a remote desktop and I find value in being able to access a computer's command console remotely.
The rest of what I need I can already do - run remote programs, silently or interactively, as local system or as the logged on user by installing a remote service, allowing it to interact with the desktop and then doing a little session\handle\API magic.
I have a remote registry editor that has full remote registry visibility through WMI, and it's also through WMI that I can report on just about anything on a computer system... all agent-less\client-less.
At the moment I am trying to see if I can implement remote desktop functionality using the same service I use to execute remote programs, but if I have to, I'll install the service and have it run a client temporarily.
So far, the one function I want but can't implement without a client is the remote command-console.
If anyone wants to work with me on any of this, please let me know because I would love to collaborate.
@sndcode commented on GitHub (Sep 8, 2017):
@seancroberts
what EXACTLY did you do to make the client compile with Windows Defender ON?
Maybe you could also just share your modified software?
@seancroberts commented on GitHub (Sep 8, 2017):
I rem’d-out or removed all code having to do with the client renaming itself or trying to hide its executable.
@life-coder commented on GitHub (Sep 17, 2017):
"remote command-console" What do you mean by this?
Also note that you can hide it from scans, but any antivirus that checks behaviour, like G-Data, Bitdefender etc., WILL block it, since it probably installs into the Windows dir? And it makes a network connection, which will trigger any AV with behaviour checks.
@seancroberts commented on GitHub (Sep 18, 2017):
Running cmd.exe on a remote computer, and having the input and output redirected to a local computer.
So, on a remote computer, one could both run commands like “dir” or “gpupdate /force” or “ipconfig” and see the output text on a local computer.
QuasarRAT has this functionality and I want to use\replicate it in my own program.
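The "remote command console" described above (cmd.exe on the remote machine with its input and output redirected to the operator) comes down to one mechanism: keep a single shell process alive behind a pair of pipes, and know when each command's output ends. The example below is added here and is not Quasar's implementation; it shows that mechanism with the standard library only. It spawns the platform shell once so state such as the current directory persists between commands, appends an `echo` of a random sentinel after every command, and reads stdout until the sentinel line arrives. The network transport that would carry the strings between the two computers is left out, and the `ShellSession` name and its `/Q` flag for cmd.exe are this example's own choices.

```python
"""A persistent command console with redirected I/O (added example).

Not Quasar's code. One shell process is kept alive behind pipes; each
command is followed by an echoed random sentinel, and output is read until
that sentinel line appears, which is how the caller learns that the
command finished. Transport between machines is out of scope.
"""
import os
import subprocess
import uuid


class ShellSession:
    def __init__(self) -> None:
        # cmd.exe on Windows, /bin/sh elsewhere; stderr is merged into stdout
        # so error text reaches the operator in order with normal output.
        shell = ["cmd.exe", "/Q"] if os.name == "nt" else ["/bin/sh"]
        self._proc = subprocess.Popen(
            shell,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT,
            text=True,
            bufsize=1,  # line-buffered, so readline() returns as lines arrive
        )

    def run(self, command: str) -> str:
        """Send one command line and return everything it printed."""
        marker = f"__END_{uuid.uuid4().hex}__"
        self._proc.stdin.write(f"{command}\necho {marker}\n")
        self._proc.stdin.flush()
        lines = []
        while True:
            line = self._proc.stdout.readline()
            if not line:  # shell exited (for example the command was `exit`)
                break
            # endswith rather than ==: cmd.exe writes its prompt (e.g. "C:\>")
            # into the pipe in front of the echoed marker. The prompt that
            # precedes the command's own first line is not stripped here.
            if line.rstrip().endswith(marker):
                break
            lines.append(line)
        return "".join(lines)

    def close(self) -> None:
        self._proc.stdin.close()
        self._proc.terminate()
        self._proc.wait()


if __name__ == "__main__":
    session = ShellSession()
    try:
        print(session.run("echo hello"), end="")
        print(session.run("cd .." if os.name == "nt" else "cd / && pwd"), end="")
    finally:
        session.close()
```

Two edge cases matter in practice. A command that itself reads stdin (a pager, `cat` with no file, anything interactive) blocks forever here because nothing forwards further input; a real console either forwards keystrokes or runs each command with stdin closed. And because the sentinel is detected on a line boundary, a command whose last output has no trailing newline gets that fragment merged with the marker line and dropped; a more careful reader strips the marker from the end of that line instead of discarding it.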
@mkramer74 commented on GitHub (Sep 24, 2017):
@seancroberts - Is it possible to get your sources ?
Regards,
michael
@Rottweiler commented on GitHub (Oct 3, 2017):
After obfuscating everything but the names in the assembly I think I can safely assume it’s the assembly names
@MaxXor commented on GitHub (Oct 9, 2017):
Whitelist the file.