ZAP 2.15.0 installer (Windows x64) detected as malicious by Microsoft Defender Antivirus about zaproxy HOT 17 CLOSED

I've sent this to some contacts at MSFT so hopefully it can get routed to the right people.

from zaproxy.

It appears the detection has now been removed for this on latest definition versions. It no longer alerts as a PUA. @ksast does it still happen for you?

from zaproxy.

ZAP is a security tool. It “does bad things”. We know that virus scanners regularly flag the active scan rule add-ons, which is not surprising as they perform attacks.
The Microsoft Defender alert just says that the ZAP exe is potentially “unwanted software” - it is not claiming that the exe is malicious.
Virus scanners are notoriously unreliable, especially when it comes to security tools.
We have double checked the exe and the files it creates and have seen no evidence of anything malicious.
If anyone can provide us with any more specific evidence of malicious code then we will of course investigate further.
Or if anyone has any suitable contacts at Microsoft we’d love to talk to them.

from zaproxy.

For reference: https://www.zaproxy.org/faq/why-does-my-antivirus-tool-flag-zap/

from zaproxy.

We do think this is very likely to be a false positive, but we are doing due diligence

For reference we did submit the Windows installer to Virus Total: https://www.virustotal.com/gui/file/28b348dd65116ddabbbbd98b7f84864a0bb0f98d656266f2f08bfd010ae51c57?nocache=1
As you will see 3 services flagged it, but not Windows Defender.

It is worth noting that virus scanners are very flaky, and ZAP is a security tool which by nature "does bad things".

from zaproxy.

Its worth noting that the alert is 'Packunwan' unwanted software was detected New Detected Informational
So its just potentially additional software, it is not complaining about anything malicious.
ZAP is a complex tool that has many components.
It is not surprising that a virus scanner would detect "potentially unwanted software".

from zaproxy.

Submitted directly to Windows Defender online:

from zaproxy.

I just had a poke around at this, and appears in the build there is a file called "ascanrules-release-66.zap". It looks like this file might be causing the detection as it is flagged by Defender for https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FBitrep.B. This does look to be a FP.

https://www.virustotal.com/gui/file/6c63ac358a5a183a757cb63ac13040e58eb3087aa9ca25bf40a02fab83f3736f

from zaproxy.

"ascanrules-release-66.zap" is the active scan rule add-on: https://www.zaproxy.org/docs/desktop/addons/active-scan-rules/ - these are the rules which attack web apps. So its really not surprising that it gets flagged by AV tools 😁

from zaproxy.

It's worth mentioning that the detection does not apply to version 2.14.0.

from zaproxy.

We did encounter similar things when 2.14 was first released. Though to a lesser extent. In the mean time both AV solutions and ZAP have changed/evolved.

from zaproxy.

Thanks @benmcgarry

from zaproxy.

Appears Smart Screen is now flagging on it:

from zaproxy.

@benmcgarry isnt that just saying that ZAP is from an unknown publisher, rather than its failed an AV check?
This is expected as we are not yet signing the installer..

from zaproxy.

I dont get that prompt on the 2.14 release which i'd assume would also trigger? Did any of the build process change for 2.15?

from zaproxy.

Not radically, but there are bound to have been some changes

from zaproxy.

2.14 might be "popular" enough that SmartScreen ignores it.

from zaproxy.