Windows Defender identifying AnyRail as a possible threat. Windows 10
Unable to re-install, the installation program might be out of date? 10/3/19, EST.
The program has been disabled by Windows security protection.
I tried re-installing, but the downloaded install file is prohibited.
Yes, just found out that my computer reports a problem regarding AnyRail. It's a severe warning. Files were placed in quarantine. The latest version seems to contain some mining code. Windows blocked access to the application.
Threat detected: PUA:Win32/CoinMiner
Files involved: C:\Program Files (x86)\AnyRail6\AnyRail6.exe. And 2 more shortcuts to AnyRail.
I saved a screen print of this warning, but cannot attach it to this post.
Kind regards,
Daan
My Windows 10 didn't report any issues. I ran the latest AnyRail6.exe through VirusTotal and here are the results: https://www.virustotal.com/gui/file/23e2a0536236100ec6c3b3abe56225c074bc1f1d52c3a54695503735b2245b57/detection
It appears Microsoft is among the 3 out of 68 engines that detected something, the rest check out ok.
Has to be a false positive?
You can be sure the software is safe. It is a false positive.
I'll try to find out how we can solve this.
Please do; Windows Defender places files in quarantine, so AnyRail can no longer be used. It needs reinstallation; however, this morning the downloaded MSI file (6.5.25) was also found to be infected.
I tried to install an older version (stored on my NAS), but even these MS files are now being reported as infected as well. And so they are placed in quarantine as well. It must be some false-positive warning; the virus scanner on my NAS doesn't report any problems at all.
Kind regards,
Daan
It's strange, Microsoft reports that they cannot reproduce detecting a virus.
I can't reproduce it here either.
Microsoft reports:
---------------------------
Analyst comments:
The file is not malware and we cannot reproduce any detection on the file. If detection is still observed, please follow the steps below to capture support log files from the system reporting detection.
On Windows 10, from elevated command prompt, change to directory "%programfiles%\windows defender" and execute mpcmdrun.exe with option GetFiles:
cd "%programfiles%\windows defender"
mpcmdrun.exe -GetFiles
On Windows 7, from elevated command prompt, change to directory "%programfiles%\microsoft security client" and execute mpcmdrun.exe with option GetFiles:
cd "%programfiles%\microsoft security client"
mpcmdrun.exe -GetFiles
---------------------------
Would any of you please be so kind as to send us the log mentioned?
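The log-collection steps quoted above, written out as an added PowerShell script. This is an example added here, not a script from the forum thread, from Microsoft or from the AnyRail project. It assumes Windows 10 with Microsoft Defender Antivirus, its Defender PowerShell module (Get-MpThreatDetection, Get-MpThreat, Get-MpPreference) and an elevated PowerShell prompt; the Support folder path is the default location where MpCmdRun.exe writes MpSupportFiles.cab. Besides collecting the .cab, it lists what Defender actually flagged and shows whether PUA protection is switched on, which is what turns a "PUA:" classification such as PUA:Win32/CoinMiner into a block-and-quarantine action rather than a mere log entry.

```powershell
# Added example (not from the forum thread): gather the evidence that a
# false-positive report needs, then run the MpCmdRun -GetFiles step from
# Microsoft's instructions. Run from an elevated PowerShell prompt.

# Assumption: default Defender install and Support folder locations.
$defenderDir = Join-Path $env:ProgramFiles 'Windows Defender'
$mpcmdrun    = Join-Path $defenderDir 'MpCmdRun.exe'
$supportDir  = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'

if (-not (Test-Path $mpcmdrun)) {
    throw "MpCmdRun.exe not found at $mpcmdrun (is Microsoft Defender Antivirus installed?)"
}

# 1. What was detected, on which files, and when. 'Resources' holds the
#    flagged paths (e.g. the AnyRail6.exe and shortcuts mentioned in the thread).
Write-Host '=== Recent Defender detections ==='
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess |
    Format-List

# 2. Map the numeric ThreatID to the human-readable name and severity
#    (this is where a name like PUA:Win32/CoinMiner shows up).
Write-Host '=== Threat catalogue entries ==='
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID | Format-Table -AutoSize

# 3. Is PUA protection enabled? 0 = Disabled, 1 = Enabled, 2 = AuditMode.
#    With PUA protection disabled, a PUA: classification is not acted on,
#    which is one reason the same file can be blocked on one PC and not another.
$pua = (Get-MpPreference).PUAProtection
Write-Host "=== PUAProtection setting: $pua ==="

# 4. Collect the support package Microsoft asked for. MpCmdRun writes
#    MpSupportFiles.cab into the Support folder; that is the file to send on.
& $mpcmdrun -GetFiles
Get-ChildItem -Path $supportDir -Filter 'MpSupportFiles.cab' |
    Select-Object FullName, Length, LastWriteTime
```

The .cab produced in step 4 is what should be forwarded for analysis; the output of steps 1 to 3 is worth pasting alongside it, because it records the exact detection name, the affected paths and whether PUA enforcement was active at the time.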
Somehow on my PC the problem seems to be solved now. Windows Security no longer reports any threat when downloading, installing and running AnyRail 6.25.5.
Don't know what has changed, but at the moment all seems to be ok...
Daan
My Windows Defender found issues in multiple places over multiple days. I've put the screenshots of all the messages in the following Imgur post: https://imgur.com/a/iHbmdOs
I'm seeing reports in online FB forums of other people encountering this.
Tony Pellegrino on the "Micro/Small Model RR Layouts" group reports:
"Beware: my trial version of AnyRail decided to download and run BitcoinMiner as an update. I can't uninstall it because downloading AnyRail now sets off my virus detection. Yay."
Hi all! We've contacted Microsoft and they cannot reproduce it. No threats found.
We cannot trigger Windows Defender here either. So unfortunately, we have no way of further analyzing this.
If anyone has the issue, could you please follow the instruction I copied above, and send me the resulting .cab file? I can then forward it to Microsoft for further analysis.
This is a false positive. We know for a fact that it is safe, and other virus scanners don't find errors either.
I apologize for the inconvenience, and hope it will be resolved by Microsoft soon.
Just updated to 6.25.5 on my Win 7 machine, no issue for me.
Perhaps this pic attached is helpful: PUA-Win32-CoinMiner.png
Perhaps this one is more readable: PUA-Win32-CoinMiner2.png
I had something similar happen to me, but not with AnyRail. Your computer was infected with ransomware (Gold Miner) at some point but not activated. Mine activated when I clicked on a video in Facebook, but that might not have been Facebook's fault. Where it came from I do not know, but watch going to unknown websites and emails you get from strangers.
The virus is holding you ransom for money. It is extremely hard to remove it.
Does the "Bitcoin" message come up with any other programs?
I would take your computer to someone who understands these ransomware attacks.
Dennis, AnyRail is the only program generating this problem. Thanks for the suggestion. But now how to remove?
Most likely the warning will go away with the next update of your Windows Defender virus definitions.
It seems that the problem lies in the updater, a small program that runs to see if there are AnyRail updates available. This program is provided by Advanced Installer. We've contacted them and they will investigate this further.
Still, don't worry, it is a false positive, meaning there is no virus/coin miner or anything dangerous.
David,
Windows Defender just updated its virus definitions at 10:50 AM (EST) Wed Oct 9. Tried to download and install - nope, same issue. -Ken
All, I just heard back from my tech guy, and AnyRail is quarantined on his system just as it is on mine. But he also tried an older version, which installed and ran OK (though he did not specify which older version).
David, are the most recent versions prior to the most current still available to download? I miss running AnyRail, and would like to try previous versions. More recent layouts would not be readable by older versions no doubt. But still, I could get at some of my older layouts that I have not worked on recently. Thanks, Ken.
I may search my HD to see if I have an older install file, and try it. No luck.
But, I downloaded and installed 5.25 from the web site - no probs, opened an old layout file just fine.
We've contacted Microsoft, and they have removed the incorrect detection of ARUpdater.exe which is part of the product.
Unfortunately, the .msi (installation package) as a whole still seems to get detected for some users. We've just contacted Microsoft again to take a look at that issue as well.
I'm very sorry for the trouble, but this is really something we cannot control.
Thanks David. Understand this is not your issue. I tried a download again this morning - no joy. But could you help by making a previous version available to download, perhaps here on the forum. 5.25 works OK, but something more recent, perhaps just the version prior to the current version. Worth a try! -Ken
Ken, are you an enterprise Windows user? It seems that for some reason AnyRail is currently detected/flagged as a PUA (Potentially Unwanted Application). However, this type of detection seems to be only available for enterprise Windows users.
This might also explain why some users are still having problems while others don't.
Of course we've explained the problem to Microsoft and they're currently looking into it.
Yes, an enterprise Windows user. Which means we do not have much control to override settings, or allow exceptions to the app quarantine.
5.25 works OK, but more recent would be helpful, perhaps the version immediately prior to the current version. Worth a try! -Ken
I've tested a whole lot of prior versions, but they're all detected.
Let's see if Microsoft reacts swiftly to resolve this.
In the meantime, perhaps you have a spare laptop or something to install AnyRail on?
Microsoft has updated Windows Defender, and the problem should be solved now.
Thanks David, working now! Thank you for staying on the issue until resolved! -Ken