Windows defender identifying AnyRail as a possible threat.

Started by kenhoganson, October 03, 2019, 09:15:39 PM


kenhoganson

Windows defender identifying AnyRail as a possible threat.  Windows 10
Unable to re-install, the installation program might be out of date?  10/3/19, EST.
The program has been disabled by Windows security protection.
I tried re-installing, but the downloaded install file is prohibited.

Modelspoorkelder

Yes, just found out that my computer reports a problem regarding anyRail. It's a severe warning. Files were placed in quarantine. The latest version seems to contain some mining code. Windows blocked access to the application.
Threat detected: PUA:Win32/CoinMiner
Files involved: C:\Program Files (x86)\AnyRail6\AnyRail6.exe. And 2 more shortcuts to AnyRail.
I saved a screen print of this warning, but cannot attach it to this post.

Kind regards,
Daan

TrainzLuvr

My Windows 10 didn't report any issues. I ran the latest AnyRail6.exe through VirusTotal and here are the results: https://www.virustotal.com/gui/file/23e2a0536236100ec6c3b3abe56225c074bc1f1d52c3a54695503735b2245b57/detection

It appears Microsoft is among the 3 out of 68 engines that detected something, the rest check out ok.

Has to be a false positive?
Website: Trains Luvr
YouTube channel: Trainz Luvr

David

You can be sure the software is safe. It is a false positive.

I'll try to find out how we can solve this.
David Hoogvorst. Founder and Owner of DRail Software. Creator of AnyRail.

Modelspoorkelder

Please do, Windows Defender places files in quarantine, so AnyRail cannot be used anymore. It needs reinstallation; however, this morning the downloaded MSI file (6.5.25) was also found to be infected.
I tried to install an older version (stored on my NAS), but even these MSI files are now being reported as infected as well, and so they are placed in quarantine too. It must be some false-positive warning; the virus scanner on my NAS doesn't report any problems at all.

Kind regards,
Daan

David

It's strange, Microsoft reports that they cannot reproduce detecting a virus.
I can't reproduce it here either.

Microsoft reports:
---------------------------
Analyst comments:

The file is not malware and we cannot reproduce any detection on the file.  If detection is still observed, please follow the steps below to capture support log files from the system reporting detection.

On Windows 10, from elevated command prompt, change to directory "%programfiles%\windows defender" and execute mpcmdrun.exe with option GetFiles:
    cd "%programfiles%\windows defender"
    mpcmdrun.exe -GetFiles

On Windows 7, from elevated command prompt, change to directory "%programfiles%\microsoft security client" and execute mpcmdrun.exe with option GetFiles:
    cd "%programfiles%\microsoft security client"
    mpcmdrun.exe -GetFiles

---------------------------

Would any of you please be so kind to send us the log mentioned?
David Hoogvorst. Founder and Owner of DRail Software. Creator of AnyRail.
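Since Microsoft is asking affected users for the GetFiles logs, here is an added PowerShell version of that evidence-gathering step (my own example, not DRail's or Microsoft's text): it checks the downloaded installer's SHA-256 against the hash in TrainzLuvr's VirusTotal link, whether Defender's PUA protection is on, what Defender itself recorded for the CoinMiner detection, and then runs the same MpCmdRun command. The installer path is a placeholder to adjust; run it from an elevated PowerShell on Windows 10.

```powershell
# Added example, not from the thread or from DRail Software.
# Assumptions: $installer is a placeholder path; $expectedHash is the SHA-256 from
# the VirusTotal link posted earlier in this thread.
$installer    = 'C:\Users\<you>\Downloads\AnyRail6.msi'   # placeholder, adjust
$expectedHash = '23e2a0536236100ec6c3b3abe56225c074bc1f1d52c3a54695503735b2245b57'

# 1. Is the local file the same binary that VirusTotal analysed?
#    A different hash can simply mean another version, but a tampered or
#    corrupted download would also show up here.
if (Test-Path $installer) {
    $actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash.ToLower()
    if ($actual -eq $expectedHash) {
        'Installer matches the sample that VirusTotal analysed'
    } else {
        "Installer hash differs from the VirusTotal sample: $actual"
    }
}

# 2. PUA:* names such as PUA:Win32/CoinMiner are only raised when PUA
#    protection is enabled (0 = off, 1 = block, 2 = audit).
"PUAProtection setting: $((Get-MpPreference).PUAProtection)"

# 3. Defender's own record of the detection, including the quarantined paths
#    (the Resources field lists the files and shortcuts involved).
$coinMinerIds = (Get-MpThreat |
    Where-Object { $_.ThreatName -like 'PUA:Win32/CoinMiner*' }).ThreatID
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -in $coinMinerIds } |
    Select-Object InitialDetectionTime, ActionSuccess, Resources |
    Format-List

# 4. Collect the support logs Microsoft asked for; MpCmdRun prints where it
#    wrote the resulting .cab file.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -GetFiles
```

Step 3 is the part worth keeping alongside the screenshots: it gives the exact detection time and file list in text form, which is easier to forward than an image.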

Modelspoorkelder

Somehow on my PC the problem seems to be solved now. Windows Security no longer reports any threat when downloading, installing and running AnyRail 6.25.5.
Don't know what has changed, but at the moment all seems to be ok...

Daan

dazennites

My Windows Defender found issues in multiple places over multiple days. I've put the screenshots of all the messages in the following Imgur post: https://imgur.com/a/iHbmdOs
Paul Fawcett

I'm seeing reports in online FB forums of other people encountering this.

Tony Pellegrino on the "Micro/Small Model RR Layouts" group reports:

"Beware: my trial version of AnyRail decided to download and run BitcoinMiner as an update. I can't uninstall it because downloading AnyRail now sets off my virus detection. Yay."

David

Hi all! We've contacted Microsoft and they cannot reproduce it. No threats found.
We cannot trigger Windows defender here either. So unfortunately, we have no way of further analyzing this.

If anyone has the issue, could you please follow the instruction I copied above, and send me the resulting .cab file? I can then forward it to Microsoft for further analysis.

This is a false positive. We know for a fact that it is safe, and other virus scanners don't find errors either.

I apologize for the inconvenience, and hope it will be resolved by Microsoft soon.
David Hoogvorst. Founder and Owner of DRail Software. Creator of AnyRail.

Paul Fawcett

Just updated to 6.25.5 on my Win 7 machine, no issue for me.

kenhoganson

Perhaps this pic attached is helpful: PUA-Win32-CoinMiner.png

kenhoganson

Perhaps this one is more readable: PUA-Win32-CoinMiner2.png

RCMan

I had something similar happen to me, but not with AnyRail. Your computer was infected with ransomware (Gold Miner) at some point but not activated. Mine activated when I clicked on a video in Facebook, but that might not have been Facebook's fault. Where it came from I do not know, but watch going to unknown websites and emails you get from strangers.

The virus is holding you ransom for money. It is extremely hard to remove it. 

Does the "Bitcoin" message come up with any other programs?

I would take your computer to someone who understands these ransomware attacks.
Dennis
Bonham Texas

kenhoganson

Dennis, AnyRail is the only program generating this problem. Thanks for the suggestion. But now how to remove?