MS has flagged Explorer-Patcher as malware

perdrix · Sep 11, 2024

Windows Defender and most other AV tools now report ep-setup.exe as malware (MS seems to have told all the AV vendors to block it).

This is really unacceptable - it's not damaging anything.

Anyone got any means of contacting the MS Defender folks and get them to back off from this position.

David

Ghot · Sep 11, 2024

I was gonna disagree.
But even Bitdefender "disinfects" ep_setup.exe ^^

Either it's really infected, or MS is getting out of hand... again.

antspants · Sep 11, 2024

perdrix said:
Windows Defender and most other AV tools now report ep-setup.exe as malware (MS seems to have told all the AV vendors to block it).

This is really unacceptable - it's not damaging anything.

Anyone got any means of contacting the MS Defender folks and get them to back off from this position.

David

Premature for the Microsoft blaming. This has happened before for other apps including this one I believe. Time should corect it in the next couple of days, hopefully.

Unless of course you can prove this with a statement from Microsoft or reputable source?

antspants · Sep 11, 2024

Ghot said:
I was gonna disagree.
But even Bitdefender "disinfects" ep_setup.exe ^^

Either it's really infected, or MS is getting out of hand... again.

I highly doubt antivirus vendors are going to do this because Microsoft tells them to. Their reputations would suffer.
I find the OP’s accusation or passing on of unsubstantiated news ridiculous. I’ve been wrong before, but seriously.

perdrix · Sep 11, 2024

It is just possible that it IS infected, but the authors of Explorer-Patcher are a) adamant that it is clean, and b) say that MS refuse to treat this as a false positive and say that MS seem to have created a new category for it:

HackTool:Win64/ExplorerPatcher!MTB

oldschool · Sep 11, 2024

antspants said:
Premature for the Microsoft blaming.

antspants said:
I highly doubt antivirus vendors are going to do this because Microsoft tells them to. Their reputations would suffer.
I find the OP’s accusation or passing on of news ridiculous. I’ve been wrong before, but seriously.

Indeed. Is EP digitally signed? And if it's newly signed, it may take days for it to pass Smartscreen and similar AV reputation checks to remove the block.

TairikuOkami · Sep 11, 2024

perdrix said:
Windows Defender and most other AV tools now report ep-setup.exe as malware

I see no problem here, MS properly marked it as hacktool, which it is and other AV detect it as generic malware based on rules.

VirusTotal

www.virustotal.com

Kees · Sep 11, 2024

Tried it in my VirtualBox system, using 23H2 22635.4145, where I only have MS Defender as antivirus.
Gives a false positive on copying ep_setup 22621.3880.66.5.exe, does not on ep_setup 22621.3880.66.3.exe.
A few days ago I tested the version ep_setup 22621.3880.66.5.exe on the same system and it did indeed install.
So MS-Defender has, for whatever reason) decided to mark it as virus suddenly. But I doubt it was to block a UI-tweaking app. Must be some reason other AV's do that as well.

My normal virusdetector (in my reglar system) F-Secure does not mark it as virus. But I certailnly will not be able to install it, other parts of Windows will stop the installation. Not that I want to do that, ExplorerPatcher still is not what I would like to use. But now and then I test UI tweaking apps like StartAllBack, EP, WindHawk etc. just to see what they do and EP in the last version I tested just a few days ago (pure coincidence).

Ghot · Sep 11, 2024

TairikuOkami said:
VirusTotal
VirusTotal www.virustotal.com

Whoa... that's a LOT of RED in those results. ^^
I've never seen that much RED in Virustotal results, even when scanning things that I knew were hacks.

Fabler2 · Sep 11, 2024

No issue this. Once you have verified the file is ok then create an exception. Had to do this even for Hasleo.

antspants · Sep 11, 2024

perdrix said:
but the authors of Explorer-Patcher are a) adamant that it is clean, and b) say that MS refuse to treat this as a false positive

Hey in future could you please source link this stuff you’re getting?

Last time this happened in Feb this year, the developer themself said:

Note: If this update has been flagged as a virus or malware, we recommend disabling real-time protection before installing it, and adding the following folders into exclusions to prevent issues with updates and uninstallation:

%APPDATA%\ExplorerPatcher

C:\Program Files\ExplorerPatcher

We would like to assure you that such detections are false positive due to the nature of this software.

Release 22621.3007.63.3 · valinet/ExplorerPatcher

Tested on OS builds 22000.2538, 22621.1992, 22621.3007, 22621.3085, and 22621.3155. 1 Fixed a bug where explorer.exe would crash repeatedly when the system is in OOBE. (36ebe5a) ExplorerPatcher n...

github.com

hdmi · Sep 12, 2024

windows flags explorerpatcher as malware in latest update (marked as high severity) · valinet ExplorerPatcher · Discussion #3122

in the latest version of windows, explorer patcher is flagged as malware by defender and instantly deleted. i had explorer patcher for a while now and it never started appearing as a virus until no...

github.com

hdmi · Sep 12, 2024

TairikuOkami said:
MS properly marked it as hacktool, which it is

It's not a hacktool.

hdmi · Sep 12, 2024

Essentially, this whole problem is a classical-old PEBKAC (Problem Exists Between Keyboard And Chair). The reason for that is quite simple, it's because all this trouble first began when ExplorerPatcher had an issue that was causing the explorer process to crash and automatically be restarted in an endless loop, and that could have easily been prevented by disabling the autorestart with the following registry tweak:

Code:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoRestartShell /t REG_DWORD /d 0 /f

Kees · Sep 12, 2024

I still am considering it as false positive by pure coincidence.

Some virus has been reported in some other app, many AV makers react on that, may be some of them have a common base where they put the typical signatures to detect the virus into. Others will use different signatures.
That particular signature in this case is detected in the install app of Explorer Patcher as well.
That has happened in my PC with other apps as well, especially when I still used another AV app (as I said now on F-secure, never had problems anymore).
The waiting is for some people reporting the false positive to the AV-maker(s) and after that it will be solved again.

No suspections from my side about MS doing such things deliberately!

hdmi · Sep 13, 2024

Kees said:
I still am considering it as false positive by pure coincidence.

Some virus has been reported in some other app, many AV makers react on that, may be some of them have a common base where they put the typical signatures to detect the virus into. Others will use different signatures.
That particular signature in this case is detected in the install app of Explorer Patcher as well.
That has happened in my PC with other apps as well, especially when I still used another AV app (as I said now on F-secure, never had problems anymore).
The waiting is for some people reporting the false positive to the AV-maker(s) and after that it will be solved again.

No suspections from my side about MS doing such things deliberately!

Pure or impure, I don't believe in coincidences when Microsoft has engaged in so many malicious attacks against 3rd party developers already previously in the past. It also is part why Windows has been dying a slow and painful death over the past decade or so, i.e. ever since the huge success of Windows 7 gradually began to crumble. Modern versions of Windows treat the user like an adversary. You can disagree with me on this all you want, but it still won't matter in the end because the writing has been being on the wall for long enough that you just can't look past it anymore. That is, Microsoft is killing Windows anyway nevertheless, and Microsoft is killing it till it dies.

Autobahn · Sep 15, 2024

Backdoor:Win32/Bladabindi!ml

I tried updating and was blocked by Windows Defender. From what I've read this a false positive.

I'm no computer expert so could someone explain as simply as possible how I stop this from happening in future and how I then update ExplorerPatcher?

Thanks

antspants · Sep 15, 2024

Autobahn said:
Backdoor:Win32/Bladabindi!ml

I tried updating and was blocked by Windows Defender. From what I've read this a false positive.

I'm no computer expert so could someone explain as simply as possible how I stop this from happening in future and how I then update ExplorerPatcher?

Thanks

Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 11

This tutorial will show you how to add or remove exclusions for Microsoft Defender Antivirus for Windows Security in Windows 10 and Windows 11. Windows Security is built-in to Windows 11 and includes an antivirus program called Microsoft Defender Antivirus. Your device will be actively...

www.elevenforum.com

Autobahn · Sep 15, 2024

antspants said:
Add or Remove Exclusions for Microsoft Defender Antivirus in Windows 11

This tutorial will show you how to add or remove exclusions for Microsoft Defender Antivirus for Windows Security in Windows 10 and Windows 11. Windows Security is built-in to Windows 11 and includes an antivirus program called Microsoft Defender Antivirus. Your device will be actively...

www.elevenforum.com

Thanks for the link, but I'm not sure what I should be excluding.

Anixx · Sep 15, 2024

TairikuOkami said:
I see no problem here, MS properly marked it as hacktool, which it is and other AV detect it as generic malware based on rules.

VirusTotal

VirusTotal

www.virustotal.com

View attachment 108232

Is this what reported regarding EP? Absolutely sure its functionality does not require any of this, and nothing of this is in the source code.

MS has flagged Explorer-Patcher as malware

Active member

My Computer

Well-known member

My Computers

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Active member

HackTool:Win64/ExplorerPatcher!MTB​

My Computer

Well-known member

My Computer

Microsoft 365 Basic

My Computer

Well-known member

My Computer

Well-known member

VirusTotal​

My Computers

Well-known member

My Computers

Like a rolling drone.

My Computers

Jack of all trades – master of none

My Computers

Jack of all trades – master of none

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computer

Jack of all trades – master of none

My Computers

Member

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Well-known member

My Computer

HackTool:Win64/ExplorerPatcher!MTB

VirusTotal