Falcon BMS Forum
My win10 thinks u2 "direct download" (google drive) has a virus

    Technical Support (BMS Only)
mstram

It’s deleting the file after I download it, saying it has the “Oneeva.Alml” trojan script.

Quasi_Stellar

Download it to a folder you exclude from Windows Defender.

LorikEolmin @Quasi_Stellar

          One day Win10 will call itself a virus and erase itself. That’s probably the day Win11 is out.

hoover @LorikEolmin

I wonder why people still bother with AV at all; it just doesn’t seem worth the trouble and complications. I’m using Linux for most productivity stuff and fire up win10 mostly for BMS (not everything works as smoothly as I would like on my WINE setup yet) and rFactor 2; all the productivity stuff happens on Linux 100% of the time. Heck, if you use some common sense while browsing, handling email and downloading stuff, with some decent browser extensions (uBlock, FlashBlock, Privacy Badger for Vivaldi in my case), and use a non-admin account, you should be pretty safe even on a win10 system these days. I really don’t see what AV would add apart from lulling you into a false sense of security because “Microsoft handles this for me” (or insert your AV “dealer” of choice here :))

            All the best,

            Uwe

airtex2019 @hoover

              This is just crazy … the zip file Seifer posted a few days ago is still present in my Downloads folder. At the time, I got no warnings upon download with MS Edge … and I unzipped it and scanned the directory explicitly, then … no problems.

              Today, opening that same zip file triggers Defender detecting Trojan:Script/Oneeva.A!ml and it got moved away to quarantine.

              There is/was only one file inside that zip, the exe for the U2 installer.

              I already had that zip file extracted, again, still sitting in my Downloads folder. I just did an explicit scan on it, and Defender found “no problems”.

              What the heck is going on…

              Is it remotely possible a random series of bytes in the zip file is triggering a false positive match for a virus (apparently a new one updated in the last few days)?

              I just re-zipped the EXE (using builtin Windows shell send-to compressed file command) and it doesn’t seem to trigger AV.

Jackal @LorikEolmin

                @LorikEolmin:

                One day Win10 will call itself a virus and erase itself. That’s probably the day Win11 is out.

Hope this day comes soon, bro.

                So we can begin to fight 11 at last. 😄

                With best regards.

airtex2019 @airtex2019

                  For the avoidance of doubt, I uploaded Seifer’s zip file to VirusTotal for a comprehensive scan … no problems found.

                  https://www.virustotal.com/gui/file/4d7cbfa67afbb14ccac7f50ecd2998e9e8d5dbc2d53a7bbf9e70f05d6457c285/detection

                  Including a green check mark from “Microsoft” so what the heck is going on… I don’t know.

airtex2019 @airtex2019

A few minutes of googling “Oneeva” turns up a few similar false positives, in zip files, over the past couple of years … releases from GitHub, Firefox browser extensions, and other presumably trustworthy sources. Always in the zip itself, not the unzipped payload.

                    Don’t know what it is about this particular virus/trojan, and zip files, and Windows Defender … and apparently it’s a Linux trojan ffs. So, a very very false positive.

Seifer @airtex2019

                      For the record, my zip was the same one used for seeding the torrent. One can md5 it to confirm.

airtex2019 @Seifer
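Seifer’s suggestion above (hash the zip and compare) and the VirusTotal lookup a few posts earlier are both hash checks. The Python below is an added example, not forum or BMS project code: it hashes a download and, separately, the payload inside the zip, so the container can be re-zipped (as airtex2019 did) without the check changing. The file name is taken from the thread; the bytes are constructed stand-ins, and the expected hash must come from the publisher.

```python
import hashlib
import hmac
import io
import zipfile

CHUNK = 1 << 20  # hash big installers 1 MiB at a time instead of loading them whole


def digest_stream(fh, algo="sha256"):
    """Hex digest of a binary stream. SHA-256 is what VirusTotal keys on; MD5 will
    spot a corrupt download but is not collision resistant, so prefer SHA-256."""
    h = hashlib.new(algo)
    for block in iter(lambda: fh.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data, algo="sha256"):
    return digest_stream(io.BytesIO(data), algo)


def zip_member_digests(zip_bytes, algo="sha256"):
    """Digest each member inside the zip: the payload, not the container."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: digest_stream(zf.open(n), algo) for n in zf.namelist()}


def matches(actual_hex, expected_hex):
    """Constant-time, case-insensitive comparison against the published hash."""
    return hmac.compare_digest(actual_hex.lower(), expected_hex.strip().lower())


def virustotal_url(sha256_hex):
    """VirusTotal report URL in the form linked earlier in the thread."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}/detection"


def build_zip(member_name, payload, compression, stamp):
    """Constructed single-member zip; compression and timestamp vary the container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(member_name, date_time=stamp)
        info.compress_type = compression
        zf.writestr(info, payload)
    return buf.getvalue()


# Constructed stand-in bytes, NOT the real installer. Same payload, zipped twice.
NAME = "Falcon_BMS_4.35.2_Incremental.exe"
PAYLOAD = b"MZ" + bytes(range(256)) * 64
ZIP_A = build_zip(NAME, PAYLOAD, zipfile.ZIP_DEFLATED, (2021, 6, 1, 12, 0, 0))
ZIP_B = build_zip(NAME, PAYLOAD, zipfile.ZIP_STORED, (2021, 6, 2, 9, 30, 0))
```

For a real download, `digest_stream(open(path, "rb"))` gives the container hash and `zip_member_digests(open(path, "rb").read())` the payload hashes; the two zips above hash differently as files while the member inside hashes identically.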

                        For the updates, the torrent distribution is just the raw EXE right? (Falcon_BMS_4.35.2_Incremental.exe) No problems there, the Oneeva false positive seems to come from the zip file itself, not the contents.

                        The irony here is not lost on me … in another similar thread I made a case to stop distributing unsigned EXE files, just ZIP files, to avoid browser-download warnings and flagging.

                        Sigh, now this… Apparently there’s just no winning.

                        Benchmark Sims - All rights reserved ©