Good day,
Yesterday I installed Arduino IDE on my laptop with Windows 10, that is managed by my work.
All was well, I could use and modify the "blink" program.
Today McAfee Endpoint Security put arduino-builder.exe in quarantine with the following message:
"Adaptive Threat Protection repaired C:\Program Files (x86)\Arduino\arduino-builder.exe, because its reputation (Known Malicious) is below the configured Clean threshold."
Here is some detailed info (also see attachment):
Threat
Action taken: Clean
Threat category: Malware Detected
Threat event ID: 35107
Threat handled: Yes
Threat name: Real Protect-LS!57c62b02d7a0
Threat severity: Critical
Threat timestamp: 1/4/2020 21:26
Threat type: Trojan
I cannot restore the program because McAfee gives an error when I try this:
Error, These objects could not be restored: TIE/Suspect!57C62B02D7A0
Has anyone seen this ?
As McAfee is managed by our IT department, I may need to contact them to configure McAfee with an exception (if possible).
Any suggestion is welcome.
Thanks for your help.
Ton van der Vliet.
Update: I unzipped the Arduino installation file (arduino.exe) and copied the file arduino-builder.exe to the Arduino programs folder (C:\Program Files (x86)\Arduino).
When compiling the Sketch in the IDE, McAfee gets it again.
Update2: version Arduino 1.8.12
This is almost certainly a "FALSE POSITIVE"
Did you run it through VIRUSTOTAL to be sure ?
I will however raise it upstairs for further clarification.
Bob.
Thanks Bob, I did not know VIRUSTOTAL.
VIRUSTOTAL gives the following: W32.AIDetectVM.malware2
I found the following about this file:
W32.aidetectvm.malware is a Trojan Horse infection that can take advantage of system security flaws. Once inside the computer, W32.aidetectvm.malware can spy on its victims and execute different malicious activities without being detected.
Looks like a serious issue, how should I handle it ?
I guess Arduino should take action, right ?
Are you Arduino Bob ? saying you will "take it upstairs" ..............
Thanks a lot,
Ton.
I am not "official" Arduino but there is a path I can follow.
Normally these things get nailed down pretty quickly.
May I also suggest you use the Store support form too and reference this topic as it may also help speed things up.
It will help to create a documented path.
Bob.
Done reported to Support ............
Hi tvdvliet, can you report the MD5 and SHA1 of the file arduino-builder.exe and the SHA512 of the Arduino installer (arduino.exe)? To do this, just use the certutil tool. Here is some documentation: certutil | Microsoft Learn
Command example:
certutil -hashfile path-to-your-file MD5
certutil -hashfile path-to-your-file SHA1
Best regards
Thank you Igubello.
I executed the 3 commands as suggested, which were executed correctly:
C:\Users\tyv>certutil -hashfile "C:\Program Files (x86)\Arduino\arduino-builder.exe" MD5
MD5 hash of C:\Program Files (x86)\Arduino\arduino-builder.exe:
57c62b02d7a01acbc336658f52020b0c
CertUtil: -hashfile command completed successfully.
C:\Users\tyv>certutil -hashfile "C:\Program Files (x86)\Arduino\arduino-builder.exe" SHA1
SHA1 hash of C:\Program Files (x86)\Arduino\arduino-builder.exe:
bae2564a5c4ef824837b54b1a708194acbf28266
CertUtil: -hashfile command completed successfully.
C:\Users\tyv>certutil -hashfile "C:\Program Files (x86)\Arduino\arduino.exe" SHA512
SHA512 hash of C:\Program Files (x86)\Arduino\arduino.exe:
d8b3611e2ee71c847e214b7355c9a45026e2e57f224588ffcf8083cff40e922436d04f71401d8ce429c736cb06bd01660f4902a1957eda7c8a3addae5756665c
CertUtil: -hashfile command completed successfully.
I was able to run arduino.exe and verify the code, however I received an error access denied on some files:
Caused by: java.io.IOException: Cannot run program "C:\Program Files (x86)\Arduino\arduino-builder": CreateProcess error=5, Access is denied
Then I ran arduino.exe as Administrator with the following error when verifying the code:
Caused by: java.io.IOException: Cannot run program "C:\Program Files (x86)\Arduino\arduino-builder": CreateProcess error=1450, Insufficient system resources exist to complete the requested service
And then McAfee moved the program into quarantine again.
Not sure what to do next, I am still waiting on an answer of support after sending some more details.
I could download an older version and install it ...............
I also saw advice to install again from an MSI file, I will try that also later today.
Best regards,
Ton van der Vliet.
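An added example, not part of the original posts: the hex suffix in the two McAfee detection names quoted in this thread equals the first 12 characters of the MD5 that certutil reported for arduino-builder.exe. The Python sketch below hashes a file and checks that correlation; the function names are hypothetical, and reading the suffix as an MD5 prefix is an inference from the values on this page, not documented McAfee behaviour.

```python
import hashlib
import re

# Values copied from the posts above.
DETECTION_NAMES = ["Real Protect-LS!57c62b02d7a0", "TIE/Suspect!57C62B02D7A0"]
REPORTED_MD5 = "57c62b02d7a01acbc336658f52020b0c"


def file_hashes(path, algorithms=("md5", "sha1", "sha512"), chunk_size=1 << 20):
    """Stream the file once and return a hex digest for each algorithm."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def detection_suffix(detection_name):
    """Return the lowercase hex token after '!' in a detection name, or None."""
    match = re.search(r"!([0-9A-Fa-f]{8,})$", detection_name.strip())
    return match.group(1).lower() if match else None


def detection_matches_md5(detection_name, md5_hex):
    """True when the detection's hex suffix is a prefix of the file's MD5.

    Assumption: the suffix is a truncated MD5 (inferred from this thread).
    """
    suffix = detection_suffix(detection_name)
    return suffix is not None and md5_hex.lower().startswith(suffix)


def triage(path, detection_names):
    """Hash the file on disk and list the detections that point at exactly it."""
    hashes = file_hashes(path)
    hits = [n for n in detection_names if detection_matches_md5(n, hashes["md5"])]
    return hashes, hits


if __name__ == "__main__":
    # Check the thread's own values without needing the quarantined file.
    for name in DETECTION_NAMES:
        print(name, "->", detection_matches_md5(name, REPORTED_MD5))
```

A match means the alert is tied to this exact binary by hash, so the same digests can be compared against a freshly downloaded installer or handed to the IT team and the vendor when disputing the verdict.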
Install using Windows store does not help either, same story as above
tvdvliet:
CertUtil: -hashfile command completed successfully.
I was able to run arduino.exe and verify the code, however I received an error access denied on some files:
Caused by: java.io.IOException: Cannot run program "C:\Program Files (x86)\Arduino\arduino-builder": CreateProcess error=5, Access is denied
Then I ran arduino.exe as Administrator with the following error when verifying the code:
Caused by: java.io.IOException: Cannot run program "C:\Program Files (x86)\Arduino\arduino-builder": CreateProcess error=1450, Insufficient system resources exist to complete the requested service
And then McAfee moved the program into quarantine again.
Not sure what to do next, I am still waiting on an answer of support after sending some more details.
I could download an older version and install it ...............
I also saw advice to install again from an MSI file, I will try that also later today.
Wait till igubello gets back to you.
If I understand you correctly, older version worked? If so, use that for the meantime. I'm still on 1.8.5 and have no reason to upgrade.
installed 1.8.11: same problem.
Ok, the hash signatures are right, I have tried to reproduce the error on Windows 10 but I have no success, in my computer Arduino is installed rightly and works well. Have you installed Arduino IDE for the first time on this OS or it was an update to the last version? Have you already tried to completely remove Arduino IDE (also the directories created during the installation) and tried to install it again?
I have googled the Windows errors and they are common, but I don't know the causes and I don't understand the McAfee alert.
And if you block for a while McAfee, Arduino IDE works well?
Best regards
Be aware that some AV software does NOT fully turn off when asked to do so.
There is what used to be called TSR ( Terminate but stay resident) on some.
Only way to be sure is to check from TASK MANAGER (or similar) in both services and processes.
But please, be careful! You can activate another AV meanwhile (e.g. Windows Defender) so you are not without defense, if you don't feel safe without McAfee, you DON'T block McAfee.
Hello Ballscrewbob and Igubello,
I have indeed uninstalled IDE, even cleaned the registry and so on and did a re-install of versions 1.8.12 and 1.8.11.
I don't know anymore which version I ran in the past, it must have been a few years ago, but still on Windows; now it was a "clean" install, and funny enough, it worked the day of installation, and probably was tackled by McAfee after the latest Windows update a day later.
I run Windows Defender as well as McAfee, however several important functions are managed by the company I work for, as this is not my personal laptop.
So I have to be careful what I do and what I CAN do: some functions I cannot do because it is blocked by our IT guys.
I will think it over and will get back to you.
Thanks !
Ton
Windows defender is usually fine with most things Arduino related and does provide some basic coverage.
McAfee on the other hand can be quite intrusive.
This is more so if it is an enterprise type install.
Your IT people, as you rightly say, can best help you in that regard, as we try not to get involved in telling people how to bypass Corporate or EDU security.
Thank you! I understand you, if your IT guys can help you and try to do this test it can be really useful to me, if you cannot, don't worry, I really appreciate your patience in answering my questions
Best regards
I did not want to do much tricking with the AV, so I decided to install a rather older version: 1.8.5 after uninstall and cleaning all related to the 1.8.11 and 1.8.12 versions that gave the McAfee problems.
I installed 1.8.5 yesterday and have been working with it a few times today without any problems.
For the time being, I will leave it like this, it is good enough for me.
Thanks all for your help and advice.
NB1: I still may get advice from support; if so, I will let you know in this topic.
NB2: I will also check with our IT if there is a way to have McAfee ignore the Arduino software, so I can work anyway with the latest (supported) version.
Update1: Support closed the topic because I am being helped through this forum.
Update2: I had some discussion with our IT guys that ended as follows:
If you are satisfied with using the older version I would suggest using that for a little while and closing the ticket or suspending it for now.
McAfee TIE (Threat Intelligence Exchange) might eventually flag the newer executable as "trusted".
Currently this (I assume the newer) executable is flagged as "known malicious".
Per policy we do not manually change that to trusted.
For the time being I will stick to the currently installed 1.8.5 version.