Windows Defender reports Trojan:Win32/Emali.A!cl during SonarLint installation

Hi,

I tried to install SonarLint 4.3.0 from Eclipse Marketplace on a Windows 10 (version 1803) machine. It fails because Windows Defender detects “Trojan:Win32/Emali.A!cl” in one of the downloaded JARs. The affected file is: C:\Users\myusername\AppData\Local\Temp\signatureFile879118800227653429.jar.

Due to the actions of Windows Defender, Eclipse reports the following error message:
An error occurred while collecting items to be installed
session context was:(profile=D__eclipse_package_jee-latest-released_eclipse, phase=org.eclipse.equinox.internal.p2.engine.phases.Collect, operand=, action=).
Problems downloading artifact: osgi.bundle,org.sonarlint.eclipse.core,4.3.0.12432.
Exception in opening zip file: C:\Users\myusername\AppData\Local\Temp\signatureFile8769050405659550675.jar

Since this is a company computer I’m not allowed to change Windows Defender settings, but besides that, it seems very strange to me that a trojan is detected in the official SonarLint installation.

Would you please check this issue asap?

Regards
Alex

Direct installation from the update site https://eclipse-uc.sonarlint.org fails with the same problem.

The same happens with an offline installation using the ZIP file from https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/org.sonarlint.eclipse.site-4.3.0.12432.zip.

Windows Defender reports a problem with:
file: C:\Users\myusername\Downloads\org.sonarlint.eclipse.site-4.3.0.12432.zip->plugins/org.sonarlint.eclipse.core_4.3.0.12432.jar

Hi @Alex,

I have tested https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/4.3.0/plugins/org.sonarlint.eclipse.core_4.3.0.12432.jar online using https://virusdesk.kaspersky.com/ and it reports no issues. Not sure what is happening to you, but I’m pretty sure we would have many reports if all Windows Defender users were affected.

Are you sure the file is not altered when or after you downloaded it? Maybe you could check the file checksum.

I will try to do a test on Windows on my side.

For the record, the expected checksums for the offline update site are:

org.sonarlint.eclipse.site-4.3.0.12432.zip

  • md5sum: b8374eaea7fa8cabb21e21cde6e8c3ca
  • sha1sum: a28e494f1f20170c8e50e44f807396df710f6df1
  • sha256sum: 640b0639ce6c20de5fe246c8d211bf7dfd811d6a2ccaf8f800ac3cb7668ee8ac

Hi @Julien_HENRY,

Thanks for the quick reply. I don’t think the ZIP file gets manipulated on the fly while downloading. The SHA-1 checksum of org.sonarlint.eclipse.site-4.3.0.12432.zip is A28E494F1F20170C8E50E44F807396DF710F6DF1. Can you confirm this?

I guess this is some kind of false positive depending on a specific Windows Defender definition update. The latest installed definition update is from today version 1.305.3192.0.

PS: I managed to download the ZIP file to a directory that is in our default exclusion list. This way I’ve been able to calculate the file checksum which obviously matches the one @JBL_SonarSource posted.

Even with the ZIP file successfully downloaded and extracted into the directory excluded from Windows Defender real-time scanning, I cannot install SonarLint, because Eclipse uses the Windows temp directory %temp% for some intermediate operations during installation, so Windows Defender again detects “Trojan:Win32/Emali.A!cl” there.

Would you mind downloading https://binaries.sonarsource.com/SonarLint-for-Eclipse/releases/4.3.0/plugins/org.sonarlint.eclipse.core_4.3.0.12432.jar into the directory that is excluded from Windows Defender, then extracting the JAR? Then try to copy the exploded JAR into a folder checked by Windows Defender, and see which file(s) are deleted by Windows Defender. I would like to see if we could narrow it down to a more specific file before trying to report the issue to Microsoft.

Thanks

I already tried that and Windows Defender doesn’t have any problems with the individual files. Only the full JAR is detected as a trojan. This really seems to be a false positive and I’m puzzled that it is not reproducible on your side. Due to this I cannot update SonarLint to version 4.3.0 and have to stay with 4.2.0 until this issue is sorted out.

I repacked the content of org.sonarlint.eclipse.core_4.3.0.12432.jar to a new JAR (ZIP Deflate with normal compression level) and the false positive is gone. Must have been some pattern in the binary representation of the JAR matching a suspicious signature in Windows Defender.
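The two checks made in this thread, comparing a downloaded artifact against published digests (note the uppercase SHA-1 above matching the lowercase one posted earlier) and repacking a JAR to see whether a scanner's verdict is tied to the container bytes rather than the payload, as an added Python example. This is not code from the thread or from SonarSource; the JAR it builds is a constructed in-memory fixture, and the digests checked in the demo are computed from that fixture rather than being the real SonarLint ones.

```python
"""Added example, not from the SonarLint thread or SonarSource: verify an artifact
against published digests, then repack a JAR the way the reporter did and confirm
that only the container bytes changed while every entry's content is identical."""
import hashlib
import hmac
import io
import zipfile

# Constructed fixture standing in for org.sonarlint.eclipse.core_*.jar: a manifest
# plus a fake class file (magic number, version, zero padding). Not real plugin content.
SAMPLE_ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBundle-SymbolicName: example.bundle\n",
    "org/example/Foo.class": bytes.fromhex("cafebabe") + b"\x00\x00\x00\x34" + b"\x00" * 64,
}


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests, the three the update-site page publishes."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def verify_digests(data: bytes, expected: dict) -> bool:
    """Every published digest must match. Hex is compared case-insensitively (tools print
    either case) and via hmac.compare_digest so the comparison does not leak by timing."""
    actual = digests(data)
    ok = True
    for name, value in expected.items():
        if name not in actual:
            return False
        ok &= hmac.compare_digest(actual[name], value.strip().lower())
    return ok


def build_jar(entries: dict, compression=zipfile.ZIP_STORED) -> bytes:
    """Assemble a JAR (a ZIP) in memory from {name: content}, manifest first as jar(1) does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=compression) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def entry_digests(jar: bytes) -> dict:
    """sha256 of each entry's decompressed content: the payload, independent of how the
    archive was laid out or compressed. The same loop is what you would use to extract
    the entries one by one to find out which file, if any, a scanner objects to."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest() for info in zf.infolist()}


def repack(jar: bytes, compression=zipfile.ZIP_DEFLATED) -> bytes:
    """Re-create the archive from its entries (what the reporter did to clear the detection)."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        entries = {info.filename: zf.read(info) for info in zf.infolist()}
    return build_jar(entries, compression=compression)


def repack_preserves_payload(original: bytes, repacked: bytes) -> bool:
    """True when both archives carry exactly the same entries with identical contents."""
    return entry_digests(original) == entry_digests(repacked)


if __name__ == "__main__":
    original = build_jar(SAMPLE_ENTRIES)            # stored, like many build tools emit
    published = digests(original)                  # stands in for the digests on the download page
    print("download matches published digests:", verify_digests(original, published))
    repacked = repack(original)                    # deflated, as in the reporter's experiment
    print("container bytes changed:", repacked != original)
    print("payload unchanged:", repack_preserves_payload(original, repacked))
```

A container-level verdict that disappears after a repack while every entry digest is unchanged is exactly the signature of a pattern match on archive bytes, which is what the thread concludes; a verdict that survives the repack would point at one of the entries instead, and entry_digests gives you the list to hand to the scanner one file at a time.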

I reported the issue to Microsoft, and here is their answer:

The file is not malware and we cannot reproduce any detection on the file. If detection is still observed, please follow the steps below to capture support log files from the system reporting detection.

On Windows 10, from elevated command prompt, change to directory “%programfiles%\windows defender” and execute mpcmdrun.exe with option GetFiles:
cd "%programfiles%\windows defender"
mpcmdrun.exe -GetFiles

https://www.microsoft.com/en-us/wdsi/submission/7f876a12-e14d-4e15-9f69-70433998ba30

I guess they didn’t even really try to reproduce this false positive. Today, my Windows Defender definitions updated to version 1.305.3257.0 and the issue has vanished – org.sonarlint.eclipse.core_4.3.0.12432.jar is no longer detected as a trojan and installation from Eclipse Marketplace worked.