
V2.1.28 is being flagged by Windows Security for containing a Trojan #5974

Closed
xdc7 opened this issue Feb 23, 2021 · 9 comments
Labels: bug (This issue is a bug.), closing-soon (This issue will automatically close in 4 days unless further comments are made.), v2, windows

Comments


xdc7 commented Feb 23, 2021

I tried to install v2.1.28 today and It got this trojan alert from Windows Security:

[image]

Hopefully it's a false positive but just wanted to see if anyone has experienced this before

@salt2guotou

same. Binary downloaded from https://aws.amazon.com/cli/ is flagged to have trojan.

@kyleknap (Contributor)

We were able to reproduce the security warning when installing 2.1.28. We rolled back the version located at https://awscli.amazonaws.com/AWSCLIV2.msi to version 2.1.27. So if you are getting this warning, I would recommend first uninstalling the 2.1.28 version and then redownloading and installing the MSI from https://awscli.amazonaws.com/AWSCLIV2.msi. This should install 2.1.27 which should not have the security warning.

We are currently researching what is triggering the security warning. We currently suspect that it has something to do with the fact we upgraded the Python interpreter used in the MSI to Python version 3.8.8.

@salt2guotou

Kyle, thanks for the quick update and response.


xdc7 commented Feb 23, 2021

Thanks for the update, Kyle. I'm using 2.1.27 for now

@bradthurber

For what it is worth, I submitted the 2.1.28 MSI to Microsoft Security Intelligence for analysis
Submission ID ea665cc0-2c51-4a65-9836-318495c86acc
Their submission tool detected malware upon initial scan; however their final determination was "Not malware".

kdaily added the elbv2, v2, windows and bug labels and removed the elbv2 label on Feb 23, 2021
@bradthurber

For what it is worth, I submitted the 2.1.28 MSI to Microsoft Security Intelligence for analysis

I have received submission comments from the Microsoft Analyst:

We have removed the detection. Please follow the steps below to clear cached detection and obtain the latest malware definitions.

  1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
  2. Run “MpCmdRun.exe -removedefinitions -dynamicsignatures”
  3. Run "MpCmdRun.exe -SignatureUpdate"

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thank you for contacting Microsoft.

@kyleknap (Contributor)

Thanks @bradthurber for submitting the report and updating this issue with the reply! We can confirm following the manual steps clears the detection on our side as well. This update should eventually be propagated automatically. In the meantime, we are currently engaging with Microsoft to make sure we can safely reintroduce 2.1.28 as the default version to install.


kyleknap commented Mar 9, 2021

Hi everyone. Just wanted to give an update on this… Version 2.1.28 was incorrectly flagged by Windows Defender and by other antivirus products. We have cleared the detection with many of these Windows antivirus vendors, and they have updated their definitions so you should not be seeing the warnings anymore. We believe the false-positive detections were triggered by a combination of two reasons:

  1. We updated both the Python interpreter used in the CLI to 3.8.8 and the version of PyInstaller, which we use to generate the executables needed to run the AWS CLI. These updates changed the generated aws.exe and aws_completer.exe executables that the MSI installs in a way that triggered the false-positive AV detections.

  2. We always sign the MSI’s, but historically, we have not signed the executables inside the MSI. Combined with the new changes in the executables, AV software does not necessarily associate the MSI signature with the executables it installs. So there was no previous trust being applied (from the certificate we use to sign the MSIs) when these new, unfamiliar executables were encountered on the system.

That being said, we recently published an MSI of version 2.1.29 which runs on Python 3.8.8 and was generated using the updated version of PyInstaller. The MSI and its executables are signed with an EV certificate and are being reported as clear by AVs. This is currently at the default MSI download location: https://awscli.amazonaws.com/AWSCLIV2.msi and you should not run into any issues using it.

Moving forward for future releases, we will be signing both the MSI and its executables and look into better false positive AV detection mechanisms for our release artifacts prior to publishing them.

Let us know if you have any follow up questions/comments. Otherwise, we will close this after some length of inactivity.
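The root cause described above is that the MSI carried a signature but the executables inside it did not, so Defender had no trust to carry over to the unfamiliar aws.exe and aws_completer.exe. The script below is an added example (not from this thread or the AWS CLI project) showing how a Windows administrator can check that both the MSI and every .exe it ships are Authenticode-signed by the same certificate before installing. It assumes the MSI has been downloaded to $MsiPath and uses an administrative install (msiexec /a) to unpack the package without running its install actions.

```powershell
# Added example: verify the MSI and the executables it contains are signed
# by the same certificate. Not part of the AWS CLI project.
# Assumptions: $MsiPath points at the downloaded MSI; $ExtractDir is scratch space.
param(
    [string]$MsiPath    = "$env:USERPROFILE\Downloads\AWSCLIV2.msi",
    [string]$ExtractDir = "$env:TEMP\awscli-msi-extract"
)

function Test-SignedFile {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Status     = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
        Signer     = $sig.SignerCertificate.Subject
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
}

# 1. Check the MSI itself; this is the signature the thread says was always present.
$results = @(Test-SignedFile -Path $MsiPath)

# 2. Unpack the MSI without installing it (administrative install), so the
#    executables can be inspected before anything from the package is executed.
New-Item -ItemType Directory -Force -Path $ExtractDir | Out-Null
Start-Process msiexec.exe -Wait -ArgumentList "/a `"$MsiPath`" /qn TARGETDIR=`"$ExtractDir`""

# 3. Check every .exe the MSI carries (aws.exe, aws_completer.exe and anything else).
#    DLLs are left out on purpose: Python/PyInstaller DLLs may carry third-party signatures.
Get-ChildItem -Path $ExtractDir -Recurse -Include *.exe |
    ForEach-Object { $results += Test-SignedFile -Path $_.FullName }

$results | Format-Table -AutoSize

# 4. Fail on anything unsigned, tampered, or signed by a different certificate
#    than the MSI, which is exactly the trust gap described in the thread.
$msiThumb = $results[0].Thumbprint
$bad = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Thumbprint -ne $msiThumb }
if ($bad) {
    Write-Warning "Unsigned, invalid, or differently-signed files found:"
    $bad | Format-Table -AutoSize
    exit 1
}
"All $($results.Count) files are validly signed by the same certificate as the MSI."
```

Run it from an elevated prompt only if the extraction directory requires it; the administrative install itself does not need to be the final install location, and the scratch directory can be deleted afterwards.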

kyleknap added the closing-soon label (This issue will automatically close in 4 days unless further comments are made.) on Mar 9, 2021
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
