Detected as HackTool:Win64/ExplorerPatcher!MTB

[Comeonnoob]

For some reason, latest release of EP keeps getting false flagged by Windows defender as HackTool:Win64/ExplorerPatcher!MTB. I have to exclude this app's folder from Program Files manually to uninstall it properly. What is going on?

[Amrsatrio]

TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin:

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now.

[pyrates999]

You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender.
You can also set windows defender to exclude the directory that you manually download EP to so you can install it without windows defender blocking it.

[Amrsatrio]

Also %APPDATA%\ExplorerPatcher

[Vlad55432]

microsoft is so mad ngl

[Apis035]

Thats not a false detection. They literally named it as "HackTool:Win64/ExplorerPatcher!MTB" because they don't like EP.

[kpietraszko]

It would be nice if EP deleted ep_setup.exe as soon as possible after an update, that would probably decrease the detection rate.

[pyrates999]

It's used for uninstalling. It can't be deleted before then.

[Comeonnoob]

You can also set windows defender to exclude C:\Program Files\ExplorerPatcher so future updates won't be blocked by windows defender. You can also set windows defender to exclude the directory that you manually download EP to so you can install it without windows defender blocking it.

Thank you, had to use this

Also it looks like Windows 11 24H2 update might be a disaster because Microsoft is actively blocking StartAllBack as well. Not good, Microsoft needs lawsuit from someone with a decent anmount of money.

[Amrsatrio]

Just want to post an update to this issue, looks like this will continue to haunt us forever even with local builds.

From now on, users must have added the folders below to exclusions to prevent Defender from messing with EP while still keeping Defender active.

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

The reasons we're not setting the latest 66.4 build as release are:

• It has been flagged as malicious by Microsoft.
• Existing users who never visit this project's GitHub page will never know what's going on. They can get scared by the fact that EP seemingly got infected by a virus, while in fact it is not as long as ep_setup.exe is downloaded from the project's page, which is this GitHub repository.

So that's why we kept the latest release at 65.5 which is not flagged yet as of the time of writing. (66.4 is also not flagged)

To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer which will be a simple GUI to select between release and pre-release version as well as optionally including the folders into exclusions which will be checked by default. And when they flag the PowerShell script, we can easily break the hash by modifying the script more like what MAS has been doing monthly.

For updates, users will need to download updates through EP itself not by visiting the GitHub releases page anymore.

What do you guys think?

[Vlad55432]

What do you guys think?

Powershell script is nice touch, I like that.

[pyrates999]

great idea

[Anixx]

It is not a false detection, it correctly detects it as hacking tool ExplorerPatcher.

[realAllonZ]

To make this easy for first time users and non tech savvies, I am planning to make a PowerShell-based online installer

Sounds great @Amrsatrio! More developers should implement this method.

Where can we keep an eye out for your progress on the script?

[rodolfomachado]

Hi, guys.
Ive been using EP for a good time with no issues but today when I started my PC Kaspersky detected as a dangerous object and deleted my Explorer.exe. My PC is starting but with almost no interface. I can use task manager, command. For now, I was not able to restore Explorer.exe.
Does anyone know a way? Tks

Edit:
Solved with "sfc /scannow

[Kickskii]

its marked as Backdoor:Win32/Bladabindi!ml now earlier today it was calling it HackTool:Win32/Patcher!MTB

[Anixx]

Unlike most Trojan, Backdoor:Win32/Bladabindi!ml does not create a registry entry to run itself on Windows start-up. Instead, this threat will inject harmful code into valid processes including explorer.exe, iexplore.exe, firefox.exe, chrome.exe, opera.exe, and safari.exe. Trojan will load if user runs any of these programs.

Then, the Trojan tries to contact a command and control (C&C) server through HTTP request on the same port 80, the same way users can connect to the Internet. During analysis, it was discovered that most of C&C servers that provides remote command for this threat are originating from .TW domains.

Lastly, Backdoor:Win32/Bladabindi!ml attempts to gather cookie data from the infected computer. It is also interested in collecting Internet certificates and stores them under UserProfile folder.

[rodolfomachado]

Here is what Kaspersky shows

[ff-66]

Then disable Smart Screen and real-time protection ?
I did it two days ago on my new PC and this method worked perfectly

[pyrates999]

Same here, even after following the PS script as a first time installer I am not able to install the program.

That's windows smart screen blocking it. If you didn't configure it, and this is a work computer, your sys admins at work configured it that way.

[KunjanChauhan]

Then disable Smart Screen and real-time protection ?

This is generally, not recommended as it opens up your system to all sorts of attacks.

[Thebestbmxer]

No its not. But you can turn it off, install, then turn back on.
Then use the powershell commands above as well as telling your system it is ok.

[KunjanChauhan]

No its not. But you can turn it off, install, then turn back on. Then use the powershell commands above as well as telling your system it is ok.

Yes that would work in many cases!

[mayureshs]

Then disable Smart Screen and real-time protection ? I did it two days ago on my new PC and this method worked perfectly

Do not have permissions to disable the Smart Screen or real-time protection. Any other options?

[pyrates999]

SmartScreen will still prompt you when trying to run an executable that is not signed. So this is perfectly ok.

[ErMaqui]

I have created a suggestion in MSFT Feedback hub. This madness by MSFT will only stop if enough people raise a voice.

If you agree upvote at https://aka.ms/AAs87uy - note this link will open Feedback Hub on Windows. For some reason, it will not work on an Android device. Another MSFT architecture blunder!

Screenshot below:

I think M$ closed your request...

[KunjanChauhan]

I have created a suggestion in MSFT Feedback hub. This madness by MSFT will only stop if enough people raise a voice.
If you agree upvote at https://aka.ms/AAs87uy - note this link will open Feedback Hub on Windows. For some reason, it will not work on an Android device. Another MSFT architecture blunder!
Screenshot below:

I think M$ closed your request...

I just checked and its still open. There are 22 upvotes. If there are more experiences like yours then clearly something may be amiss .....!

In any case, this requested change will not be forthcoming from MSFT through just one post on the feedback hub. I think we need a lot more upvotes and overall noise through various other feedback pipes. It's not impossible to imagine MSFT not changing their point of view!

[osde8info]

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses

tried to upvote via your link but got

had to upvote via this link instead https://aka.ms/AAse02b

[osde8info]

also upvoted native windows 11 cascade issue https://aka.ms/AAo78gw

[KunjanChauhan]

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses

tried to upvote via your link but got

had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

[rodolfomachado]

Here it says that my account don't have rights to vote

…

On Mon, 23 Sept 2024 at 15:44, Kunjan Chauhan ***@***.***> wrote: windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses tried to upvote via your link but got [image: winfeed] <https://private-user-images.githubusercontent.com/51541/369988431-371707bf-9601-4f0f-b934-ed5667c2b8db.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjcxMTcyMjYsIm5iZiI6MTcyNzExNjkyNiwicGF0aCI6Ii81MTU0MS8zNjk5ODg0MzEtMzcxNzA3YmYtOTYwMS00ZjBmLWI5MzQtZWQ1NjY3YzJiOGRiLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA5MjMlMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwOTIzVDE4NDIwNlomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTYzYjdlOTQxYmQxMTczZGUzMTBjNzJlODZhYmU4ODY1ZTM5NmU3NDk0MWJjZDZjNmQ4MmIwYWY0MTliZDA3OGQmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0In0.Bf4btC_gf_UmUeV6jCl9PnfIkBDgHhYzxv_kgHxjijI> had to upvote via this link instead https://aka.ms/AAse02b It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!! — Reply to this email directly, view it on GitHub <#3228 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AKESNQUWOO5HLNJZMOZ5LA3ZYBORXAVCNFSM6AAAAABHGS72AWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNRZGA4DQMZTHE> . You are receiving this because you commented.Message ID: ***@***.***>

[ErMaqui]

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses
tried to upvote via your link but got

had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

Link opens automatically the feedback hub app... but the result are the same.

[pyrates999]

windows 11 edge download says both exporerpatcher 65.5 and LATEST are viruses
tried to upvote via your link but got

had to upvote via this link instead https://aka.ms/AAse02b

It seems that the only way to access the suggestion is from within Windows/Feedback Hub app. I am unable to access via a browser or non-windows device such as my android phone. What can I say....!!!!!

see this comment: #3228 (comment)

[lucianoGG]

Windows 11 24h2 without issues, Kaspersky didn't detect anything

Version 22621.3880.66.6

[gsapient]

TLDR: Add EP's folders into exclusions if you want to use (and trust) EP. For Defender, run the following in PowerShell with admin:

Add-MpPreference -ExclusionPath "C:\Program Files\ExplorerPatcher"
Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"
Add-MpPreference -ExclusionPath "C:\Windows\dxgi.dll"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy"
Add-MpPreference -ExclusionPath "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy"

Microsoft does not like EP anymore, seems like. It's understandable since they've been removing legacy stuff which EP resurrects. Adding to exclusions or compiling your own EP seems to be the only way now.

This does not work, I get errors for all lines as follows:

Add-MpPreference : Operation failed with the following error: 0x%1!x!
At line:1 char:1

• Add-MpPreference -ExclusionPath "$env:APPDATA\ExplorerPatcher"

•   + CategoryInfo          : NotSpecified: (MSFT_MpPreference:root\Microsoft\...FT_MpPreference) [Add-MpPreference],
   CimException
    + FullyQualifiedErrorId : HRESULT 0xc0000142,Add-MpPreference
  

And the same for all other lines

[pyrates999]

The powershell script must run with elevated privileges.

[Shane32]

Have any devs attempted to communicate with Microsoft via https://www.microsoft.com/en-us/wdsi/filesubmission or reviewed the criteria for classification as PUA to see if perhaps some additional notices during installation are all that is necessary (see https://learn.microsoft.com/en-us/defender-xdr/criteria ). I sorta doubt that the feedback hub will do anything. Just wondering...

[Amrsatrio]

Yes Valinet did.

#3670 (comment)

[MonoxideXZ]

GUYS BE CAREFUL EXPLORER PATCHER IS A GAME HACK!!!!!!!!11!!!! (joke)