Windows Defender Advanced Threat Protection false positive on Vivaldi components
-
Hi,
since last week I experience difficulties with Vivaldi being blocked by Windows Defender ATP:
I understand ATP is the enterprise version of Defender. Company support won't help me because Vivaldi is not on the list of supported software - though it seems to be a Defender false positive.
Anybody else experiencing this issue?
Best wishes
Peter
-
@comuki Vivaldi was blocked in Defender by your company's administrator.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=EUS:Win32/CustomEnterpriseBlock!cl
Which Vivaldi version is installed on your PC?
-
@comuki said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
Hi,
since last week I experience difficulties with Vivaldi being blocked by Windows Defender ATP:
I understand ATP is the enterprise version of Defender. Company support won't help me because Vivaldi is not on the list of supported software - though it seems to be a Defender false positive.
Anybody else experiencing this issue?
Best wishes
Peter
@comuki @DoctorG Yes, I have experienced the same message and I don't have an administrator, i.e. I am on a private network. I also got a similar message using Malwarebytes & reported it. It has nothing to do with extensions. This is an important issue & developers should be notified immediately.
-
@DoctorG said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
@comuki Vivaldi was blocked in Defender by your company's administrator.
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=EUS:Win32/CustomEnterpriseBlock!cl
Which Vivaldi version is installed on your PC?
The latest / most current version -- both Stable & Snapshot
Vivaldi 6.0.2979.15 (Stable channel) (64-bit)
Revision 48baf1f6e9cb9f18b98a815e1ae64ed52b71222f
OS Windows 11 Version 22H2 (Build 23440.1000)
-
@janrif said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
developers should be notified immediately
We (Vivaldi) can't do much, if anything, about this.
False positives like this have to be reported to the AV-vendor (in this case: Microsoft and Malwarebytes, possibly company sysadmins).
-
@comuki If your Enterprise admins block unsupported software from running, there is little you can do about it. You could try convincing them to allow Vivaldi.
I have the same at my place of work, on my work laptop only supported software can run, trying to run anything not allowed will be blocked and reported to the security people. I cannot run Vivaldi there, just how it is.
-
Really strange.
Which Defender module versions? See Windows security → Settings → Info
I run these:
Win 11 22H2 Build 22621.1555
Defender Security App version: 1000.25305.0.1000
Security Service version: 1.0.2302.21002-0
Antimalware Client version: 4.18.2303.8
Module version: 1.1.20200.4
Antivirus version: 1.387.2042.0
Antispyware version: 1.387.2042.0
Sorry, I have only German Windows and I translated the terms (I hope it is correct)
Vivaldi 6.0 and 6.1 start nicely and run.
-
@Pathduck said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
@comuki If your Enterprise admins block unsupported software from running, there is little you can do about it. You could try convincing them to allow Vivaldi.
I have the same at my place of work, on my work laptop only supported software can run, trying to run anything not allowed will be blocked and reported to the security people. I cannot run Vivaldi there, just how it is.
@comuki @Pathduck @DoctorG Again, I do not have an administrator as I am on private network where I am my own administrator. This situation only began after latest install after Vivaldi servers went down and were repaired.
-
@yngve said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
@janrif said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
developers should be notified immediately
We (Vivaldi) can't do much, if anything, about this.
False positives like this have to be reported to the AV-vendor (in this case: Microsoft and Malwarebytes, possibly company sysadmins).
@yngve This began after the latest install so something is different.
-
@janrif said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
after Vivaldi servers went down and were repaired
The download and update servers were running perfect, that has nothing to do with your issue.
-
@janrif said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
began after the latest install
False positives depend on Microsoft Defender module updates and malware database.
I uploaded my Vivaldi 6.0 Stable to scans
- on Virustotal and got no alert
  https://www.virustotal.com/gui/file/807f03d2f3d38e2faaed7d64a1859a188d313a36a75d91098b0c4908f4e2e513/detection
- No alert on Jotti Malwarescan
  https://virusscan.jotti.org/de-DE/filescanjob/ik2r2y6t0e
-
@DoctorG said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
@janrif said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
began after the latest install
False positives depend on Microsoft Defender module updates and malware database.
I uploaded my Vivaldi 6.0 Stable to scans
- on Virustotal and got no alert
  https://www.virustotal.com/gui/file/807f03d2f3d38e2faaed7d64a1859a188d313a36a75d91098b0c4908f4e2e513/detection
- No alert on Jotti Malwarescan
  https://virusscan.jotti.org/de-DE/filescanjob/ik2r2y6t0e
@DoctorG @comuki @yngve Look; you guys know much, much more than I do. I can only report what has suddenly started to occur. There are now two of us reporting the same issue. I can assure you that nothing new has been installed on my system except Malwarebytes & I'm willing to remove it but the same thing is now being reported by Windows Defender so IMHO there is a problem that needs to be addressed.
-
@comuki @janrif I do not know why your Defender blocks. Is that a Windows Insider version? That could be the reason why MS thinks that your Vivaldi is bad software.
You should report that by Microsoft Feedback-Hub.
I suggest you reinstall Vivaldi; download the 6.0.2979.15 Stable installer exe to get the newer one.
- SHA256 sum of installer:
  2303129c25811d22fcddef033a7e64bf89de7864261d62adc89d440403f6c676 Vivaldi.6.0.2979.15.x64.exe
- SHA256 sum of vivaldi.exe:
  807f03d2f3d38e2faaed7d64a1859a188d313a36a75d91098b0c4908f4e2e513 Vivaldi.exe
Check with PowerShell:
    PS T:\> Get-FileHash -Path T:\Vivaldi.6.0.2979.15.x64.exe -Algorithm SHA256

    Algorithm  Hash                                                              Path
    ---------  ----                                                              ----
    SHA256     2303129C25811D22FCDDEF033A7E64BF89DE7864261D62ADC89D440403F6C676  T:\Vivaldi.6.0.2979.15.x64.exe

    PS T:\> Get-FileHash -Path T:\Vivaldi.exe -Algorithm SHA256

    Algorithm  Hash                                                              Path
    ---------  ----                                                              ----
    SHA256     807F03D2F3D38E2FAAED7D64A1859A188D313A36A75D91098B0C4908F4E2E513  T:\Vivaldi.exe
Please, for a check
- Create checksums as I described before and tell me here which are yours
- Check Digital Signature details for vivaldi.exe and the Vivaldi.6.0.2979.15.x64.exe as described in https://www.ghacks.net/2018/04/16/how-to-verify-digital-signatures-programs-in-windows/
  Should read vivaldi.exe something like
  "Vivaldi Technologies AS"
  "Wednesday, 19. April 2023 05:34:00"
- Upload the vivaldi.exe file to https://www.microsoft.com/en-us/wdsi/filesubmission
- Start Windows Update manually to get latest malware databases
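The checksum and signature checks from the post above can be run in one pass. This is an added example, not part of the original post and not Vivaldi's own tooling; the function name `Test-VivaldiBinary` is hypothetical, and it assumes the signing certificate's common name equals the signer string quoted in the post.

```powershell
# Added example. Reference hashes and signer name are the ones quoted in the post above.
$KnownHashes = @{
    '2303129c25811d22fcddef033a7e64bf89de7864261d62adc89d440403f6c676' = 'Vivaldi.6.0.2979.15.x64.exe (installer)'
    '807f03d2f3d38e2faaed7d64a1859a188d313a36a75d91098b0c4908f4e2e513' = 'vivaldi.exe 6.0.2979.15'
}
$ExpectedSigner = 'Vivaldi Technologies AS'   # assumption: matches the certificate CN

function Test-VivaldiBinary {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $file = Get-Item -LiteralPath $Path -ErrorAction Stop
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

        # Common name of the signing certificate; stays empty for unsigned files.
        $signer = ''
        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        }

        [pscustomobject]@{
            File            = $file.FullName
            SHA256          = $hash
            # Empty when the hash is not one of the two builds listed in the post;
            # that alone only means "a different build", not "malicious".
            KnownBuild      = $KnownHashes[$hash]
            SignatureStatus = $sig.Status
            Signer          = $signer
            # Windows must validate the signature AND the signer must be the expected one.
            SignatureOk     = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSigner)
        }
    }
}

# Paths as used in the post; adjust to where the files actually are.
'T:\Vivaldi.6.0.2979.15.x64.exe', 'T:\Vivaldi.exe' |
    Where-Object { Test-Path -LiteralPath $_ } |
    Test-VivaldiBinary |
    Format-List
```

A file that only carries a Vivaldi-like name but was not signed by Vivaldi shows `SignatureOk : False`, which is the result worth attaching to a false-positive submission or an allow-list request.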
-
@DoctorG What is the default location to run vivaldi.exe? I have my installation in a different folder & I want to test from default folder. TIA
-
@janrif Installation for current user? At C:\Users\YOURWINDOWSNAME\AppData\Local\Vivaldi\Application
For All Users on PC: C:\Program Files\Vivaldi\
-
@DoctorG said in Windows Defender Advanced Threat Protection false positive on Vivaldi components:
@janrif Installation for current user? At C:\Users\YOURWINDOWSNAME\AppData\Local\Vivaldi\Application
For All Users on PC: C:\Program Files\Vivaldi\
New download Installed at that location. Here is the report from Malwarebytes
-
@janrif What is this setup.exe? Where did you get it from? Which Vivaldi version number had the folder?
-
@janrif
Hi, I downloaded the snapshot/stable a few minutes ago, it looks like:
No security messages on a fresh installed Windows 11.
Cheers, mib
-
@janrif you can delete a setup.exe in downloads\ , it's not from Vivaldi for sure.
-
@iAN-CooG @comuki @DoctorG @mib2berlin @Pathduck @yngve I think I've solved the problem with the following. I deleted everything in my download folder, reset the machine, reinstalled latest Vivaldi in proper folder, un-installed Malwarebytes & quarantined errant program announcement in MS Windows Defender. In addition, there was a small program which was trying to install itself on my pc called "Martose" which I deleted as well. So far, so good. Thank you all for your help. Much appreciated. Have a good day.