Windows Defender reports trojan found when SSL cert is saved

earmsby
500 Command not understood
Posts: 3
Joined: 2018-10-08 17:15
First name: Ellie
Last name: Armsby

Windows Defender reports trojan found when SSL cert is saved

#1 Post by earmsby » 2018-10-08 17:30

I'm new to this forum, but did do a search of this before posting. However, I do apologize if this is answered somewhere on this forum that I didn't find in my search.

I've been using FileZilla for years and usually don't have many problems. However, today as I'm downloading some backup files from a client's website, I keep running into an issue with the "unknown certificate" message that pops up. I verify the certificate is valid (in fact I created it myself on the server for this client) and I click the box for "always trust certificate in future sessions." I've done this many times before without any problem.

However, if I do that, Windows Defender pops up and tells me there is a trojan found in the file C:\Users\MY_USER_NAME\AppData\Roaming\FileZilla\trustedcerts.xml. The trojan it reports is: Script/AHCoinMiner.A

This seems like a legit trojan and something that should be removed. When I remove it, then I keep getting the pop up about unknown certificate.

Not quite sure what is going on and what I should do to resolve the issue. Any ideas?

Thanks!

botg
Site Admin
Posts: 35555
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Windows Defender reports trojan found when SSL cert is saved

#2 Post by botg » 2018-10-08 18:49

It's a false-positive. Contact your AV vendor for assistance.

Re: Windows Defender reports trojan found when SSL cert is saved

#3 Post by earmsby » 2018-10-08 18:58

So, are you saying the "TrojanDownloader:Script/AHCoinMiner.A" is not a Trojan? And that I should allow it in Windows Defender? I don't have an AV Vendor, it is Windows. The "coinMiner" bit certainly does not seem trustworthy to me. A quick Google search seems to indicate that it is malware.

boco
Contributor
Posts: 26934
Joined: 2006-05-01 03:28
Location: Germany

Re: Windows Defender reports trojan found when SSL cert is saved

#4 Post by boco » 2018-10-08 19:37

Microsoft is your AV vendor.

The file trustedcerts.xml does not contain scripts that could be executed, just TLS certificates you opt to remember. If now the AV detects that file as a BC mining script, how can you expect that to be a serious and correct detection? It's like detecting Windows Ransomware in the Linux kernel...
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

Re: Windows Defender reports trojan found when SSL cert is saved

#5 Post by earmsby » 2018-10-08 21:03

Then does it seem that there is a mining script in the certificate itself, since the trojan is found by Windows Defender every time I try to save the cert to the xml file? I actually can't find the xml file on my system so I don't know if Windows is getting rid of it when it detects the malware script.

kld53
500 Command not understood
Posts: 1
Joined: 2018-10-08 23:00
First name: K
Last name: D

Re: Windows Defender reports trojan found when SSL cert is saved

#6 Post by kld53 » 2018-10-08 23:04

Hello,

I received this warning as well today. Windows 10 Defender.

I understand what you're saying about an xml file can't contain a script.

My question is where or how did Windows come up with "the TrojanDownloader::Script/AHCoinMiner.A" if it doesn't exist.

Thank you.

Re: Windows Defender reports trojan found when SSL cert is saved

#7 Post by boco » 2018-10-08 23:33

Simple: Antivirus software is not flawless by far, and detection of malware isn't an exact business, either. Actually, it's a lot of guesswork (dubbed "heuristics").

Defender will probably say something in the line of "Found possible sign of <Malware>" or "Suspected detection of <Malware>". It just guesses.


So-called "False Positives" (Detection of harmless files as Malware) are actually very common. Please read: https://en.wikipedia.org/wiki/Antivirus ... positives


If you don't mind re-checking remembered certificates, that file can simply be deleted. FileZilla will create a new one in its place.

Gobbo
500 Command not understood
Posts: 1
Joined: 2018-10-08 23:37

Re: Windows Defender reports trojan found when SSL cert is saved

#8 Post by Gobbo » 2018-10-08 23:43

The same problem is happening here.
Windows Defender is detecting trustedcerts.xml as "dangerous" (see attachment) and moving it into quarantine.

Therefore every connection to FTP servers (I tested around 10) will present a warning message about an unknown certificate && also a red warning "Hostname does not match certificate".

TrojanDownloader:Script/AHCoinMiner.A seems a recent addition to MS Antivirus sign, please see below:
https://www.microsoft.com/en-us/wdsi/th ... 2147729628

Re: Windows Defender reports trojan found when SSL cert is saved

#9 Post by botg » 2018-10-09 07:52

You're barking up the wrong tree. It's a false-positive, you need to contact Microsoft for assistance in this matter.

Horus_Sirius
500 Command not understood
Posts: 1
Joined: 2018-10-09 15:55
First name: Jan
Last name: Bludau

Re: Windows Defender reports trojan found when SSL cert is saved

#10 Post by Horus_Sirius » 2018-10-09 16:03

I have the same error with TrojanDownloader:Script/AHCoinMiner.A false positive

https://www.microsoft.com/en-us/wdsi/th ... 2147729628

md1989
500 Command not understood
Posts: 1
Joined: 2018-10-09 17:34
First name: M
Last name: D

Re: Windows Defender reports trojan found when SSL cert is saved

#11 Post by md1989 » 2018-10-09 17:36

Have this exact same error.
Surely a false positive would be more vague, and not specific "AHCoinMiner"?

Re: Windows Defender reports trojan found when SSL cert is saved

#12 Post by botg » 2018-10-09 18:07

You have stage 3 lung cancer, located in the posterior part of the upper segment of the right lobe and have no more than 3 months to live.

That's a quite specific statement, yet still a false-positive.

flagpole
425 Can't open data connection
Posts: 46
Joined: 2013-07-30 14:45
First name: nigel
Last name: coldwell

Re: Windows Defender reports trojan found when SSL cert is saved

#13 Post by flagpole » 2018-10-10 19:53

What would a coinminer be doing in an XML file? Why not just open the file in a text editor (such as Notepad) and see?
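
Opening the flagged file and looking, done as a small triage script (an added example, not part of the original thread or of FileZilla): it lists every text value in an XML file and labels it as a number, hex data, a hostname, or something that needs a human look. The XML layout, element names and values in `SAMPLE` are constructed assumptions, not copied from a real trustedcerts.xml.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed layout for illustration.
SAMPLE = """<FileZilla3>
  <TrustedCerts>
    <Certificate>
      <Data>3082020a0282020100c4f1a9</Data>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
    </Certificate>
  </TrustedCerts>
</FileZilla3>"""

HEX = re.compile(r"[0-9a-fA-F]{2,}")
HOST = re.compile(r"[A-Za-z0-9.-]+")
# Illustrative markers of script text; not Defender's actual signature.
SCRIPTY = re.compile(r"<script|function\s*\(|eval\s*\(|https?://", re.I)

def classify(text):
    """Label one text value by what it looks like."""
    if SCRIPTY.search(text):
        return "script-like"
    if text.isdigit():
        return "number"
    if HEX.fullmatch(text) and len(text) % 2 == 0:
        return "hex"
    if HOST.fullmatch(text):
        return "hostname"
    return "other"

def triage(xml_text):
    """Return (path, kind, length) for each non-empty text, tail or attribute."""
    rows = []
    def walk(el, path):
        here = f"{path}/{el.tag}"
        values = [el.text or "", el.tail or ""] + list(el.attrib.values())
        for v in (v.strip() for v in values):
            if v:
                rows.append((here, classify(v), len(v)))
        for child in el:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return rows

def needs_review(xml_text):
    """Only the values that are neither plain data nor a hostname."""
    return [r for r in triage(xml_text) if r[1] in ("script-like", "other")]

if __name__ == "__main__":
    for path, kind, length in triage(SAMPLE):
        print(f"{kind:12} {length:5}  {path}")
```

An empty `needs_review` result means the file holds only inert data, which is the case to report to the AV vendor as a false positive; any row it does return is the part to read by hand.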

Re: Windows Defender reports trojan found when SSL cert is saved

#14 Post by boco » 2018-10-10 19:59

Not that it could ever be executed from that file...

Re: Windows Defender reports trojan found when SSL cert is saved

#15 Post by botg » 2018-10-10 20:54

At least you're not using Linux, there's a few million coin miners in /dev/random alone :wink:
