Windows Defender reports trojan found when SSL cert is saved
Moderator: Project members
-
- 500 Command not understood
- Posts: 3
- Joined: 2018-10-08 17:15
- First name: Ellie
- Last name: Armsby
Windows Defender reports trojan found when SSL cert is saved
I'm new to this forum, but did do a search of this before posting. However, I do apologize if this is answered somewhere on this forum that I didn't find in my search.
I've been using FileZilla for years and usually don't have many problems. However, today as I'm downloading some backup files from a client's website, I keep running into an issue with the "unknown certificate" message that pops up. I verify the certificate is valid (in fact I created it myself on the server for this client) and I click the box for "always trust certificate in future sessions." I've done this many times before without any problem.
However, if I do that, Windows Defender pops up and tells me there is a trojan found in the file C:\Users\MY_USER_NAME\AppData\Roaming\FileZilla\trustedcerts.xml. The trojan it reports is: Script/AHCoinMiner.A
This seems like a legit trojan and something that should be removed. When I remove it, then I keep getting the pop up about unknown certificate.
Not quite sure what is going on and what I should do to resolve the issue. Any ideas?
Thanks!
Re: Windows Defender reports trojan found when SSL cert is saved
It's a false-positive. Contact your AV vendor for assistance.
-
- 500 Command not understood
- Posts: 3
- Joined: 2018-10-08 17:15
- First name: Ellie
- Last name: Armsby
Re: Windows Defender reports trojan found when SSL cert is saved
So, are you saying the "TrojanDownloader:Script/AHCoinMiner.A" is not a Trojan? And that I should allow it in Windows Defender? I don't have an AV Vendor, it is Windows. The "coinMiner" bit certainly does not seem trustworthy to me. A quick Google search seems to indicate that it is malware.
Re: Windows Defender reports trojan found when SSL cert is saved
Microsoft is your AV vendor.
The file trustedcerts.xml does not contain scripts that could be executed, just TLS certificates you opt to remember. If now the AV detects that file as a BC mining script, how can you expect that to be a serious and correct detection? It's like detecting Windows Ransomware in the Linux kernel...
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org
-
- 500 Command not understood
- Posts: 3
- Joined: 2018-10-08 17:15
- First name: Ellie
- Last name: Armsby
Re: Windows Defender reports trojan found when SSL cert is saved
Then does it seem that there is a mining script in the certificate itself, since the trojan is found by Windows Defender every time I try to save the cert to the xml file? I actually can't find the xml file on my system so I don't know if Windows is getting rid of it when it detects the malware script.
Re: Windows Defender reports trojan found when SSL cert is saved
Hello,
I received this warning as well today. Windows 10 Defender.
I understand what you're saying about an xml file can't contain a script.
My question is where or how did Windows come up with "the TrojanDownloader::Script/AHCoinMiner.A" if it doesn't exist.
Thank you.
Re: Windows Defender reports trojan found when SSL cert is saved
Simple: Antivirus software is not flawless by far, and detection of malware isn't an exact business, either. Actually, it's a lot of guesswork (dubbed "heuristics").
Defender will probably say something in the line of "Found possible sign of <Malware>" or "Suspected detection of <Malware>". It just guesses.
So-called "False Positives" (detection of harmless files as malware) are actually very common. Please read: https://en.wikipedia.org/wiki/Antivirus ... positives,
If you don't mind re-checking remembered certificates, that file can simply be deleted. FileZilla will create a new one in its place.
Re: Windows Defender reports trojan found when SSL cert is saved
The same problem is happening here.
Windows Defender is detecting trustedcerts.xml as "dangerous" (see attachment) and moving it into quarantine.
Therefore every connection to FTP servers (I tested around 10) will present a warning message about an unknown certificate && also a red warning "Hostname does not match certificate".
TrojanDownloader:Script/AHCoinMiner.A seems a recent addition to MS Antivirus sign, please see below:
https://www.microsoft.com/en-us/wdsi/th ... 2147729628
- Attachments
-
- Annotation.png (17.1 KiB) Viewed 4104 times
Re: Windows Defender reports trojan found when SSL cert is saved
You're barking up the wrong tree. It's a false-positive, you need to contact Microsoft for assistance in this matter.
-
- 500 Command not understood
- Posts: 1
- Joined: 2018-10-09 15:55
- First name: Jan
- Last name: Bludau
Re: Windows Defender reports trojan found when SSL cert is saved
I have the same error with TrojanDownloader:Script/AHCoinMiner.A false positive
https://www.microsoft.com/en-us/wdsi/th ... 2147729628
Re: Windows Defender reports trojan found when SSL cert is saved
Have this exact same error.
Surely a false positive would be more vague, and not specific "AHCoinMiner"?
Re: Windows Defender reports trojan found when SSL cert is saved
You have stage 3 lung cancer, located in the posterior part of the upper segment of the right lobe and have no more than 3 months to live.
That's a quite specific statement, yet still a false-positive.
-
- 425 Can't open data connection
- Posts: 46
- Joined: 2013-07-30 14:45
- First name: nigel
- Last name: coldwell
Re: Windows Defender reports trojan found when SSL cert is saved
What would a coinminer be doing in an XML file? Why not just open the file in a text editor (such as Notepad) and see?
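One way to do the "open it and see" check programmatically, as an added example that is not part of the original thread or FileZilla's own code: it walks every text node in the XML and sorts it into an inert shape (number, hostname, hex blob, hex blob that decodes to a DER SEQUENCE), listing anything else for manual review. The element names in the sample are an assumed layout and the sample document is constructed; the checker does not depend on them.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

HEX_RE = re.compile(r"(?:[0-9a-fA-F]{2})+")
INT_RE = re.compile(r"\d+")
HOST_RE = re.compile(r"[A-Za-z0-9.-]+")

# Constructed sample. Element names are an assumed layout; the 5-byte <Data>
# blob is a stand-in DER SEQUENCE, not a real certificate.
SAMPLE = ("<FileZilla3><TrustedCerts><Certificate><Data>3003020105</Data>"
          "<Host>ftp.example.test</Host><Port>21</Port></Certificate></TrustedCerts></FileZilla3>")

def is_der_sequence(blob: bytes) -> bool:
    """True if blob is exactly one non-empty DER SEQUENCE (outer shape of X.509)."""
    if len(blob) < 2 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        header, length = 2, first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(blob) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(blob[2:2 + n], "big")
    return length > 0 and header + length == len(blob)

def classify(text: str) -> str:
    """Map a text node to an inert data shape, or REVIEW if it fits none."""
    if HEX_RE.fullmatch(text) and is_der_sequence(bytes.fromhex(text)):
        return "der-hex"
    if INT_RE.fullmatch(text):
        return "integer"
    if HEX_RE.fullmatch(text):
        return "hex"
    return "hostname" if HOST_RE.fullmatch(text) else "REVIEW"

def audit_trust_store(xml_text: str):
    """Return (Counter of (tag, kind), [(tag, value)] needing manual review)."""
    kinds, review = Counter(), []
    for el in ET.fromstring(xml_text).iter():
        for raw in (el.text, el.tail):    # text inside and directly after each element
            text = (raw or "").strip()
            if text:
                kind = classify(text)
                kinds[(el.tag, kind)] += 1
                if kind == "REVIEW":
                    review.append((el.tag, text[:60]))
    return kinds, review
```

Run it on a copy of the flagged file: an empty review list means every text node is a number, a hostname or a hex blob, none of which is script text.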
Re: Windows Defender reports trojan found when SSL cert is saved
Not that it could ever be executed from that file...
Re: Windows Defender reports trojan found when SSL cert is saved
At least you're not using Linux, there's a few million coin miners in /dev/random alone