Get the Connect IQ 6.2.2 SDK

I update the sdkmanager and Windows 10 defender tells me that there is a virus in the exe.

file: connectiq-sdk-manager-windows\sdkmanager.exe

Trojan:Win32/Bearfoos.A!ml

Is this real or a false alarm?

  • For what it's worth, my SDK Manager auto-updated to 1.0.6 and I didn't get any virus warnings. This is the case on both Windows 10 and Windows 11 for me. (Windows Security is definitely enabled - it's scanning and blocking potentially harmful apps on both systems.)

    I also tried downloading the sdk manager directly from the Garmin website and I didn't have any problems:

    [https://developer.garmin.com/connect-iq/sdk/]

    If I unzip the sdk file, defender moves the executable away to a quarantine directory.

    If you're confident that the file is safe, you can unquarantine it.

    In Windows 10:

    - Start > Windows Security

    - Virus & threat protection

    - Protection history

    - You'll be shown a list which contains, among other things, blocked apps - each entry will have a date/time stamp. Click on items until you find the one which corresponds to the sdk manager and unquarantine it

      Here's how I reproduced this (win11).  Pulled down the 1.0.6 zip files, extracted it to a new directory and manually ran sdkmanager.exe.  I only saw the message once, and after "run anyway", it now runs with no message.

    That's not a trojan/virus alert lol, and you didn't reproduce the issue that OP is talking about. If a trojan or virus was detected, the file would be quarantined or blocked, just as OP reported. That's the standard dialog that appears when you try to run an unsigned app and "SmartScreen" is enabled.

    Let me guess, it looks just like this:

    Read the text carefully.

    Also, try downloading this malware test file hosted at the following link (not a real virus) if you want to see what Windows would actually do if you try to open a file that it thinks is a virus/trojan/malware:

    [https://www.eicar.org/download-anti-malware-testfile/]

    I really really doubt that the garmin folks have a virus in it, because, as I said I saw something similar a couple years back and it was a false positive.

    Solid logic. "Last time a virus was detected in the Garmin SDK manager it was a false positive, therefore this time it must also be a false positive!" Kinda like how initially everyone was worried about bird flu, but it turned out to be no big deal, and the exact same thing happened with covid!

    Because:

    - no one has ever hacked into a trustworthy corporation's servers and maliciously replaced one of their files with a version that has a virus or malware. That must be why Microsoft and other companies never publish file hashes alongside downloads so that you can verify the file you download hasn't been modified from the file that was originally published.

    - even more to the point, Garmin has never famously been hacked, resulting in a $10 million payout oh wait

    https://www.cshub.com/attacks/articles/incident-of-the-week-garmin-pays-10-million-to-ransomware-hackers-who-rendered-systems-useless

    A better argument would be that 's statement above implies that it's most likely a false positive.

    An even better argument would be that this false positive is only happening on some Windows 10/11 systems and not others.

    A counter-argument would be: better safe than sorry. After all, isn't it a red flag that some ppl are seeing a virus alert and others aren't? is it possible that they've somehow received a different version of the file than everyone else? This is where publishing the hashes would help (although ofc, it might be possible for attackers to modify those, too. But at least we could compare hashes in the thread)

    TL;DR I think it's a ridiculous argument to imply that just because you like/trust Garmin and you're on a first-name basis with the CIQ team, that it's impossible for Garmin to unwittingly serve a file that's infected with a virus. By the same argument, the ransomware attack must've been impossible, too.

    Here's the thread from a couple years back about McAfee and the SDKmanager where there was a false report of a virus. Sounds like it's happening now with Win10 and defender.

    Is there supposed to be a link to a thread here?

  • I had the same issue.

    One can get false positives if it’s a program that isn’t in the database.

    I’ve run across this in other cases. 

  • A follow-up on this since there's a decent discussion here—we use a few different security tools internally that did not identify SDK Manager as a virus, so there's a good amount of confidence there is no virus here. For reasons I'm not familiar with, we don't sign our Windows executable, and suspect that may be the reason this is getting flagged as potential malware.

    I did some looking around, and Bearfoos seems to be a somewhat common false positive. I'd recommend scanning with other anti-malware software you may have available just to be safe.

  • For reasons I'm not familiar with, we don't sign our Windows executable, and suspect that may be the reason this is getting flagged as potential malware.

    No, that's not the reason it's getting flagged.

    EDIT:

    The OP is talking about a positive (and specific) "has a virus" message. This message has nothing to do with the executable being unsigned. (Every executable, signed or unsigned is being scanned for viruses.)

    The "may have potential malware" message is something else. This message relates to the executable being unsigned. (But the OP was clearly talking about something else.)

  • It just worked for me now. I did not get the virus warning.

    (It looks like one sometimes has to wait for MS to catch up.)

  • For reasons I'm not familiar with, we don't sign our Windows executable, and suspect that may be the reason this is getting flagged as potential malware.

    No, that's not the reason it's getting flagged.

    Agreed. As mentioned above, it *is* why most Windows users will get a confirmation prompt on first run (unless they change their default settings), which one person has *mistaken* as a sign that the executable was flagged as malware.

    It does depend on what you mean as "flagged as potential malware" though.

    If you mean: "Windows presents confirmation dialog because it thinks the file may be harmful/unwanted" then yes, it's because the executable isn't signed.

    If you mean: "Windows quarantines or blocks the file because it thinks the file is malware" then no, that's not why.

    If someone said "flagged as potential malware", I would assume the 2nd case, especially since we're talking about the file being detected as a specific malware variant (bearfoos) and being quarantined, and the 1st case absolutely does not apply when Windows Security thinks it's identified a specific malware variant in a file.

    Having said that, it seems that signing the executable would reduce potential confusion.

  • Yes, it wasn't clear.

    But people appear to have ignored what the OP said.

    The OP was clearly talking about a positive (and specific) "has a virus" notification.

    The "may be harmful/unwanted" warning is something else (and not what the OP was talking about).

  • I am not home before Friday. I will update the sdk this weekend and see if MS defender will not flag it as a virus.
    Thanks for checking this out for me.
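
The thread turns on two checks: comparing file hashes between users, and telling a SmartScreen prompt for an unsigned file apart from a Defender detection that quarantines it. The PowerShell below is an added example, not code from any poster or from Garmin; the default path is the one from the original post and the function name `Get-DownloadReport` is hypothetical.

```powershell
# Added example. Default path is the file named in the original post; adjust as needed.
param([string]$Path = '.\connectiq-sdk-manager-windows\sdkmanager.exe')

function Get-DownloadReport {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$File)

    # A quarantined file is no longer on disk, so record presence first.
    $report = [ordered]@{ File = $File; Present = (Test-Path -LiteralPath $File) }

    if ($report.Present) {
        # SHA-256 that users in the thread could post and compare with each other.
        $report.SHA256 = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash

        # Authenticode status: 'NotSigned' explains a first-run SmartScreen prompt,
        # not a named-threat detection.
        $sig = Get-AuthenticodeSignature -LiteralPath $File
        $report.Signature = $sig.Status
        $report.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Mark of the Web: present on files extracted from a downloaded zip,
        # and what makes SmartScreen evaluate the file on first run.
        $zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $report.MarkOfTheWeb = [bool]$zone
    }

    # Defender detection history that mentions this file name. An entry here is
    # the "has a virus" case the original poster reported.
    $leaf = Split-Path -Leaf $File
    $report.DefenderDetections = @(
        Get-MpThreatDetection -ErrorAction SilentlyContinue |
            Where-Object { ($_.Resources -join ';') -like "*$leaf*" } |
            ForEach-Object {
                $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    When      = $_.InitialDetectionTime
                    Threat    = $threat.ThreatName
                    Resources = $_.Resources
                }
            }
    )

    [pscustomobject]$report
}

Get-DownloadReport -File $Path | Format-List
```

An empty `DefenderDetections` list together with `Signature : NotSigned` corresponds to the SmartScreen case; a populated list with `Present : False` corresponds to a quarantine.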