You have a sha miss, which means the installer has been compromised, presumably on a CDN. Why haven’t you removed the installer?
Not trying to be rude, just honestly asking for the sake of myself and others who probably know very little about software development and publishing, virus creation and virus protection:
what makes you so certain that the installer is compromised?
- What is an “SHA miss”?
- What is “BackDoor:Win32/Bladabindi!ml”?
- From what field of experience, education, or source documentation do you make these claims?
Once again, this is being asked from ignorance, but I asked these things because:
- No one wants their stuff hacked.
Yet…
- No one wants to wait on installing bug fixes just because some guy says it’s dangerous. You may have read an article about viruses and think you know what you’re talking about, and are sharing misguided opinions on the matter. You may even be a troll.
With such a claim, it may be helpful for the community if you would follow up the claim with some strong evidence so we can make informed decisions, or not warn us at all; we have no idea if you know what you’re talking about.
I get the same message, but with another file being quarantined.
I uploaded the file to virustotal.com and it didn’t generate a warning.
What’s up with this? I can’t recall this being an issue previously.
I have written software for a living, specialising in security for large financial companies, for over 20 years. I know what I’m talking about.
That’s the kinda stuff we want to hear. Thanks!
In my humble opinion - I’m not a programmer or security expert …
During the installation the installer extracts the file to a temporary location; then, because MS Defender “thinks” there is a backdoor, it removes this file from that location. Obviously the installer cannot check the MD5 of the missing file. So it is not an MD5 miss, but the entire file is missing.
I think there is a huge difference between
“MD5 checksum failed”
versus:
“MD5 check failed”
That is one possible and admittedly likely answer. However, couple that with the visual bugs of the installer itself, and the very low probability of it being a false positive. The answer is not to disable your antivirus software. The answer is to remove the update. Fix the issue, even if it’s to identify why it might be a false positive, and change the code.
I have to agree with you, but only with the small modification above.
For what it’s worth, I tried submitting the installer for review as a false positive after receiving the same detection as erlend.itland.FS - Trojan:Win32/Casdet!rfn.
Due to the size of the installer archive it looks like Microsoft won’t review the file.
Why does this only happen for some of the Windows users and not all? I installed it with no warnings etc. as have many others. (My Windows 10 install is up to date.)
The installer executable is not the file that is getting quarantined. It is the "SketchUp 2023.msi" file that is extracted to the path:
"%LocalAppData%/Downloaded Installations/{03CB7BC4-3C9C-452B-BFD7-1C3616BE96BD}"
Yeah, you’re right I did think that as soon as I’d posted. Think I’ll stick with the web version for the time being until there is an official update.
VirusTotal report from the detected .msi: https://www.virustotal.com/gui/file/fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a/details
Though there are no detections in the file itself, there are three bundled files and one dropped file that do have one VT vendor detection each (check the details tab):
- Skp2VRML.DLL - signed (Jiangmin detects as Trojan.Generic.glofj)
- MSI61DE.tmp - signed (SecureAge detects as Malicious)
- an unnamed, unsigned CAB file (Jiangmin detects as Trojan.Generic.glofj)
- ISRegSvr.dll - unsigned (SecureAge detects as Malicious)
This is likely what is driving Defender to quarantine the .msi during the install. It is incumbent upon SketchUp to resolve these issues with Microsoft if they are false positive detections. You should take any antivirus detection seriously. It is not impossible for genuine software distribution channels to be compromised by external parties (remember SolarWinds?). Until this is resolved, we cannot allow this on our network, and you should exercise extreme caution when considering your options.
@Mark @travis1 @colin @WebHorst
What is happening with your false positive submission to Microsoft please?
Windows Defender is still detecting SketchUp 2023.msi as Trojan:Win32/Casdet!rfn
We are showing the SHA256 hash: fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a
Can you compare this with the hash value that you have from a local copy of the file from the Dev team to ensure that the file hasn’t been tampered with between publishing and delivery?
We have registered users that rely on this software, but are prohibited from installing the latest version due to this detection. Please keep us updated here. If it is a false positive, please indicate what Windows security definitions update package will resolve this once you have been informed by Microsoft (they should tell you once they have verified it as a false positive).
We will get back to you shortly. Thanks for raising this up again.
I will leave Travis to answer your main points.
For the interest of other people who hit this issue, I hit it yesterday as well. I found that I only needed to turn off Real-time protection, in Virus & threat protection settings, just long enough for the SketchUp installer to run. Then I turned it back on again. I know that’s still unfortunate, but it felt safer than turning off all protection.
We are reaching out to NotAnEndUser1 directly.
@NotAnEndUser1 – We have confirmed that the SHA256 hash of our internal development version matches your hash value.
Specifically, on a Virtual Machine I installed SketchUp using our development version of the installer that became the 2023.0.1 released version, and then examined the “…\AppData\Local\Downloaded Installations*\SketchUp 2023.msi” file. Its SHA256 hash matches yours:
{
'SketchUp 2023-DevBuild124onCleanVM.msi': 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a',
}
That .msi file was then submitted for analysis to VirusTotal, which also confirmed the hash and returned a result saying “No security vendors and no sandboxes flagged this file as malicious”.
The SHA you are seeing is our 2023 RC0 installation, so is a valid SHA.
We have provided our files to Microsoft Security Intelligence to scan for false positives. The scans are showing no detections. We are attempting to escalate this to MSFT directly. The online scans are scanning with definitions 1.385.793.0. Can you confirm which Defender version (10, 11 or SmartScreen) and definition is detecting the installer’s MSI? We can pass this information along to MS.
@Mark @travis1 @colin @WebHorst
It’s Microsoft Defender on Windows 10 that is detecting it on our end.
It has been detected as two different threat types (a trojan and a backdoor) during separate incidents.
I have attached screenshots (if they upload correctly)
As you have confirmed the hash match to the Dev version, I will allow AV to be momentarily paused during install of the software. It is interesting that there are no VT vendors that detect it. I am sure that the issue is with the unpacked files I detailed above which each have 1 detection in VT. Please keep us updated when Microsoft have resolved the issue. Thank you for your attentive response.
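The hash comparison the thread settles on (the extracted "SketchUp 2023.msi" under %LocalAppData%\Downloaded Installations checked against the SHA256 the vendor confirmed), as an added PowerShell example that is not from any poster in this thread; it assumes the MSI is still on disk and that the Defender cmdlets are available on the machine:

```powershell
# Added example, not from the thread. Expected hash is the value SketchUp confirmed above.
$ExpectedSha256 = 'fce31ed1db5688197aa911e0f3a2442c665c727911968d34611dec06f22ee29a'
$SearchRoot     = Join-Path $env:LOCALAPPDATA 'Downloaded Installations'

# The installer drops the MSI into a GUID-named subfolder; search rather than hard-code the GUID.
$msi = Get-ChildItem -Path $SearchRoot -Filter 'SketchUp 2023.msi' -Recurse -File -ErrorAction SilentlyContinue |
       Select-Object -First 1
if (-not $msi) {
    Write-Warning "SketchUp 2023.msi not found under $SearchRoot (Defender may already have quarantined it)."
    return
}

# 1. Integrity: does the on-disk file match the hash the vendor published?
$actual = (Get-FileHash -Path $msi.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -eq $ExpectedSha256) {
    Write-Host "SHA256 OK  : $actual"
} else {
    Write-Warning "SHA256 MISMATCH: expected $ExpectedSha256, got $actual. Do not install; report to the vendor."
}

# 2. Authenticity: report the Authenticode status and signer, if the MSI is signed at all.
$sig = Get-AuthenticodeSignature -FilePath $msi.FullName
Write-Host ("Signature  : {0} ({1})" -f $sig.Status, ($sig.SignerCertificate.Subject ?? 'unsigned'))

# 3. Evidence: list Defender detections that reference this file, with the definition version in use.
Write-Host ("Definitions: {0}" -f (Get-MpComputerStatus).AntivirusSignatureVersion)
Get-MpThreatDetection |
    Where-Object { $_.Resources -like '*SketchUp 2023.msi*' } |
    Select-Object ThreatID, InitialDetectionTime, Resources |
    Format-Table -AutoSize
```

The hash match only shows the file is the one the vendor built; the detection history and definition version are what Microsoft needs for a false-positive submission, which is why both are printed together.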