[plip]

I opened JD2 with no problem. All I did was check on something, I didn't download anything or even add anything to linkgrabber. After I closed JD2, and it tried to get an automatic update, that failed and Windows Defender popped up a message that there was a security alert.

I went to the Windows Defender message and it said there's a severe alert:

Quote:

Trojan:Script/Sabisk.FL.A!ml

Alert Level: Severe
Status: Active
Date 2/20/2024
Category: Trojan
Details: This program is dangerous and executes commands from an attacker.

Affected items:
file (location)\JDownloader.jar
file (location)\tmp\update\self\JDU\JDownloader.jar

I have never had Windows Defender pop up a security alert for JD2 before. I haven't had any security alert from Defender of any kind in probably several years. This very much took me by surprise.

What should I do? Was JD2 compromised in some way? Is it a false positive? Is it safe to restore the files through Windows Defender?

Malwarebytes didn't find anything wrong scanning the folder, but Defender says that affected files are quarantined so I can't check those files with Malwarebytes without restoring them.

The JD2 update failure message said it could not copy JDownloader.jar from the tmp path because of MD5 missmatch (I'm guessing that's because of it being quarantined).

When I closed the JD2 update failure message, JD2 tried to update again and triggered the severe Defender security alert again.

What is going on?

[Jiaz]

@plip: Thanks for reporting this false positive. You can search/google for "Script/Sabisk.FL.A!ml" and find that many other applications also had false positives due the signature matching some bytes in that file. You should report/flag it as false positive in Windows Defender. The file is clean and in doubt, you can just replace it with JDownloader.jar from here https://jdownloader.org/download/index (see Others) and also delete Core.jar and the folders tmp and update to let JDownloader update itself.

Quote:

Originally Posted by plip

Is it a false positive? Is it safe to restore the files through Windows Defender?

Yes and Yes.

Quote:

Originally Posted by plip

The JD2 update failure message said it could not copy JDownloader.jar from the tmp path because of MD5 missmatch (I'm guessing that's because of it being quarantined).

JDownloader wants to update its JDownloader.jar file and that's being blocked by Windows Defender.

Maybe try to exclude JDownloader folder (not the download folder!). And try to report this somewhere/somehow as false positive

[plip]

I don't see a way in Windows Defender to report a false positive unfortunately.

Or a way to allow suspected threats or folders.

But after restoring the files in Defender, it's working correctly at least. I started JD2, checked for updates, then closed it and it started the autoupdate and gave no error or Defender warning.

[pspzockerscene]

I found the place where you can report MS defender false positives:
learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/defender-endpoint-false-positives-negatives?view=o365-worldwide
-->
microsoft.com/en-us/wdsi/filesubmission/
--> Select Home Customer -> Continue -> Fill in the form accordingly

Sadly you need to be logged in into an MS account to submit false positives.