I had a scare today. I sent my brother a C# MonoGame build of my own side project. We were testing various monitor framerates and resolutions (I have a 240 Hz Alienware laptop, and he has dual 120 Hz monitors).
He found something shocking. He couldn’t download (via Discord) because Windows Security found Trojan:Win32/Sabsik.TE.A!ml:
Sabsik is a pretty nasty virus!
Microsoft Security Intelligence:
“This threat can perform a number of actions of a malicious hacker’s choice on your PC.”
Searching for more information did not make me feel better:
“Sabsik can be instructed to download and run additional malware, and it’s possible that more malware is present. Also, it both can and does steal data and credentials (password, login info, etc.) and encrypt data on your computer, and asking for a ransom to decrypt it again, aka ransomware. It usually tries to open a backdoor too, giving the attacker remote access to your computer.”
Developers are accustomed to virus scanners finding false positives in their private developer builds. So I ran a scan on my own machine, but was shocked that there were no results:
We were both running Windows 10. But only one of the two computers was reporting this virus from the same executable.
We tried scanning other builds, and the findings were inconsistent between them. My computer reported no issues. My brother’s computer reported Sabsik for some and not for others. Since I am not building an executable with the virus inside of it, I thought maybe it was attaching itself after the build, having discovered the activity on this recently created file, and ignoring older builds that I had not been messing with.
I was now wondering if the virus had compromised my own machine’s ability to virus scan.
Windows Security Update Failure
We wondered what could be different between the two computers, so we decided to check the Windows Security versions. They were different! Mine had updated within the hour, and my brother’s had only updated 6 hours ago.
After updating both machines to the latest version:
The scan results disappeared.
A Windows Security update introduced this false positive, scaring who knows how many people out there, only to be fixed hours later.
I uploaded my build to VirusTotal for a meta scan, which uses several dozen virus scanners. One had a false positive for a different virus, and the rest showed no results found. None found Sabsik.
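As an added example (not from the original post), here is the same check carried out from an elevated PowerShell on each machine: record the Defender engine and signature versions, list what was detected for the file, update signatures, rescan just the build, and hash it so the result can be compared with a VirusTotal report. The build path is an assumed placeholder.

```powershell
# Added example, not the post's own code. Run in an elevated PowerShell.
# $BuildPath is a placeholder for the MonoGame build that was flagged.
$BuildPath = 'C:\path\to\MyGame.exe'

# 1. Engine and signature versions before doing anything else. Comparing these
#    two values between the two machines is the check that explained the
#    inconsistent results in the post.
$before = Get-MpComputerStatus |
    Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
Write-Host 'Before update:'
$before | Format-List

# 2. What Defender actually recorded for this file (detection id, time, action).
#    Returns nothing on a machine that never flagged it, which is itself a data point.
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape((Split-Path $BuildPath -Leaf)) } |
    Select-Object ThreatID, DetectionID, InitialDetectionTime, ActionSuccess |
    Format-List

# Map the ThreatID above to a readable name such as Trojan:Win32/Sabsik.TE.A!ml.
Get-MpThreat | Select-Object ThreatID, ThreatName | Format-Table -AutoSize

# 3. Pull the latest signatures and rescan only the build, then re-read versions.
Update-MpSignature
Start-MpScan -ScanType CustomScan -ScanPath $BuildPath

$after = Get-MpComputerStatus |
    Select-Object AMEngineVersion, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
Write-Host 'After update:'
$after | Format-List

# 4. SHA-256 of the build: look this up on VirusTotal instead of re-uploading,
#    and compare it with the hash of the copy the other machine received.
(Get-FileHash -Path $BuildPath -Algorithm SHA256).Hash
```

If the hashes differ between the two machines, the file changed in transit and the comparison of scanner versions is not yet meaningful.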