[Solved] Flint 2 - Windows Defender detects Virus in Firmware image?

@JerryZhao the 03-05 dated Beta firmware shows to be virus infected with a Trojan:Script called Wacatac.B!ml. Yes, this could be a false positive on a compressed file. Please check though. Please upload firmware without a virus.

2 Likes

I think that it's an isolated case. I downloaded 4.5.7 03-05 and my AV didn't even show a false positive. Here's a full scan also from VirusTotal:

Maybe try to check your own device? It might be a sign of something worse.

The anti-virus software scans the download. It is not scanning memory or HDD randomly. When it scans the download, it detects a trojan. So yeah, it is a problem with file openwrt-mt6000-4.5.7-0305-1709616562.bin

Can’t confirm. What AV do you use?

Are you sure that it's not the AV itself that was causing a problem? Mine also scans before saving the file. I also tried manually scanning it with my AV and also with the VirusTotal posted above, and it all comes clean.

1 Like

For me, this sounds like a false alarm. Normally, the AV wouldn’t scan the file into the necessary deep anyway. The firmware file is a tar.gz containing a squashfs - most AV will just ignore it.

I uploaded the squashfs to Virustotal, no alarms there.

Do you have 7zip or another program to check the checksum?

If you go to the download page and hover over the SHA512, it needs to match. If it doesn't, then either the file has been modified or something is happening on your side, which might be related to a trojan hijacking your connections and redirecting you to malware as a chain attack.

It can also be that the type of packing has been associated with a malware family; then it is just a false positive.

Though since I see no reports, not on VirusTotal either, your case might be more isolated, but that does not mean it is evil.

^ Also because I noticed another router in a different topic, I'm just holding off a little. Checksums are not a fix for everything; for automated attacks they are, but in case of compromise, no: they can put a new SHA512 there too.
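The checksum check recommended above, as an added example that is not part of the original thread: it streams a downloaded image through SHA-512, compares the result with the digest shown on the download page, and lists the archive members (the tar.gz holding a squashfs mentioned earlier in the thread). The file name, the `build_sample_image` helper and its archive layout are constructed stand-ins and do not reproduce the real image.

```python
import hashlib
import hmac
import io
import tarfile
from pathlib import Path


def build_sample_image(path: str) -> None:
    """Constructed stand-in for a downloaded image: a tar.gz with one fake squashfs member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = b"\x00" * 4096  # placeholder for the squashfs contents
        info = tarfile.TarInfo(name="sysupgrade-sample/root.squashfs")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    Path(path).write_bytes(buf.getvalue())


def sha512_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-512 so a large image never has to fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware(path: str, expected_sha512: str) -> bool:
    """True only if the local file's SHA-512 equals the digest published on the download page."""
    actual = sha512_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_sha512.strip().lower())


def list_image_members(path: str) -> list[str]:
    """Member names inside the tar.gz, i.e. the squashfs an AV scanner typically never inspects."""
    with tarfile.open(path, mode="r:gz") as tar:
        return [member.name for member in tar.getmembers()]


def flip_last_byte(path: str) -> None:
    """Simulate a modified download by flipping the final byte in place."""
    data = bytearray(Path(path).read_bytes())
    data[-1] ^= 0xFF
    Path(path).write_bytes(bytes(data))


if __name__ == "__main__":
    image = "sample-firmware.bin"
    build_sample_image(image)
    published = sha512_of_file(image)  # stands in for the digest from the download page
    print("members:", list_image_members(image))
    print("match before tamper:", verify_firmware(image, published))
    flip_last_byte(image)
    print("match after tamper:", verify_firmware(image, published))
```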

MS Windows security. If I bypass, and scan the file, I get the same result.

Could you please upload this file to some filesharing website and share the link with me by PM?
Thanks!

Did you download it from the GL website? Does the sha256 match?

Malware in the Amazon box, malware in the firmware image. Nurgh God somebody hold me

1 Like

:joy::rofl::sweat_smile::sweat_smile::rofl::joy::rofl::joy::sweat_smile::rofl::joy::sweat_smile::rofl::joy::sweat_smile::rofl::sweat_smile::rofl::rofl::joy::rofl::joy::rofl::joy::rofl:

1 Like

I get the threat warning immediately after starting the download. I have to click through to get it to download because the malware warning comes immediately. No other version of the firmware has done this. So basically, you just need to download the 03.05 file. If you don’t get a malware warning, you could be running a different anti-virus SW or earlier anti-virus signatures.

This doesn't make sense at all. The detected threat is an HTML "virus" for Windows; that's why it does not make sense that it is included in a Linux firmware. And as I said, no virus was detected by ANY AV.

In my opinion the issue is on your side. Maybe your connection or device is tampered with. In that case you should download the file (by ignoring the warning) and let us check it to get more details.

Nothing detected here, with Defender or Malwarebytes.

Same here, I checked with Eset Nod32 & Windows Defender. Uploading the extracted root files as a zip to VirusTotal also didn't reveal any viruses.

1 Like

I have the same problem, strange though, because with previous firmwares I never had any reports.
The AV is the same, Microsoft Defender. I'm also leaning towards a false positive, but it is indeed strange that it is only there for the 4.5.7 beta version.

The internet is full of reports about false positives for Wacatac.B!ml on entirely different programs that are not infected in any way.

So please disregard this message and update your antivirus patterns.

1 Like

I believe it does not match the sha256. Someone renamed