What to do when Windows Defender flags and Quarantines Reibirth After an update.

[mainsil]

Since its founding Rebirth has had bouts of conflict with Windows Defender, most recently with the Rebirth Issue 6: Dawn of Genesis has seen a spike of false positives.

You can check the validity of the flag by submitting the file to one or more of these services (there are probably more, but these are the ones I am aware of):

https://virusscan.jotti.org/
https://www.virustotal.com/gui/home/upload
https://analyze.intezer.com/scan
https://www.hybrid-analysis.com/


Depending upon your time available and risk tolerance there are two ways to fix the false positive:

• Just add an exclusion, potentially fixing the problem forever (do this at your own risk).  To do so follow instructions here: https://support.microsoft.com/en-us/windows/add-an-exclusion-to-windows-security-811816c0-4dfd-af4a-47e4-c301afe13b26
  
  
• This option is more work, but is safer and solves the issue for everyone.    Submit the offending file to https://www.microsoft.com/en-us/wdsi/filesubmission for analysis.  Microsoft will analyze and send you an email with their results and instructing you how to update the signature files.  Because they update their signature files, this will also help everyone else who downloads the update in the future.

[mainsil]

Just got another false positive Defender ping today and submitted rebirth.exe to MS.  The sandbox report from Hybrid-Analysis.com's report (link below) shows 1 malicious indicator.  Well above my knowledge level, but I think this may be what keeps triggering Defender.

The input sample contains a known anti-VM trick

details
    Found VM detection artifact "CPUID trick" in "sample.bin" (Offset: 5792427)
source
    Binary File
relevance
    5/10
ATT&CK ID
    T1497 (Show technique in the MITRE ATT&CK™ matrix)


Falcon Sandbox Report is found by clicking Bottom left green box in report here:
https://www.hybrid-analysis.com/sample/34013ba43c4ade6b882d162961a9886b296919fad75958a285fd160904140d0d