
Last week, I downloaded Kali Linux from the official https://www.kali.org/ website for educational purposes. I left the downloaded disc image (.iso) on my desktop. Yesterday, Windows Defender decided to run a quick scan and went through the Kali Linux .iso file. We know that anti-virus software usually does not like such hacking tools and considers them as threats.

So, Windows Defender reported 329 threats found (mostly Metasploit payloads), certainly all from the Kali Linux image.

I clicked the start recommended action button, but it seems to be stuck at the spinning wheel "removing threats".

Start recommended actions button

Here is a sample of threats that were found in the .iso file.

Found threats sample

The button "run actions" does not clear the history. If I deleted the .iso file, running another scan won't report any threats, but the history of the previous scan is still there.

Bottom list run actions button

I'm a bit worried that Windows Defender could have executed the malicious code contained in the Kali Linux .iso file on my computer, because I clicked on the "run recommended actions" button without knowing exactly how it gets rid of the threats found in the disc image. Actually, the threats found could not even be deleted; is it because they are in a disc image and Windows Defender can't delete them inside the image? Did it "copy" the malicious code onto my computer?

Now, Windows Defender always reports 329 threats found, even though I deleted the Kali Linux image. How can I securely, and in a clean way, clear the Windows Defender history?

Should I consider wiping all my hard disks and reinstalling Windows to be sure there isn't any malicious code installed on my computer from this disc image?

I have found a way to clear the Windows Defender history; it consists of deleting this folder: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service

Though, I'm not sure if it is a clean way to do that. What do you think about it?

Configuration: Windows 10 x64, build 1903

pmbonneau
  • Why do you think that anti-virus runs the viruses it finds? – schroeder Jun 06 '20 at 19:16
  • I doubt that's the case, but since I don't know exactly how the files have been read in the disc image or how the anti-virus gets rid of the threats, I still have the idea that some malicious code might have been executed somehow. Also, the administrative rights prompt when I clicked on "Show details" in the threats list scared me. – pmbonneau Jun 06 '20 at 19:33
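One way to check the worries in the question from the command line, as an added PowerShell example (not from the question or any answer): it uses the built-in Defender cmdlets to compare the ISO against its published hash, sort the recorded detections by whether their resource path lies inside the ISO, and list any threat Defender recorded as having executed. The ISO path, the published hash and the exact resource-string format are assumptions to adjust.

```powershell
# Added example, not part of the original post. Assumes the Defender PowerShell module
# that ships with Windows 10. Both values below are placeholders.
$IsoPath         = "$env:USERPROFILE\Desktop\kali-linux-installer-amd64.iso"   # placeholder path
$PublishedSha256 = "<paste the SHA256 shown on the kali.org download page>"     # placeholder hash

# 1. Integrity: detections on a genuine image are records of what Kali contains, nothing more.
if (Test-Path $IsoPath) {
    $actual = (Get-FileHash -Path $IsoPath -Algorithm SHA256).Hash
    if ($actual -ieq $PublishedSha256) { "ISO hash matches the published value." }
    else { "ISO hash MISMATCH: $actual" }
} else {
    "ISO not present at $IsoPath (already deleted?); skipping hash check."
}

# 2. History: Get-MpThreatDetection returns every detection Defender has logged, with the
#    resource(s) that triggered it. Assumption: a file found inside a container such as an
#    .iso carries the container's path in its resource string, so entries that do not
#    mention the ISO path came from somewhere else and deserve a closer look.
$detections  = @(Get-MpThreatDetection)
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$isoPattern = [regex]::Escape($IsoPath)
$inIso = @(); $outside = @()
foreach ($d in $detections) {
    if (@($d.Resources) -match $isoPattern) { $inIso += $d } else { $outside += $d }
}
"Detections logged: $($detections.Count); inside ISO: $($inIso.Count); elsewhere: $($outside.Count)"

$outside | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.InitialDetectionTime
        Threat    = $threatNames[$_.ThreatID]
        Resource  = (@($_.Resources) -join '; ')
        Succeeded = $_.ActionSuccess
    }
} | Format-Table -AutoSize

# 3. Execution and active state: MSFT_MpThreat records whether Defender saw the threat
#    run (DidThreatExecute) and whether it is still unresolved (IsActive). An empty list
#    here, with a matching hash, means the history entries are only records of the scan.
Get-MpThreat |
    Where-Object { $_.DidThreatExecute -or $_.IsActive } |
    Select-Object ThreatName, DidThreatExecute, IsActive, Resources
```

Run it from an elevated PowerShell prompt, since the Defender cmdlets need administrative rights to read the detection history.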

1 Answer


No, Windows Defender won't run executables inside an .iso image on "run recommended actions" (or in any other situation), and you can't infect your computer this way.

Yes, Kali Linux has plenty of malicious code on purpose, and the detections you get are surprisingly the same as in this article by Lawrence Abrams: Kali Linux Now in Windows Store, but Defender Flags Its Packages as Threats!

If you take a look at one of the detected threats details, you can clearly see that some of the Metasploit components are being detected by Windows Defender when we try to install it in Kali.

While it makes sense that Windows Defender will detect these programs as HackTools, because they are, it also makes it difficult to use Kali Linux in the Windows Subsystem for Linux.

For now, if you want to install Kali and its packages, you will need to disable the real-time protection of Windows Defender, which is not always a smart thing.

Likewise, a lot of alerts will be triggered if you try and apt-get upgrade your Kali Linux on a network that has firewall level IDS/IPS or a virus protection on an HTTP proxy, as all the malicious components are upgraded over plain HTTP.

Esa Jokinen