An ISO of 32-bit Windows 10 Professional (English version), downloaded from Microsoft's website by using Chrome's developer tools to spoof a ChromeOS signature so as to avoid using Microsoft's download tool, resulted in a Microsoft Defender alert for HackTool:VBS/InfoGather!MSR. The alert appeared during creation of a bootable Windows To Go USB through Rufus. Does this make any sense to anyone?

Downloaded from here https://www.microsoft.com/en-us/software-download/windows10ISO

Specific file E:\Windows\WinSxS\x86_microsoft-windows-n..sh-helper-extension_31bf3856ad364e35_10.0.19041.746_none_3b41ed21a85c3a71\gatherNetworkInfo.vbs

Let me know if I can share any additional info.

  • I don't see a potential false positive of a proprietary product as on-topic here. Not sure what is expected as an answer. Don't expect security tools to be perfect: they miss stuff (false negative) and they sometimes complain about seemingly innocent stuff (false positive). Unfortunately, distinguishing between good and bad is really hard. – Steffen Ullrich Dec 17 '21 at 20:17
  • That's a VBS script designed to gather network info. It's perfectly valid that that would get flagged. It's fine, but also valid that it gets flagged. – schroeder Dec 19 '21 at 09:39

1 Answer

The best way to verify whether the image is legitimate is to check the SHA-256 hash of the ISO as provided by Microsoft's download site. Whenever a website provides a strong cryptographic hash or strong digital signature, it's prudent to check it to be sure that the data you've gotten is the data that the vendor provided.

Assuming that the hashes match, there are a couple of possibilities, in rough likelihood of occurrence:

  • This is a false positive, and Defender is flagging it falsely.
  • Your system has been compromised and the file, while correct in the ISO, has been modified on your system by malware.
  • Microsoft's download site has been compromised and both the hash and ISO have been tampered with.

If the hashes do not match, then the only safe thing to assume is that the data has been modified by an unauthorized party, and you should avoid using the data and report it to Microsoft (as the vendor).

If you're unsure about how to check the hash, you can use sha256sum on the file from a WSL or Git Bash environment, and I believe PowerShell also provides a way to verify this.
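The hash check the answer describes, as an added example rather than the answerer's own code: a small POSIX shell script that compares a file's SHA-256 against the value copied from the vendor's download page. It assumes `sha256sum` (coreutils, present in WSL and Git Bash) with a fallback to `shasum -a 256`; the file and hashes in the demo are constructed here, not Microsoft's published values. Published hashes are often upper case and sometimes carry stray whitespace when copied, so the comparison normalises both sides first.

```shell
#!/bin/sh
# Added example (not from the original answer): verify a downloaded file
# against a vendor-published SHA-256. The demo file and hashes below are
# constructed for illustration; for a real ISO, paste the hash shown on
# the download page for the exact file you fetched.

# Print the SHA-256 hex digest of a file using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Lower-case and strip whitespace so a hash copied from a web page
# ("ABCD ...", possibly with a trailing newline) compares equal to tool output.
normalise_hash() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'A-F' 'a-f'
}

# verify_sha256 FILE EXPECTED_HASH
# Returns 0 on match, 1 on mismatch, 2 if the file is missing.
verify_sha256() {
    file=$1
    expected=$(normalise_hash "$2")
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches published SHA-256"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo on a constructed file whose digest is known (SHA-256 of "hello\n").
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    good='5891B5B522D5DF086D0FF0B110FBD9D21BB4FC7163AF34D08286A2E846F6BE03'
    bad='0000000000000000000000000000000000000000000000000000000000000000'
    verify_sha256 "$tmp" "$good"                 # matches despite upper case
    verify_sha256 "$tmp" "$bad" || echo "(mismatch reported as expected)"
    rm -f "$tmp"
}

demo
```

Treat a mismatch as the answer says: do not use the image, and do not rationalise a "close" hash. A single differing hex digit means a different file.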
