Windows Defender threat detections relating to LODA
Author | Message |
---|---|
Joined: 11 Feb 23 Posts: 4 Credit: 2,711,824 RAC: 281 |
I have seen several threat detections from Windows Defender this morning relating to LODA. Detected: Trojan:Win32/Commandrob.A!ml. Status: Removed. Details: This program is dangerous and executes commands from an attacker. Affected items: CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo C:\ProgramData\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\065\b065449.txt.gz http://api.loda-lang.org/miner/v1/oeis/b065449.txt.gz`. Windows Defender has removed about 45 of these. Many work units have error while computing, and looking through the tasks, several other users' PCs have errored out on the same tasks. Anybody else seen this on their systems? Any ideas what is going on? |
Joined: 9 May 22 Posts: 272 Credit: 470,087 RAC: 229 |
The curl command is part of Windows. LODA is executing it to fetch data. I checked the file b065449.txt.gz on the server and didn't find anything suspicious. |
Joined: 14 May 22 Posts: 3 Credit: 4,032,624 RAC: 8,873 |
I've seen exactly the same thing. |
Joined: 26 May 22 Posts: 2 Credit: 235,320 RAC: 391 |
"I have seen several threat detections from Windows Defender this morning relating to LODA" Me too: since tonight I have had the same reports from Windows Defender 30 times and sent 5 WU errors, on other files: CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\168\b168692.txt.gz http://api.loda-lang.org/miner/v1/oeis/b168692.txt.gz` CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\031\b031718.txt.gz http://api.loda-lang.org/miner/v1/oeis/b031718.txt.gz` CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\193\b193349.txt.gz http://api.loda-lang.org/miner/v1/oeis/b193349.txt.gz` CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\205\b205120.txt.gz http://api.loda-lang.org/miner/v1/oeis/b205120.txt.gz` CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\107\b107078.txt.gz http://api.loda-lang.org/miner/v1/oeis/b107078.txt.gz` CmdLine: `C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\167\b167935.txt.gz http://api.loda-lang.org/miner/v1/oeis/b167935.txt.gz` Isn't there a risk that the server has been infected? |
Joined: 9 May 22 Posts: 272 Credit: 470,087 RAC: 229 |
There are no indications that the server has been infected. It is very likely a false positive. You can find more background info here: https://gridinsoft.com/blogs/trojan-win32-commandrob-aml-remove/. The reason might be that it is using an unsecured connection. We will try to switch to a secure connection, but it is not clear whether this will make the alert disappear. |
Joined: 9 May 22 Posts: 272 Credit: 470,087 RAC: 229 |
The new app version 250131 uses a secure connection. Please check if this problem still occurs with the new version. |
Joined: 11 Feb 23 Posts: 4 Credit: 2,711,824 RAC: 281 |
Tried to test the new version to see if it stops the trojan warnings, but all the work units just error out within 15 seconds. Looking at the workunit details, there are up to 4 other machines that error out with a warning "Too many errors (may have bug)". Example: https://boinc.loda-lang.org/loda/workunit.php?wuid=8730950 |
Joined: 9 May 22 Posts: 272 Credit: 470,087 RAC: 229 |
Please try resetting the project. I suspect that your project directory got corrupted due to the previous errors. |
Joined: 11 Feb 23 Posts: 4 Credit: 2,711,824 RAC: 281 |
"Please try resetting the project. I suspect that your project directory got corrupted due to the previous errors." Thank you, that fixed the error issues. "The new app version 250131 uses a secure connection. Please check if this problem still occurs with the new version." I have done 50-odd workunits without any Trojan warnings; the new app version works a treat. Thank you again. |
Joined: 11 Feb 23 Posts: 4 Credit: 2,711,824 RAC: 281 |
Unfortunately the constant errors and threat warnings have returned, now reporting Trojan:Win32/Bearfoos.A!ml. Affected items: file: `C:\ProgramData\BOINC\projects\boinc.loda-lang.org_loda\loda-250131-windows.exe` |
Joined: 9 May 22 Posts: 272 Credit: 470,087 RAC: 229 |
This should be another false positive. See also the discussion here: https://www.reddit.com/r/cemu/comments/15s6d95/what_about_a_trojanwin32bearfoosaml/?rdt=54528. If it is acceptable for you, you can add the LODA/BOINC project folder to the exception list of Windows Defender to ignore the warning. |
Joined: 26 May 22 Posts: 2 Credit: 235,320 RAC: 391 |
For information, at the moment on my PC the new application has updated and has completed 5 WUs; I have not had any warnings from MS Defender and I have not reset the project. |
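
The flagged `CmdLine` values quoted in this thread can be triaged mechanically. The following is an added example (not LODA's or BOINC's code, and not Defender's detection logic) that checks each one against the download pattern visible in the posts. The expected host, project directory name and bucket layout are assumptions inferred from those command lines, and the HTTPS and `files.example.invalid` samples are constructed.

```python
import re
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Assumptions inferred from the command lines quoted in the thread.
EXPECTED_HOST = "api.loda-lang.org"
PROJECT_DIR = "boinc.loda-lang.org_loda"
# Restricting the character classes rejects shell metacharacters (&, |, >, quotes).
CMD_RE = re.compile(
    r"^C:\\Windows\\System32\\cmd\.exe /c curl -fsSLo "
    r"(?P<dest>[\w:\\/.-]+) (?P<url>[\w:/.-]+)$", re.IGNORECASE)

def triage(cmdline):
    """Return findings for one Defender 'CmdLine' value; an empty list means
    it fits the expected download pattern and uses HTTPS."""
    m = CMD_RE.match(cmdline.strip())
    if not m:
        return ["unexpected command shape"]
    findings = []
    url = urlsplit(m["url"])
    dest = PureWindowsPath(m["dest"])  # splits on both \ and /
    if url.hostname != EXPECTED_HOST:
        findings.append(f"unexpected host {url.hostname}")
    if url.scheme != "https":
        findings.append("plain HTTP: no transport integrity for the download")
    if PROJECT_DIR not in dest.parts or ".." in dest.parts:
        findings.append("destination outside the project directory")
    if dest.name != url.path.rsplit("/", 1)[-1]:
        findings.append("destination file name differs from URL file name")
    if not re.fullmatch(r"b\d{6}\.txt\.gz", dest.name):
        findings.append("file name is not a b-file of the form bNNNNNN.txt.gz")
    elif dest.parent.name != dest.name[1:4]:
        findings.append("bucket directory does not match the sequence number")
    return findings

SAMPLES = {
    "from_thread": r"C:\Windows\System32\cmd.exe /c curl -fsSLo C:\ProgramData\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\065\b065449.txt.gz http://api.loda-lang.org/miner/v1/oeis/b065449.txt.gz",
    # Constructed: same command with an https URL (hypothetical, not shown on the page).
    "constructed_https": r"C:\Windows\System32\cmd.exe /c curl -fsSLo D:\BOINC/projects/boinc.loda-lang.org_loda\oeis\b\168\b168692.txt.gz https://api.loda-lang.org/miner/v1/oeis/b168692.txt.gz",
    # Constructed: same shape, but a different host and destination.
    "constructed_odd": r"C:\Windows\System32\cmd.exe /c curl -fsSLo C:\Users\Public\b065449.txt.gz http://files.example.invalid/b065449.txt.gz",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, triage(line) or "matches expected pattern")
```

An empty result only says the command line fits the expected shape; it does not vouch for the content of the downloaded file or of the flagged executable.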
©2025 LODA Language