Windows Server 2019 sees nc.exe as a virus

[claudiubelu]

Trying to use this nc.exe on a Windows Server 2019 node yields the following output:

wget https://github.com/diegocr/netcat/raw/master/nc.exe -OutFile nc.exe
.\nc.exe --help
Program 'nc.exe' failed to run: Operation did not complete successfully because the file contains a virus or
potentially unwanted softwareAt line:1 char:1
+ .\nc.exe --help
+ ~~~~~~~~~~~~~~~.
At line:1 char:1
+ .\nc.exe --help
+ ~~~~~~~~~~~~~~~
    + FullyQualifiedErrorId : NativeCommandFailed

Strangely, this was not happening before.

[abbbhucho]

As per 2-spyware.com and Norton "nc.exe is a process which is responsible for writing to and reading from network connections by NetCat. This Computer network utility is using Transmission Control Protocol (TCP) which allows completing numerous different actions. NetCat is considered to be a back-end which can be managed by other programs or used directly. Even though TCP/IP employed by nc.exe is used for network testing, software capabilities might be abused by the cybercriminals."

thus besically nc.exe can be used as a backdoor

[porteusconf]

TL/DR: Seems likely that nc.exe and ncat.exe will always be seen by MS and AV as threat/risk on windows10/11/server. The reason seems only to be "Potentially Unwanted Behavior", perhaps related to software license defeat schemes. So issue#6 seems likely to remain open for a long time and/or be closed-won't fix.

Work-around 1. Try adding as exception.

You can try "allowing" nc.exe as an exception, but for at least one user, it seems the exception expires and the exact same unchanged nc.exe gets re-quarantined regularly, per https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/any-chance-that-quot-ncat-quot-doesn-t-get-rated-as-threat/m-p/1171947 .

So this work-around would be to add the exception, and perhaps re-lobby MS to quit re-quarantining a particular nc.exe signature. But note that MS has been flagging nc.exe as a risk since 2007, even with the "-e" option removed.

Work-around 2. Use linux.

Or if see if windows allows nc to run inside WSL or a virtual linux machine. I've not attempted yet.

Longshot: try to find out if anything we could change in nc.exe to avoid being flagged as threat.

We could try to find out from MS or AV folks if there were additional changes in addition to the removing the "-e" option that might remove a (signed?) nc.exe it from the threat list. (Does windows have any signing/approval schemes for developers, perhaps like those in macos and ios?) Some sort of sandbox possible?

BTW the nc.exe I saw quarantined for first time today was obtained by choco install netcat over a year ago. Note the choco folks do link to dozens of av detections at https://community.chocolatey.org/packages/netcat#virus and say

Moderators do not necessarily validate the safety of the underlying software, only that a package retrieves software from the official distribution point and/or validate embedded software against official distribution point (where distribution rights allow redistribution).
Chocolatey Pro provides runtime protection from possible malware.

And choco lists this github site as "Software Source":

choco info netcat
netcat 1.12 [Approved]
 Title: Netcat | Published: 8/16/2018
 Package approved by Pauby on Aug 17 2018 10:40:57.
 Package testing status: Passing on Aug 16 2018 13:06:20.
 Number of Downloads: 38750 | Downloads for this version: 38750
 Package url
 Chocolatey Package Source: n/a
 Package Checksum: 'qM4siEkryVPW2ywCFxQ5XsY/0fiP/P+lcoudF/9pyhMGS9K1QIcPfRHbGRXwC3Xai+iSXAC0SaPIL3Jv2aKDxQ==' (SHA512)
 Tags: Netcat networking windows connections TCP UDP
 Software Site: http://netcat.sourceforge.net/
 Software License: https://github.com/diegocr/netcat/blob/master/license.txt
 Software Source: https://github.com/diegocr/netcat/
 Summary: Netcat is a computer networking utility for reading from and writing to network connections using TCP or UDP.
 Description: Netcat (often abbreviated to nc) is a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of connection its user could need and has a number of built-in capabilities.
 Release Notes: https://github.com/diegocr/netcat/blob/master/readme.txt
1 packages found.
C:\Windows\system32> ver
Microsoft Windows [Version 10.0.17763.1339]

So if this github site, in future hosted a nc.exe that was not flagged as a threat, then choco install netcat should be a safe way to install it. Some of the AV detections appear to be trojaned nc.exe payloads in some malware.

But even if nc.exe (or ncat.exe) is added to exception list, behavior based security software like crowdstrike still blocks execution of nc.exe and ncat.exe (at least on my laptop). In fact, crowdstrike blocked every solution offered at this website: https://superuser.com/questions/14501/are-there-netcat-like-tools-for-windows-which-are-not-quarantined-as-malware For example, crowdstrike blocked 2011-era ncat-static from https://nmap.org/dist/ncat-portable-5.59BETA1.zip