Wrong Icon for "Synchronize dirs" Window sine TC Version ?

[ghisler(Author)]

Yes, I was! Unfortunately Windows Defender has deleted the icl as a false positive of "Win32.Wacatac" virus. But Virustotal finds nothing:
https://www.virustotal.com/gui/file/29def3dfcdabb9b6f66decf4efb53ed019287d074feb331b1299a4635f4913aa?nocache=1

[white]

Unfortunately Windows Defender has deleted the icl as a false positive of "Win32.Wacatac" virus.

Not confirmed.

[Sir_SiLvA]

Lister, Compare by content and Synchronize dirs always use the internal icon. They all use the exact same function to load it, so I have no idea what's going wrong in 32-bit for Synchronize dirs only.

mh... that seems to be wrong if I create an icl and use that, doesnt it?

Yes, I was! Unfortunately Windows Defender has deleted the icl as a false positive of "Win32.Wacatac" virus. But Virustotal finds nothing:
https://www.virustotal.com/gui/file/29def3dfcdabb9b6f66decf4efb53ed019287d074feb331b1299a4635f4913aa?nocache=1

Thats strange I just threw some icons together with the icl packer addon from here: http://totalcmd.net/plugring/iclread.html
And on Virustotal I get 99.9% finds nothing except M*soft says Program:Win32/Wacapew.C!ml just for that icl

anyway heres a 7z archive just with the icons so you can make the icl yourself:
https://zippysha.re/y7B2R2vdz0/tc_icons_in_correct_order_My_Icons_7z

[AntonyD]

2Sir_SiLvA
ICL - is in fact an EXE file. so very purely theoretically you could push in the virus there, along with icons)))

[Sir_SiLvA]

2Sir_SiLvA
ICL - is in fact an EXE file. so very purely theoretically you could push in the virus there, along with icons)))

you sure? An ICL file is an icon library used by Windows operating system. It contains multiple versions of the same icon saved in Dynamic Link Library (DLL) format with different resolutions and color depths

[AntonyD]

you sure?

Ok - it seems it was not worth it to describe the similarity so rudely. BUT fundamentally - these types of files have a lot of the same PE sections (like .rsrc), and if you really want to, then the ICL file slipped to you will just look like a library and show icons, but in fact be a malicious executable file. And all thanks to some fundamental similarities. Yes, there is no 1-in-1 match. But there are many overlaps.
Now, if the difference were sooooo obvious - like for example between exe & pdf files. Then it would be a different matter.

[ghisler(Author)]

Total Commander loads icon libraries with the flag LOAD_LIBRARY_AS_DATAFILE, so no code will be executed. It's strange that Windows defender still reports it as a virus the moment I load it (but not when just viewing it with F3!). I tried submitting it to Microsoft as a false positive, but it was rejected as "too many files" although it's just a single icl file...

[white]

It's strange that Windows defender still reports it as a virus the moment I load it (but not when just viewing it with F3!).

How can I test that?

[Sir_SiLvA]

mayhaps defender doesnt like 256x256 compressed Icons?
and yes its just once icl but 58 icons with some having 11 or 12 variations

[ghisler(Author)]

How can I test that?

1. Download the icl with a Web browser so it has the "Downloaded from another computer" set in properties (I don't know whether is is required).
2. Add this line to wincmd.ini:
iconlib=c:\download path\My_Icons.icl
3. Close and re-open Total Commander 32-bit.
-> I'm getting the virus warning immediately.

[white]

Not confirmed, but I did unblock the file before (I don't know if that is relevant). If I download the file again and try with the Downloaded from another computer block, it still doesn't happen.

What happens if you rightclick the file in Explorer or TC 64-bit and choose Scan with Microsoft Defender?

My current antivirus definition version:

Version Security Intelligence: 1.391.1196.0

Windows Update history:
Security-update for Microsoft Defender Antivirus - KB2267602 (versie 1.391.1196.0)

[ghisler(Author)]

It's odd, now I'm not getting it any more. Maybe they fixed it after i sent them the file...

But the icon problem in Synchronize dirs still occurs...