Windows (10) Defender message

Hello,

I’m using Cryptomator 1.4.15 with Dokany for a while now. Today I got a message from Windows Defender about a “Backdoor:ASP/WebShell.E” in element “boot: \Device\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx” instead of a file. The windows event history shows some more details in two entries naming “Cryptomator.exe” (in German):

Windows Defender Antivirus hat Schadsoftware oder andere potenziell unerwünschte Software erkannt.
Weitere Informationen:
https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/WebShell.E&threatid=2147694140&enterprise=0
Name: Backdoor:ASP/WebShell.E
ID: 2147694140
Schweregrad: Schwerwiegend
Kategorie: Hintertür
Pfad: boot:_\Device\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Erkennungsursprung: Lokaler Computer
Erkennungstype: Konkret
Erkennungsquelle: Echtzeitschutz
Benutzer: xxxxxxxxxxxxx
Prozessname: C:\Program Files\Cryptomator\Cryptomator.exe
Sicherheitsversion: AV: 1.313.1065.0, AS: 1.313.1065.0, NIS: 1.313.1065.0
Modulversion: AM: 1.1.16900.4, NIS: 1.1.16900.4

Windows Defender Antivirus hat Maßnahmen ergriffen, um den Computer vor Schadsoftware oder anderer potenziell unerwünschter Software zu schützen.
Weitere Informationen:
https://go.microsoft.com/fwlink/?linkid=37020&name=Backdoor:ASP/WebShell.E&threatid=2147694140&enterprise=0
Name: Backdoor:ASP/WebShell.E
ID: 2147694140
Schweregrad: Schwerwiegend
Kategorie: Hintertür
Pfad: boot:_\Device\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Erkennungsursprung: Lokaler Computer
Erkennungstyp: Konkret
Erkennungsquelle: Echtzeitschutz
Benutzer: NT-AUTORITÄT\SYSTEM
Prozessname: C:\Program Files\Cryptomator\Cryptomator.exe
Aktion: Quarantäne
Aktionsstatus: No additional actions required
Fehlercode: 0x00000000
Fehlerbeschreibung: Der Vorgang wurde erfolgreich beendet.
Sicherheitsversion: AV: 1.313.1065.0, AS: 1.313.1065.0, NIS: 1.313.1065.0
Modulversion: AM: 1.1.16900.4, NIS: 1.1.16900.4

Do you have any idea what this is about? Is the “boot: \Device\Volume{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx” device some hidden device used by Dokany? There is no file in quarantine, I don’t know where Windows Defender found the Backdoor or thinks to have found one.

Thanks

No. This is the Dokany Device object for all mounted vaults. For more info about devices and device object, have a look at the Microsoft documentation.

My thoughts are, that you can’t find a file in quarantine, since the given path is not a file system path and therefore the referenced object not a file.

User @linkingpin also mentioned a Windows 10 Defender message, see First Beta of Cryptomator 1.5.0 - #25 by linkingpin. A reboot solved this problem. Please report back if this issue persists, then we need to discuss this with the dokany developers.

Thanks for your reply.

After the next reboot all is working fine as everytime before. No message from Windows Defender.

The one time with the message, the vault was also mounted successfully, maybe Windows Defender detected some false positive after/while mounting I think. At first I was worried about Defender could have deleted some file in the vault, but Google’s sync client didn’t sync anything after the initial master key file, so I think the vault should be untouched from Windows Defender.

Had the same issue but with “Backdoor:PHP/Dirtelti.SOC” this time, also found on “boot: device”. After googling a bit I found only this thread useful, since I’m also an user of cryptomator. Is there a way to find out which file exactly this was or is it more likely a false positive?