I recently downloaded the latest version of PingCastle and, as part of our routine checks, submitted it to VirusTotal for analysis. Interestingly, 15 out of 71 security vendors flagged the file as malicious.
Are you aware of this issue?
It’s likely a false positive, considering PingCastle is a legitimate tool commonly used for Active Directory security assessments. However, it’s worth noting that it is also frequently leveraged by threat actors for reconnaissance, which may explain why some vendors classify it as suspicious.
Please let me know if you have any insights or if further investigation is needed.
Hi there, you are not alone. We initially thought this was due to our implementation of Fody Weavers that started in PingCastle 3.3 but it seems something else is tripping it up.
The development team has submitted it to Microsoft for review and is actively looking through the history and previous builds to see if we can find the root cause.
From the community and GitHub we have seen that Defender appears to be classing it as a Trojan and Bitdefender was showing it as a Potentially Unwanted Application (PUA).
It is worth noting that we do run Defender as a part of the build and release process and it was not detected in those stages.
I will update here when we have more information for you.
Hi again, it is still a bit of an unknown, I am afraid. The engineering team have completed a thorough review of each released build since 3.2 and have not noticed any specific correlation with the detection from different vendors.
We have had no engagement from Microsoft, so we recently reached out to our account rep there. We also believe that we will need to reach out to the other vendors that flag it too; this will be an ongoing effort.
We are actively addressing recent antivirus detections of PingCastle. These are false positives caused by packaging and updater behaviors that resemble malware patterns. To resolve this, we are delivering changes in two stages to minimize disruption.
What We Are Doing
Packaging
Removing the changelog.txt file from the .zip package, which some AV engines misinterpret.
All release notes will now be documented directly on GitHub, with full detailed changelogs published in the Netwrix Community at community.netwrix.com.
Auto-Updater
Currently, PingCastleAutoUpdater.exe makes two calls on first run (GitHub API and release-assets.githubusercontent.com) to fetch updates, which can trigger AV detections.
We are changing this so the updater will only use the GitHub API to check the latest version, compare it with the local Pingcastle.exe, and download only when a new version is available. This streamlines the process and reduces unnecessary network calls.
Longer term, we may migrate downloads directly to Netwrix, but first we want to validate these changes.
Executable (Future Release)
We currently use Fody Costura to merge DLLs into Pingcastle.exe to keep deployment simple. However, malware authors also adopt this method, leading antivirus engines to flag executables packaged in this way.
To reduce false positives, we will remove Fody Costura and shift to a more standard file layout in a later release.
Release Plan & Next Steps
Release: 3.4.2
Changes:
• Packaging changes (no changelog.txt, GitHub + Netwrix Community for release notes)
• Auto-updater improvements (GitHub API only, downloads only when new version available)
Timing: Coming weeks

Release: 3.5
Changes:
• Removal of Fody Costura
• Requires extraction before use
• Pro/Enterprise: Pingcastle.exe moved into subfolder (Task Scheduler updated automatically where possible)
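The single-call update check described in the Auto-Updater section above (query the GitHub releases API once, compare the published version with the installed one, download only when the release is newer), written out as an added Python example. This is not PingCastle's own updater code, which is a .NET executable; the GitHub response body is constructed, the example.invalid download URL is a placeholder, and the fetch_latest helper is an assumption about how a caller would obtain the real response.

```python
"""Version-gated update check: one GitHub API call, compare against the
installed version, download only when the published release is newer.
Added illustration; not PingCastle's updater."""
import json
import re
import urllib.request
from typing import Optional

# Constructed stand-in for the fields a GitHub /releases/latest response carries.
SAMPLE_LATEST_RELEASE = json.dumps({
    "tag_name": "3.4.2",
    "assets": [
        {"name": "PingCastle_3.4.2.zip",
         "browser_download_url": "https://example.invalid/PingCastle_3.4.2.zip"},
    ],
})


def parse_version(text: str) -> tuple:
    """Turn '3.4.2' or 'v3.4.2' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_newer(remote: tuple, local: tuple) -> bool:
    """Compare after zero-padding so 3.4 and 3.4.0 are treated as equal."""
    width = max(len(remote), len(local))
    return remote + (0,) * (width - len(remote)) > local + (0,) * (width - len(local))


def zip_asset_url(release: dict) -> Optional[str]:
    """Pick the .zip asset from the release, if one is published."""
    for asset in release.get("assets", []):
        if asset["name"].lower().endswith(".zip"):
            return asset["browser_download_url"]
    return None


def update_decision(local_version: str, api_body: str) -> dict:
    """Decide whether a download is needed from one releases/latest body.

    Returns the latest published version and, only when it is newer than the
    installed one, the URL of the zip to fetch; otherwise url is None.
    """
    release = json.loads(api_body)
    remote = parse_version(release["tag_name"])
    local = parse_version(local_version)
    latest = ".".join(str(p) for p in remote)
    if is_newer(remote, local):
        return {"latest": latest, "download": True, "url": zip_asset_url(release)}
    return {"latest": latest, "download": False, "url": None}


def fetch_latest(repo: str = "netwrix/pingcastle") -> str:
    """Assumed online helper: fetch the releases/latest body for a repo.
    Not called by the offline example; shown for how a caller would wire it."""
    url = f"https://api.github.com/repos/{repo}/releases/latest"
    req = urllib.request.Request(url, headers={"User-Agent": "update-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline run against the constructed response body.
    print(update_decision("3.4.1", SAMPLE_LATEST_RELEASE))
    print(update_decision("3.4.2", SAMPLE_LATEST_RELEASE))
```

The point of the shape is that the network activity is reduced to exactly the two steps the post commits to: one read of the API, and a download only on the "newer" branch; an installation that is already current makes no second request at all, which is the behaviour the post says should look less like an unwanted dropper to AV engines.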