Cloudflared Tunnel Daemon False Positive in Windows Defender

Hey Everyone,

After doing a Windows Update, Windows Defender is falsely flagging the cloudflared binary as a Trojan. I checked the Defender logs and the definitions file for correlating data.

Here’s the Defender result:

[image: Defender detection result]

That also happened after I re-downloaded a fresh copy of the daemon (cloudflared-windows-amd64.exe).

Here’s the page with the definition: Trojan:Win32/Spursint.Q!cl threat description - Microsoft Security Intelligence

It’s an old definition (circa 2018), so I’m guessing that’s why it’s a false positive.

Here’s the release notes page for the latest Windows Defender update that began triggering the behavior: Antimalware updates change log - Microsoft Security Intelligence

Importantly, that’s the second most recent Windows Defender definition update. So I updated to the latest definition (1.353.411.0), re-downloaded the file and re-scanned it manually just to check.

As expected, the most recent update didn’t do anything to un-identify the file as malicious:

[image: Defender result after the latest definition update]

Of note, Windows Defender kicks in and flags it when attempting to SSH into a remote machine using cloudflared as a Proxy to connect to an Argo Tunnel:

Host example.domain.com
  ProxyCommand "C:\Users\paramdeo\bin\cloudflared-windows-amd64.exe" access ssh --hostname example.domain.com
  User root
  IdentityFile "C:\Users\paramdeo\.ssh\id_example-domain-com"

So I’m guessing the networking aspect of the daemon triggers some Trojan-like pattern that Defender is picking up as the false positive.

Currently, the workaround is to have Windows Defender exclude the binary and/or the folder where it runs from.
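Before applying that workaround, it is worth confirming that the file being excluded is actually Cloudflare's signed build and scoping the exclusion to that single file rather than a folder. The following PowerShell is an added example, not code from the original post or from Cloudflare; it assumes the binary path shown in the SSH config above and uses only the built-in Defender cmdlets.

```powershell
# Added example (not from the original post): check the cloudflared binary
# and Defender's own records before trusting it with an exclusion.
# Assumption: the path below is the one from the SSH config; adjust as needed.
$Binary = "C:\Users\paramdeo\bin\cloudflared-windows-amd64.exe"

# 1. Which signature version is Defender running? (the post mentions 1.353.411.0)
(Get-MpComputerStatus).AntivirusSignatureVersion

# 2. Is the file Authenticode-signed and is the signature intact?
$sig = Get-AuthenticodeSignature -FilePath $Binary
"{0}: {1} ({2})" -f $sig.Status, $sig.SignerCertificate.Subject, $sig.SignerCertificate.Thumbprint
if ($sig.Status -ne 'Valid') { throw "Signature not valid; do not exclude this file." }

# 3. Record the SHA-256 so the exclusion is tied to a known build of the tool
(Get-FileHash -Algorithm SHA256 -Path $Binary).Hash

# 4. Confirm what Defender actually reported about this path and threat name
Get-MpThreatDetection |
  Where-Object { $_.Resources -match [regex]::Escape($Binary) } |
  Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources

Get-MpThreat |
  Where-Object ThreatName -like '*Spursint*' |
  Select-Object ThreatID, ThreatName, SeverityID

# 5. Exclude only the verified file, not the whole folder (run as Administrator)
Add-MpPreference -ExclusionPath $Binary
(Get-MpPreference).ExclusionPath
```

A file-path exclusion covers just this binary; a folder exclusion would also silence detections on anything later dropped into that directory, so the narrower form is preferable.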