Rclone 1.5.6 - Windows finds Trojan:Win32/CryptInject!MSR

The latest Windows 10 AV definitions, released today for their AV software, are removing rclone, as they think rclone contains Trojan:Win32/CryptInject!MSR


Redownloaded 1.5.6; when trying to extract, Windows immediately removes rclone.exe

Guessing others are seeing the same issue(?). Saw a report on the rclone reddit.


hmmm,

has not happened to me yet...

there have been a few posts here in the forum and on the internet, about hackers using rclone.

after you whitelist rclone.exe, can you post rclone version

The 2nd Windows OS PC hasn't been hit 'yet'; copied the rclone.exe from there to the 1st Windows OS PC and BAM, Windows eats it too

version

After copying from PC 2 to PC 1, double-click on rclone.exe on PC 1 to force Windows to see it... then BAM

Had this issue just today too actually! Emailed Nick about it and he said to make a thread about it but it looks like you beat me to it.

rclone v1.56.0
- os/version: Microsoft Windows 10 Home 2009 (64 bit)
- os/kernel: 10.0.19043.1165 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.16.5
- go/linking: dynamic
- go/tags: cmount

The top-right text in this image used to say "Severe" before I did my workaround mentioned below:

My current (and terrible) workaround is to whitelist the program in Windows Defender, but I can only seem to whitelist ALL threats detected as Trojan:Win32/CryptInject!MSR. Oh dear

EDIT: This also kept happening with both my existing install of Rclone that I've had for weeks AND when I went to redownload the program again from the official website


You may whitelist the rclone folder (directory):

  1. Go to Start > Settings > Update & Security > Windows Security > Virus & threat protection.
  2. Under Virus & threat protection settings, select Manage settings, and then under Exclusions, select Add or remove exclusions.


Please temporarily whitelist rclone in defender and post here the output of

cd c:\dir\with\rclone
.\rclone.exe sha1sum .\rclone.exe
.\rclone.exe version

So we can compare with official checksums from rclone.org

D:\r>rclone.exe sha1sum rclone.exe
c00cfb456fc6af0376fbea877b742594c443df97 rclone.exe

D:\r>rclone.exe version
rclone v1.56.0

  • os/version: Microsoft Windows 10 Enterprise 2009 (64 bit)
  • os/kernel: 10.0.19043.1165 (x86_64)
  • os/type: windows
  • os/arch: amd64
  • go/version: go1.16.5
  • go/linking: dynamic
  • go/tags: cmount

Thank you so much! That's a much better solution than the default "ignore all Trojans" setting that Defender applied.

Alright, got that here:

PS C:\Users\g> .\Documents\RCLONE\rclone.exe sha1sum .\Documents\RCLONE\rclone.exe
c00cfb456fc6af0376fbea877b742594c443df97  rclone.exe

PS C:\Users\g> .\Documents\RCLONE\rclone.exe version
rclone v1.56.0
- os/version: Microsoft Windows 10 Home 2009 (64 bit)
- os/kernel: 10.0.19043.1165 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.16.5
- go/linking: dynamic
- go/tags: cmount

I downloaded a fresh version on my Windows 10 PC and got the same virus message so I feel pretty confident I have the binary from rclone.org.


welcome :slight_smile:

I've been using the same for Gdrive & rclone cache folders; no reason for Windows to scan cached files :slight_smile:

FBI - Indicators of Compromise Associated with OnePercent Group Ransomware

Rclone is listed

Microsoft Finds / Microsoft Removes


I'm here because I too am seeing that Windows Defender has removed rclone from my machine due to "Trojan:Win32/CryptInject!MSR". I've had rclone v1.5.6 sitting in the same folder for a few weeks now and it only now got picked up. If I had to guess, it's due to a recent report from the FBI, which includes rclone in a list of applications that "support legitimate purposes, they can also be used by threat actors to aid in system compromise or exploration of a victim company’s enterprise network." It continues to then include the file hashes of the rclone executable. I would include a link to the report but I'm guessing my newbie status is what is preventing that. Google "Indicators of Compromise Associated with OnePercent Group" (with quotes) to see the FBI report.

I'm seeing very little else about this on the old interwebs so I'm guessing this is just coming out in the latest Windows Defender definition updates.

I am not a security expert, but I'm also a little worried about some of the advice given previously to use rclone.exe sha1sum to get the hash of the rclone executable. When faced with possible malware, it seems unwise to execute the very file under suspicion. It seems better to use other tools, for example:

certutil -hashfile rclone.exe

Again, not a security expert so I'd like to see other input on this advice.

In my case, I'm not whitelisting the file out of an abundance of caution, but I can verify the hash of the downloaded zip for my system:

certutil -hashfile rclone-v1.56.0-windows-amd64.zip

SHA1 hash of rclone-v1.56.0-windows-amd64.zip:
d5709550b927d1191ea58a06b911371b66119b54

This matches what I see in the published verification sums at the rclone Github download location. Again, I can't post links so I'll just assume you can find this on your own.


I'll also add that a workaround for this if you want to avoid Windows Defender freaking out without whitelisting files is to use a previous version of rclone. I downloaded v1.55.1 and it doesn't seem to offend the AV.

Wondering if someone at Microsoft downloaded the latest after seeing the FBI report, assumed rclone itself was at issue (vs. just a tool, as is PowerShell, also listed), used a hash of it in the MS A/V definitions, and that's why only the latest is flagged.

You can safely whitelist rclone.exe if its sha1 (use certutil or other official tool to get it) is c00cfb456fc6af0376fbea877b742594c443df97. It's the official one.

Defender may call it trojan or whatever they want. We can't change that. Let it be.

$ wget https://downloads.rclone.org/v1.56.0/rclone-v1.56.0-windows-amd64.zip
$ unzip rclone-v1.56.0-windows-amd64.zip
$ cd rclone-v1.56.0-windows-amd64
$ sha1sum rclone.exe
c00cfb456fc6af0376fbea877b742594c443df97  rclone.exe

@ncw

I remember you planned 1.56.1.
Let's have it out and see whether MS blacklists its hash too.


Just adding: For Windows users, the most available (built-in) tool to use is PowerShell:

Start-BitsTransfer -Source https://downloads.rclone.org/v1.56.0/rclone-v1.56.0-windows-amd64.zip
Expand-Archive -Path rclone-v1.56.0-windows-amd64.zip
cd rclone-v1.56.0-windows-amd64
Get-FileHash -Algorithm SHA1 -Path rclone.exe | Select-Object -ExpandProperty Hash
C00CFB456FC6AF0376FBEA877B742594C443DF97
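An added example (not from this thread or the rclone project) of the approach recommended in the certutil and PowerShell posts above: hash the downloaded file with an independent tool and compare it against the published checksum list, without ever executing the binary under suspicion. It assumes the list uses the sha1sum "digest  filename" format; the archive bytes and the demo digests are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

# Sample checksum list in sha1sum format ("<hex digest>  <filename>"); the zip digest
# is the one quoted in the thread, the file content below is constructed for the demo.
SAMPLE_SUMS = "d5709550b927d1191ea58a06b911371b66119b54  rclone-v1.56.0-windows-amd64.zip\n"


def parse_sums(text):
    """Parse sha1sum-style lines into {filename: lowercase digest}; '#' lines are skipped."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()  # '*' marks binary mode in sha1sum output
    return sums


def hash_file(path, algorithm="sha1"):
    """Hash the file in chunks with hashlib; the file is only read, never run."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, sums_text, algorithm="sha1"):
    """Return 'ok', 'mismatch' or 'unlisted' for the file at path against the list."""
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published digest: treat as unverified, not as clean
    actual = hash_file(path, algorithm)
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed files in a temp dir: a matching archive, a tampered copy, an unlisted name."""
    good = b"constructed archive bytes standing in for the real zip"
    sums = f"{hashlib.sha1(good).hexdigest()}  rclone-v1.56.0-windows-amd64.zip\n"
    cases = {"good": ("rclone-v1.56.0-windows-amd64.zip", good),
             "tampered": ("rclone-v1.56.0-windows-amd64.zip", good + b"\x00"),
             "unlisted": ("rclone-v1.55.1-windows-amd64.zip", good)}
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, (name, data) in cases.items():
            os.makedirs(os.path.join(d, label))
            path = os.path.join(d, label, name)
            with open(path, "wb") as f:
                f.write(data)
            results[label] = verify(path, sums)
    return results
```

Only "ok" means the file is the published release; a mismatch or an unlisted name is a reason to delete the download rather than to add an exclusion.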

The following is somewhat off-topic, but I just read the FBI Flash report and simply can’t resist sharing.

Some citations from the report:

The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.

So Windows PowerShell made it to the list too :joy:

… actors gain unauthorized access to victim networks through phishing emails with a malicious zip file attachment. The zip file includes a Microsoft Word or Excel document that contains malicious macros that allow the actors to subsequently infect the victim’s system with the banking Trojan IcedID.

… but I guess they missed Word and Excel :grin:

Here is the top of the recommended mitigations:

Yet, the list shares no hints to spot infections by IcedID or CobaltStrike :thinking:

Sigh, this whole thing makes me worried about FBI and Microsoft’s capabilities to keep me free from truly malicious software :sob:

To FBI: I recommend you hire employees with a minimum of programming experience, this report is ridiculously naïve.

To Microsoft: I recommend you focus on any signs of the initial infection with IcedID and CobaltStrike - and please make it more advanced than just checking for IcedID.exe, CobaltStrike.exe and their SHA1 hashes in the latest release. Do not solely rely on FBI, please apply your own critical thinking. I know you can do better than this.


I think you'd better add a Hindi translation :wink:


Had the same problem on 1 machine out of 3, so I got a little curious... why just 1 machine, when I did a full reboot on all 3 that had the same rclone version?

Got the same message on Windows Security but gave it a scan via ESET before whitelisting the rclone folder to get it back working, since the download was from rclone.org.