search

NickeManarin / ScreenToGif

๐ŸŽฌ ScreenToGif allows you to record a selected area of your screen, edit and save it as a gif or video.
http://www.screentogif.com
Microsoft Public License
23.04k stars 2.15k forks source link

Crowdstrike antivirus flags ScreenToGif.dll as virus #1264

Closed richardsjogren closed 3 months ago

richardsjogren commented 6 months ago

Crowdstrike antivirus flags ScreenToGif as virus (Sorry, not sure if itยดs ok to report this as a "bug")

Steps to reproduce the behavior:

  1. Try to install ScreedToGif on computer with Crowdstrike

https://www.virustotal.com/gui/file/95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad

Vincent-FundApps commented 6 months ago

+1

TrevisanGMW commented 6 months ago

+1

mattspierce commented 6 months ago

I've had a few user experiencing this. Here are the details of the detection.

DETECT TIME Dec. 17, 2023 12:48:24 HOSTNAME computername HOST TYPE Workstation USER NAME place\user ACTIONS TAKEN Process blocked File quarantined SEVERITY Low OBJECTIVE Falcon Detection Method TACTIC & TECHNIQUE Malware via PUP TECHNIQUE ID CST0013 SPECIFIC TO THIS DETECTION This file is classified as Adware/PUP based on its SHA256 hash. TRIGGERING INDICATOR Associated IOC (SHA256 on library/DLL loaded) ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d GLOBAL PREVALENCE Common LOCAL PREVALENCE Low IOC MANAGEMENT ACTION None

Associated File \Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe GROUPING TAGS None LOCAL PROCESS ID 26000 COMMAND LINE "C:\Program Files\ScreenToGif\ScreenToGif.exe" FILE PATH \Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe EXECUTABLE SHA256 ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d GLOBAL PREVALENCE Common LOCAL PREVALENCE Low IOC MANAGEMENT ACTION None

EXECUTABLE MD5 ce227688fe0d35e6b5381666dc1cd7db RUN PERIOD START TIME Dec. 17, 2023 12:47:14 END TIME Dec. 17, 2023 12:47:15 DURATION Terminated

jduke-halls commented 6 months ago

Just had a trigger with the new version

Steps to reproduce detection:

Metadata from Crowdstrike Detection

ACTIONS TAKEN
Process blocked
File quarantined

SEVERITY
Low

OBJECTIVE
Falcon Detection Method

TACTIC & TECHNIQUE
Malware via PUP

TECHNIQUE ID
CST0013

SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.

TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6

GLOBAL PREVALENCE
Common

LOCAL PREVALENCE
Unique

IOC MANAGEMENT ACTION
None

Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe

VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection

HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6

What we did

We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to *\ScreenToGif.exe

NickeManarin commented 5 months ago

I sent a message to the company, let's see if they give me a reply.

mcd92 commented 5 months ago

Same thing here. Antivirus McAfee.

elliottttttttt commented 5 months ago

I sent a message to the company, let's see if they give me a reply.

We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.

DavidMulder0 commented 5 months ago

Tip: When you install through the Microsoft Store it actually works just fine... ๐Ÿ˜• No idea what that says about CrowdStrike, but at least a workaround for those who want to use ScreenToGif ๐Ÿ‘.

captainhunt commented 5 months ago

Well just as long as your company does not block MS store, too ๐Ÿ˜•.

chrispy-snps commented 5 months ago

@NickeManarin - I hope we are able to resolve this. I am impacted too.

NickeManarin commented 5 months ago

image

mattspierce commented 5 months ago

I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?

mattspierce commented 5 months ago

Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.

NickeManarin commented 5 months ago

I got this details from some other company, they got these results:

YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_) YARA
 signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)

and

 "ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShe l\v1.0\powershe l.exe" (Handle: 1728)

YARA Bolonyokte is a really generic rule-set as for example, it matches apps with "CaptureScreen" and "CaptureCursor" which of course this app would have. ๐Ÿ™„

NickeManarin commented 5 months ago

mid December that triggered the alerts?

I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.

NickeManarin commented 3 months ago

This should no longer be a problem, as the company removed the false-positive.

p1r473 commented 1 month ago

@NickeManarin Nope its still flagging for me here as of May 5 Hash aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c image