Samsung / netcoredbg

NetCoreDbg is a managed code debugger with GDB/MI, VSCode DAP and CLI interfaces for CoreCLR.
MIT License
836 stars 103 forks source link

Windows Defender false positive #156

Open qgindi opened 10 months ago

qgindi commented 10 months ago

When debugging, Windows Defender detects Behavior:Win32/DefenseEvasion.A!ml and quarantines netcoredbg.exe. Tested on Windows 11 and 10.

Suggestion: Sign netcoredbg.exe with an authenticode code signing certificate. If the certificate already has good reputation, usually antivirus software is less aggressive.

gbalykov commented 10 months ago

I'm not sure, but signing might not help if some complicated heuristics is used in antivirus. You can add netcoredbg binary to exclusions of your antivirus.

qgindi commented 10 months ago

The problem is, now I cannot simply include netcoredbg.exe with my app. Windows Defender is the mostly used AV on Windows, maybe 1/3 of computers. I would have to tell users to download it separately and make the AV exclusion. Yesterday I reported the false positive to https://www.microsoft.com/en-us/wdsi/submission and now waiting for results.

TechProofreader commented 5 months ago

Since NetCoreDbg uses the MIT License, you could always fork the entire repo and modify it to include things such as a signed certificate. I know it might seem like a massive workaround, but if it's the only thing holding you back from releasing an app that needs the debugger packaged with it, then at least it's something you could take control over on your end. From there, you could sync your forked repo with the updates from the main NetCoreDbg repo and push the updates to your app as you see fit. Of course you would have to change the name and include a disclaimer that it is a third-party version of the original NetCoreDbg, but that's normal.