Yamato-Security / hayabusa

Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
GNU General Public License v3.0

Cannot download `hayabusa-win-x64.zip` on Windows 11 #1389

Closed fukusuket closed 2 weeks ago

fukusuket commented 1 month ago

Describe the bug It's not actually Hayabusa's bug ... :( but the browser (Edge/Chrome) is blocking the download, so the hayabusa-2.16.0-win-x64.zip binary is currently not downloadable on Windows 11.

Steps to Reproduce

  1. Log in to Windows 11
  2. Open Edge
  3. Click the link hayabusa-2.16.0-win-x64.zip

Expected behavior hayabusa-2.16.0-win-x64.zip is downloadable.

Actual behavior hayabusa-2.16.0-win-x64.zip is not downloadable as follows.

Screenshots

Screenshot 2024-07-24 20 59 17

Environment (please complete the following information):

Additional context

fukusuket commented 1 month ago

It may be a temporary problem, so we will see how it goes for a while.

fukusuket commented 1 month ago

I tried again today and was able to download the file with no problems, so the issue is closed.

fukusuket commented 1 month ago

It is now reproducing again... :( I'll keep an eye on it for a while longer. defender-error

yapper899 commented 1 month ago

Sorry to bother you on this, but Windows Defender is blocking the download of Hayabusa-2.16.0-win-x64.zip or hayabusa-2.16.0-all-platforms.zip to my Windows 10 box.

Since Win Defender is triggering on a different file in the win-x64 .zip file than in the all-platforms .zip file, I wanted to verify that the below files should be tagged as trojan in the related .zip files before I take them out of quarantine. I didn't see anything about these files specifically in the documentation.

win-x64.zip file:

Trojan:Win32/Casdet!rfn hayabusa\hayabusa-2.HWXrULIn.16.0-win-x64.zip.part

all-platforms.zip file:

Trojan:PowerShell/Fleisnam.F \hayabusa-2.16.0-all-platforms\rules\sigma\builtin\process_creation\proc_creation_win_powershell_amsi_init_failed_bypass.yml

Trojan:PowerShell/Malgent!MSR \hayabusa\hayabusa-2.16.0-all-platforms\rules\sigma\sysmon\process_creation\proc_creation_win_powershell_amsi_init_failed_bypass.yml

Thank you
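The check yapper899 describes above, verifying which files Defender actually quarantined before restoring any of them, can be scripted rather than read off the Defender UI. The following is an added example written for this page; it is not code from the Hayabusa project or from anyone in this thread. It assumes Hayabusa was extracted under the hypothetical path `C:\tools\hayabusa`, and relies only on the built-in `Get-MpThreatDetection` and `Get-MpThreat` cmdlets of the Defender PowerShell module (run from an elevated prompt). It classifies each flagged resource so that a text-only Sigma rule (`.yml`) is visibly distinguished from a binary or a partial download.

```powershell
# Added example (not Hayabusa project code): list what Defender flagged under the
# Hayabusa directory and classify each resource before deciding what to restore.
# Assumption: Hayabusa was extracted to this hypothetical path.
$HayabusaRoot = 'C:\tools\hayabusa'

# Defender detection history, filtered to resources that live under the Hayabusa tree.
# Resource strings are of the form "file:_C:\path\to\file".
$escapedRoot = [regex]::Escape($HayabusaRoot)
$hits = Get-MpThreatDetection |
    Where-Object { ($_.Resources -join "`n") -match $escapedRoot }

# Threat names are kept separately; join on ThreatID.
$threats = @{}
foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t.ThreatName }

$report = foreach ($d in $hits) {
    foreach ($res in $d.Resources) {
        $path = $res -replace '^file:_', ''
        if ($path -notmatch $escapedRoot) { continue }
        [pscustomobject]@{
            Detected   = $d.InitialDetectionTime
            ThreatName = $threats[$d.ThreatID]
            Path       = $path
            Kind       = switch -Regex ($path) {
                '\.ya?ml$'        { 'Sigma rule (plain text, no code executes)' }
                '\.(exe|dll)$'    { 'BINARY - verify hash against the release before restoring' }
                '\.zip(\.part)?$' { 'archive or partial download' }
                default           { 'other' }
            }
        }
    }
}

$report | Sort-Object Detected | Format-Table -AutoSize
```

A detection whose resource is a `.yml` file under `rules\sigma\...` means Defender matched on the rule's own text (the strings it looks for in PowerShell command lines), which is what the two `all-platforms` hits above show. A detection on `hayabusa.exe` or on the `.zip.part` of an in-progress download is a different situation and should be checked against the published release artifact rather than restored on the strength of the file name alone.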

YamatoSecurity commented 1 month ago

@yapper899 Thanks for letting us know. We will remove these rules from the next package until we implement encryption of the rules in order to get around Windows Defender blocking things.

YamatoSecurity commented 1 month ago

@fukusuket @yapper899 I updated the rules that do not include the rules that cause false positives here: https://github.com/Yamato-Security/hayabusa/releases/tag/v2.16.1 Please check to see if you can download it without errors.

fukusuket commented 1 month ago

@YamatoSecurity I have verified that I can download all the zips and run the exe! :) Thank you so much!

fukusuket commented 2 weeks ago

I have confirmed that hayabusa-2.17.0-win-x64.zip can be downloaded on Windows 11 :)

YamatoSecurity commented 2 weeks ago

@fukusuket Thanks for checking! I think this was fixed after ignoring the problem rules with 2.16.1. I will close this issue for now but please re-open if you get alerts again.