astral-sh / uv

An extremely fast Python package and project manager, written in Rust.
https://docs.astral.sh/uv
Apache License 2.0

Crowdstrike quarantines executable GUI entrypoints upon installation on Windows #7324

Open johannesloibl opened 1 week ago

johannesloibl commented 1 week ago

Hey,

don't know if this is the right place, but my company recently installed Crowdstrike (yeah, that one) and it is now messing with me after switching to awesome UV.

For only some of our internal Python packages, Crowdstrike is quarantining the EXE that is created by UV (because of defined GUI application entrypoints of the library) when I try installing it via `uv tool install` or creating a venv and installing the library using `uv pip install`.

Why am I creating this issue here? Well, if I use pip and pipx to install, everything works fine. Maybe Crowdstrike has a problem with the uv-trampoline bootstrap code? This seems to be the only difference between executables from UV and PIPX, or am I wrong?

It seems to be only an issue for entrypoints defined in `[project.gui-scripts]`; entrypoints from `[project.scripts]` are not quarantined.


UV version: uv 0.4.9 (77d278f68 2024-09-10), Windows 10

I was able to make a small reproducible Python project example that triggers the quarantine and attached it: cs_false_positive.zip. Just unpack and execute `trigger_crowdstrike.ps1`. This will create a venv and install the project. Crowdstrike will then delete `.venv\Scripts\hello-app.exe` but ignore `.venv\Scripts\hello-cli.exe`.

johannesloibl commented 3 days ago

@ofek FYI, your PyApps are also affected by this (UV + GUI), just got the confirmation of a colleague.

zanieb commented 3 days ago

Thanks for the report.

Did you also report this as a false-positive to Crowdstrike? I'd love to hear what they say too. We're not doing anything malicious :)

johannesloibl commented 3 days ago

Yes, our CyberSec team is reporting it to them, but I probably won't get any information I could share with you. Since they are doing a lot of scanning based on ML models, it can take some time until they update the model to not flag the executables anymore, if they do this at all...