ScriptKit is currently being flagged as a virus by some antivirus programs. This issue wasn't present in January but seems to have surfaced recently. It is likely a false positive, but it should be addressed to avoid unnecessary alarms. According to the behavior analysis (Tab Behavior) under the "Crowdsourced Sigma Rules" section in VirusTotal, two specific detections seem to be the cause:
Recon Command Output Piped to Findstr.EXE:
This detects the execution of a potential recon command where the results are piped to findstr. The specific command in question seems to involve querying Kit.exe, which is flagged as suspicious.
CommandLine example:
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Kit.exe" | %SYSTEMROOT%\System32\find.exe Kit.exe
Hidden Executable In NTFS Alternate Data Stream:
This detection identifies a hidden executable inside an NTFS Alternate Data Stream (ADS). The file associated with this detection is kit-updater\installer.exe.
TargetFilename:
C:\Users\george\AppData\Local\kit-updater\installer.exe
Steps to Reproduce:
Expected Behavior:
ScriptKit should not be flagged as malicious by antivirus software.
Actual Behavior:
Antivirus programs are detecting ScriptKit as a virus, probably based on the "Crowdsourced Sigma Rules" behavior tab on VirusTotal, if I understand it correctly.
Evidence:
You can view the VirusTotal detection here:
https://www.virustotal.com/gui/file/e5d8ededbb99f93daf0861d2fbb8cf6dbe8155d4f37810edddd06e3e25981d22/detection
Environment:
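The following is an added example, not part of the original issue and not Script Kit's own code. It re-implements the two behaviour detections named above as simplified matchers (my approximation of the public Sigma rules, not their exact definitions) and runs them over constructed Sysmon-style events: the exact command line from the report, a variant of the same tasklist query with no pipe into find.exe, a findstr call with no recon command, and three FileCreateStreamHash events for the installer path. The stream names and contents of those file events (Zone.Identifier, a hypothetical payload.exe stream) are constructed; the report does not say which stream triggered the ADS detection.

```python
"""Simplified matchers for the two VirusTotal "Crowdsourced Sigma Rules"
behaviours from the report, run over constructed Sysmon-style events.
These approximate the public rules; they are not the rules themselves."""
import re
from dataclasses import dataclass

# Approximation of "Recon Command Output Piped To Findstr.EXE": a recon-style
# command whose output is piped into find.exe or findstr.exe, with or without
# the %SYSTEMROOT%\System32\ / C:\Windows\System32\ prefix.
RECON_TOOLS = ("tasklist", "netstat", "ipconfig", "whoami", "systeminfo",
               "net user", "net group", "net localgroup", "nltest")
PIPE_TO_FIND = re.compile(
    r"\|\s*(?:%SYSTEMROOT%\\System32\\|[A-Za-z]:\\Windows\\System32\\)?"
    r"find(?:str)?(?:\.exe)?\b",
    re.IGNORECASE,
)

# Approximation of "Hidden Executable In NTFS Alternate Data Stream": a stream
# written into a file whose name is not a well-known metadata stream and whose
# contents start with the PE 'MZ' header (or whose name looks like a PE file).
BENIGN_STREAMS = {"zone.identifier", "smartscreen", "$data"}
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".com")


@dataclass
class Event:
    event_id: int              # Sysmon: 1 = process creation, 15 = FileCreateStreamHash
    command_line: str = ""
    target_filename: str = ""
    contents: bytes = b""


def recon_piped_to_find(ev: Event) -> bool:
    """True when a process-creation event pipes a recon command into find/findstr."""
    if ev.event_id != 1:
        return False
    lowered = ev.command_line.lower()
    return (any(tool in lowered for tool in RECON_TOOLS)
            and PIPE_TO_FIND.search(ev.command_line) is not None)


def hidden_exe_in_ads(ev: Event) -> bool:
    """True when a stream-creation event writes a PE image into a non-metadata ADS."""
    if ev.event_id != 15:
        return False
    # 'C:\dir\file.exe:stream' splits on the last colon; a plain path such as
    # 'C:\dir\file.exe' splits at the drive colon, leaving no backslash on the left.
    path, sep, stream = ev.target_filename.rpartition(":")
    if not sep or "\\" not in path:
        return False
    name = stream.lower()
    if name in BENIGN_STREAMS:
        return False
    return ev.contents.startswith(b"MZ") or name.endswith(PE_EXTENSIONS)


# The command line quoted in the report, and the same query without the pipe
# (filtering the CSV output in the calling program instead of in find.exe).
ISSUE_COMMAND = ('cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Kit.exe"'
                 ' | %SYSTEMROOT%\\System32\\find.exe Kit.exe')
NO_PIPE_COMMAND = 'tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Kit.exe" /FO CSV /NH'
INSTALLER = r"C:\Users\george\AppData\Local\kit-updater\installer.exe"

# Constructed sample events (not taken from the VirusTotal report).
SAMPLE_EVENTS = [
    Event(1, command_line=ISSUE_COMMAND),
    Event(1, command_line=NO_PIPE_COMMAND),
    Event(1, command_line='findstr /s "TODO" src\\*.ts'),        # findstr, no recon command
    Event(15, target_filename=INSTALLER + ":Zone.Identifier",       # mark-of-the-web metadata
          contents=b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    Event(15, target_filename=INSTALLER + ":payload.exe",           # hypothetical PE in an ADS
          contents=b"MZ\x90\x00"),
    Event(15, target_filename=INSTALLER, contents=b"MZ\x90\x00"),  # the file itself, no stream
]


def scan(events):
    """Return (rule_name, command_line_or_path) for every event a matcher flags."""
    rules = (("recon_piped_to_find", recon_piped_to_find),
             ("hidden_exe_in_ads", hidden_exe_in_ads))
    return [(name, ev.command_line or ev.target_filename)
            for ev in events for name, rule in rules if rule(ev)]


if __name__ == "__main__":
    for name, detail in scan(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

Two things fall out of running this over the samples: only the piped form of the tasklist query matches the first rule, so querying tasklist with /FO CSV /NH (or calling the process list API directly) and filtering in the updater's own code avoids the trigger; and the ADS rule fires on the stream, not the file, so the first thing to check on an affected machine is which streams the installer actually carries, for example with Get-Item on that path with -Stream * in PowerShell.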