malxau / yori

Yori is a CMD replacement shell that supports backquotes, job control, and improves tab completion, file matching, aliases, command history, and more.
http://www.malsmith.net/yori/
MIT License
1.24k stars 31 forks source link

current version -- 2.0 is marked as infected with a trojan by Windows Defender #113

Closed ajalexei closed 1 year ago

ajalexei commented 1 year ago

Somehow the latest version of yori: yori-core-arm64.cab is marked as infected with a trojan by Windows Defender. I am pretty sure this is a false positive, however still feeling obliged to report it here.

malxau commented 1 year ago

Thanks for the report. Do you have any screenshots or logs for this detection? I scanned everything with Defender now which didn't appear to find anything.

Can you also double-confirm this is arm64 not amd64?

Arm64: https://www.virustotal.com/gui/file/7f8293b17885583193e74430a1ff743d1d1a605363180c6cb3af5a1fe43e9e4e Amd64: https://www.virustotal.com/gui/file/6ab7add993b8e9065c0997810139c3d2dbd48be9f0a1982235fbca5237302577

Do these hashes match the file contents you have?

Historically the Defender team have been fairly responsive to reports of overactive detection, but not all vendors are. It's not uncommon to see something like here where Arm64 is flagged by somebody based on a heuristic (as opposed to a thumbprint) and then that gets picked up as a kind of echo chamber.

Looking at the "relations" tab shows another AV vendor is detecting the ARM version of very trivial tools (title, cls, pause, mkdir, etc.) It makes me wonder a little what heuristic behavior malware today has (open console window, clear screen, update title, display message, wait for key press...?)

ajalexei commented 1 year ago

Thanks for a prompt reply. Apologies for not replying at once -- it was a busy week for me. I confirm it was arm64. The issue is gone and seemed to be a false positive (as I suspected from the beginning).

malxau commented 1 year ago

It seems like there's nothing actionable left here. Let me know if there are future detections (which will happen - this is an ongoing ecosystem wide problem.)