ramensoftware / windhawk

The customization marketplace for Windows programs: https://windhawk.net/
GNU General Public License v3.0

Microsoft 365 Defender #60

Closed FaffyBucket closed 1 year ago

FaffyBucket commented 1 year ago

Hello, I am a sys admin in a small business and I have had Windhawk installed on my PC for a few months. Today I have received multiple Microsoft Defender alerts all due to windhawk.exe. The alert description is:

"A process abnormally injected code into another process. As a result, unexpected code may be running in the target process memory. Injection is often used to hide malicious code execution within a trusted process. As a result, the target process may exhibit abnormal behaviors such as opening a listening port or connecting to a command and control server."

By the way I don't have any active mods at the moment, and it's been about a month since I turned off all mods. I am running Windhawk v1.2.

FaffyBucket commented 1 year ago

I just noticed that some of the alerts are for a separate reason. This is the other alert triggered by windhawk.exe:

"User keystrokes have been observed being monitored on the device. Various programs and applications monitor keystrokes to perform specific tasks when specific keys or words are typed using the keyboard. Attackers can leverage this capability to steal sensitive information from an organization.

This alert has a medium severity because while it captures keystroke monitoring, it doesn't necessarily mean that actual keylogging also occurred."

m417z commented 1 year ago

Hi,

Regarding the first notice, it's correct. By default, Windhawk injects its module into all running processes, even if no mods are used. For details, see the following discussion thread: https://github.com/ramensoftware/windhawk/discussions/21.

Regarding the second notice, it's absolutely false. Windhawk doesn't do anything related to keystroke monitoring. I'm not sure why Windhawk triggered that detection in Defender, but it's most certainly a false positive. As a customer, you might want to contact the Defender support and ask for a clarification.
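To check the first alert against the behaviour m417z describes (a Windhawk module loaded into all running processes), here is an added PowerShell triage script; it is not part of the Windhawk project, and `$WindhawkDir` is an assumed install-path placeholder to adjust to the machine being examined.

```powershell
# Added triage example, not Windhawk project code. Assumption: the injected
# module lives under the Windhawk install directory given in $WindhawkDir.
param(
    # Assumed default install path; replace with the real path on the host.
    [string]$WindhawkDir = "$env:ProgramFiles\Windhawk"
)

$WindhawkDir = [System.IO.Path]::GetFullPath($WindhawkDir).TrimEnd('\')

# Walk every process we can open and list modules whose image path sits under
# the Windhawk directory. Access-denied errors (protected or higher-privilege
# processes) are expected; report them instead of aborting the sweep.
$results = foreach ($p in Get-Process) {
    try {
        $mods = $p.Modules
    } catch {
        [pscustomobject]@{ ProcessName = $p.ProcessName; Id = $p.Id; Module = '<access denied>'; Path = '' }
        continue
    }
    foreach ($m in $mods) {
        if ($m.FileName -and $m.FileName.StartsWith("$WindhawkDir\", [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{ ProcessName = $p.ProcessName; Id = $p.Id; Module = $m.ModuleName; Path = $m.FileName }
        }
    }
}

# Processes that carry a Windhawk module match the injection the alert reports;
# a Windhawk module in a process you did not expect is worth a closer look.
$results | Sort-Object ProcessName, Id | Format-Table -AutoSize
```

Run it from an elevated prompt so that fewer processes come back as access denied.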

FaffyBucket commented 1 year ago

I think the mod I have installed (Taskbar Volume Control) is the cause of the second notice. It is triggered by scrolling the mousewheel over the Taskbar, which is a keystroke.

FaffyBucket commented 1 year ago

I am going to close this issue. I'm not even using Windhawk anymore as the one mod I was using hasn't been working. So I'm just going to uninstall Windhawk; there doesn't need to be any further action for my usage.

The purpose of opening this issue was really to let you guys know that Microsoft Defender has started to flag Windhawk as suspicious.

m417z commented 1 year ago

A follow-up regarding the Taskbar Volume Control mod: I made some improvements and released a new version. The mod no longer uses a global mouse hook, which improves the mod and should probably also solve the Defender alert.