Looking for community feedback: Addressing antivirus false positives for script files on Windows

[undergroundwires]

Problem

Recently, Microsoft Defender started flagging privacy.sexy scripts as potential threats, causing confusion and inconvenience ^{_{(#296, #299, #264)}}. It impacts both desktop and web applications, as it hinders script execution and download. I'm concerned about the growing aggressiveness of antivirus programs against system modifications. Read more about AV detection.

I plan to add explanatory messages within the application, but manual antivirus exclusions could affect usability. We need a better approach than just information.

Suggested solutions

1. Obfuscation of script files: Modify script files to avoid antivirus detection. This would require adding obfuscating support to internal compiler. It's not a big issue as batch commands are created in a very controlled way. On UI, we can have a toggle to tell the compiler to create obfuscated code.

Pros:

• Potentially bypasses detection.
• Minimal user experience impact.
• Applicable to both web and desktop versions.

Cons:

• Might be flagged as suspicious by antivirus programs.
• Requires ongoing updates.
• Could harm privacy.sexy's reputation.

2. Adding Defender exclusions: Automatically or via prompt, add Defender exclusions for scripts.

Pros:

• Directly addresses the issue with Defender.
• Once set, provides a seamless user experience.

Cons:

• This can scare off users as users might be uncomfortable changing antivirus settings.
• Only applies to Defender.
• Might be perceived as intrusive.
• Only helps desktop users, not web.

3. In-memory execution: Execute commands directly in a terminal, avoiding script file creation.

Pros:

• Bypasses file creation therefore antivirus checks.
• Retains script flexibility.

Cons:

• More complex to implement.
• Changes the user experience.
• Only helps desktop users, not web.
• Requires running the application with administrator (sudo) privileges instead of requiring it only for script execution.

Requesting feedback

• What solution would you prefer?
• Is there any other approach we could take?
• How crucial is maintaining the current user experience, like the simplicity of the "Run" button?
• If we were add automatic Defender exclusions, would you prefer a prompt that asks you "Do you want to try with exclusion" or just expect privacy.sexy to do it in the background?

Your feedback is important to navigate this while keeping that privacy.sexy a trusted and user-friendly tool.

[SnowzNZ]

Pretty sure any script that attempts to modify defender or any windows security stuff gets flagged

[undergroundwires]

That would be acceptable but but it even alerts on "Standard" selection which does not configure anything that Microsoft considers a security component at all. Probably need to separate script files for every script to run a test to exactly see what signatures/scripts its alerting on and change the code for those. It's however not a long-term viable solution as others as these signatures get more and more aggressive over time, and this way still can be categorized some kind of obfuscation to avoid signature detection.

[selivan]

I think the option 2 makes most sense.

Obfuscation of scripts look really suspicious. In-memory execution does not help web version and may be blocked by antivirus software in future.

Here is how option 2 may look on desktop:

• try writing script
• try reading it back
• if we can not read what we wrote - notify user, that AV software is probably blocking the scripts, and how they can disable that

[undergroundwires]

Thank you for the feedback @selivan. Then lets make this our first step.

Creating exception automatically for the file is good for seamless user experience, but as you say this may be considered intrusive/suspicious for users, or even lead to privacy.sexy app being detected as virus in the end.

So we go for prompting users. Script cannot be executed => Inform user.

How about also giving user options to make it easy for user to take next step:

1. Add temporary exclusion for privacy.sexy scripts (1 hours) (recommended action)
2. Add permanent exclusion for privacy.sexy scripts
3. Temporarily disable real-time defender protection (for one hour)

In the UI we can also describe that this creates security risks. On clicking of a button, privacy.sexy would ask for admin rights and do the job automatically.

In that case what option is most viable one to provide as part of the flow 1), 2) or 3)? Or is there any other option that can be better that I'm missing?

[selivan]

Happy to contribute ) Thanks for doing the job on protecting people's privacy.

Option 1 looks safer to me. Permanent exclusion of some directory creates security risks.

It's even safer to offer the user to remove the exclusion immediately when they try to close the program.

Would be nice to have some indicator, like a label in the status bar: ⚠️ Widows Defender exclusion for scripts is active.

And don't forget to give the user instructions on what directory to exclude from monitoring, if it is not Defender, but some other AV software.

[undergroundwires]

1. Write file.
2. Check if exists afterwards

Above fails to find Defender intervention.

1. Write file.
2. Read it back

It finds Defender intervention exactly as you suggested. Here's the full code that does these checks including an integrity check as tamper protection and if the script file is tampered, it rejects to run. It now shows antivirus error only if file cannot be read back, otherwise a generic error. I also added information on web UI when user downloads the file.

Thank you for this @selivan for great tips ❤️ Not only this one but also including directory path, and showing a way forward i.e. showing a button for temporary AV exclusions.

Following your feedback, I will add persistent script directory path to the error message then release a new patch. Before privacy.sexy was saving scripts in temporary directory, but I changed it to persistent %APPDATA%\privacy.sexy\runs, documented here.

[undergroundwires]

Good news 🎉. Microsoft has removed the aggressive signatures, Standard collection does no longer trigger antivirus alerts on after Defender signature update. Thank you for the cooperation Defender team ❤️!

Closing this due to:

• Web application show now instructions on how to save the file even if antivirus alerts.
• Desktop application now shows error if it detects antivirus intervention.
• Microsoft has removed the aggressive signatures, Standard is no longer triggering antivirus alert.

A follow-up issue would be to automate disabling antivirus.