vmware-tanzu / cloud-suitability-analyzer

Automated, rule based source code scanning to determine cloud suitability

csa.exe 4.0.0 is detected as trojan by Trellix Endpoint Security and quarantined #152

Closed sn123 closed 6 months ago

sn123 commented 11 months ago

Trellix Endpoint Security (aka McAfee Endpoint Security) identifies csa.exe as a Trojan and quarantines it.

Endpoint Security Version: 10.7 (mostly latest since this is cloud based)

T1204.002 Adaptive Threat Protection repaired <path>\csa.exe TargetType, because its reputation (Known Malicious) is below the configured Clean threshold.

Below is the log, in case it helps:

2023-09-27 11:40:33.213Z Activity Orchestrator mfeatp 10124 50724 RealProtect rp_native_scanner.cpp(1490) Real Protect cloud scanner will monitor process with process id 59300 , file path C:\whereamI\csa.exe
2023-09-27 11:40:35.033Z Activity Orchestrator mfeatp 10124 1796 Action post_scan_actions.cpp(861) File C:\whereamI\csa.exe with reputation 1 is detected as Known Malicious
2023-09-27 11:40:44.011Z Activity Orchestrator mfeatp 10124 1796 Action post_scan_actions.cpp(2429) Real Protect cloud found detection, detection name: Real Protect-PEFT!9BFDAA3BC074 in source process id: 59300 , source path: C:\Windows\System32\WindowsPowerShell\v1.0 , source name: powershell.exe , target path C:\whereAmI , target name: csa.exe , target hash: 9bfdaa3bc074e5f6b1a88a7d58493e1c , reputation: 1 [Known Malicious] , source user: KungfuPanda , target user: KungfuPanda , action taken: Clean , content version: 1.1 , engine version: 1.1
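
As an added example (not code from the issue or from the cloud-suitability-analyzer project), a small Python parser for the ATP log lines quoted above: it pulls out the detection name, target hash, reputation, verdict and action, and checks whether the flagged file's MD5 matches the MD5 of the release you actually downloaded. `expected_md5` is a placeholder argument; the thread only gives the release's VirusTotal SHA-256, so compute the MD5 of your own copy to use it.

```python
import re
from typing import Optional

# Constructed sample: the three Trellix/McAfee ATP log lines quoted in the report above.
SAMPLE_LOG = r"""
2023-09-27 11:40:33.213Z Activity Orchestrator mfeatp 10124 50724 RealProtect rp_native_scanner.cpp(1490) Real Protect cloud scanner will monitor process with process id 59300 , file path C:\whereamI\csa.exe
2023-09-27 11:40:35.033Z Activity Orchestrator mfeatp 10124 1796 Action post_scan_actions.cpp(861) File C:\whereamI\csa.exe with reputation 1 is detected as Known Malicious
2023-09-27 11:40:44.011Z Activity Orchestrator mfeatp 10124 1796 Action post_scan_actions.cpp(2429) Real Protect cloud found detection, detection name: Real Protect-PEFT!9BFDAA3BC074 in source process id: 59300 , source path: C:\Windows\System32\WindowsPowerShell\v1.0 , source name: powershell.exe , target path C:\whereAmI , target name: csa.exe , target hash: 9bfdaa3bc074e5f6b1a88a7d58493e1c , reputation: 1 [Known Malicious] , source user: KungfuPanda , target user: KungfuPanda , action taken: Clean , content version: 1.1 , engine version: 1.1
""".strip()

# Fixed prefix: timestamp, "Activity Orchestrator", module, pid, tid, category, origin file(line), free text.
HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+Z) Activity Orchestrator (?P<module>\S+) "
    r"(?P<pid>\d+) (?P<tid>\d+) (?P<category>\S+) (?P<origin>\S+\(\d+\)) (?P<message>.*)$"
)

# Key/value fragments seen in the message part; fields are separated by " , " in the ATP format.
FIELD_PATTERNS = {
    "detection_name": r"detection name: (.+?) in source process id",
    "target_hash": r"target hash: ([0-9a-fA-F]{32})",
    "reputation": r"reputation:? (\d+)",       # "reputation 1 is detected" / "reputation: 1 [..]"
    "action": r"action taken: (\S+)",
    "target_name": r"target name: (\S+)",
    "target_path": r"target path:? (\S+)",
    "source_name": r"source name: (\S+)",
    "source_pid": r"source process id: (\d+)",
    "monitored_pid": r"process with process id (\d+)",
    "file_path": r"(?:file path|File) (\S+)",
}


def parse_atp_line(line: str) -> Optional[dict]:
    """Parse one ATP log line into a dict; returns None for lines that do not match the format."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    for key, pat in FIELD_PATTERNS.items():
        fm = re.search(pat, event["message"])
        if fm:
            event[key] = fm.group(1)
    # Verdict appears either as "... is detected as Known Malicious" or as "reputation: 1 [Known Malicious]".
    vm = re.search(r"reputation:? \d+ (?:is detected as (.+)$|\[([^\]]+)\])", event["message"])
    if vm:
        event["verdict"] = vm.group(1) or vm.group(2)
    return event


def triage(log_text: str, expected_md5: str) -> dict:
    """Summarise detections and compare the flagged file's MD5 with the MD5 of the release you downloaded."""
    events = [e for e in map(parse_atp_line, log_text.splitlines()) if e]
    detections = [e for e in events if "detection_name" in e]
    hashes = {e["target_hash"].lower() for e in detections if "target_hash" in e}
    return {
        "events": len(events),
        "detections": len(detections),
        "detection_names": sorted({e["detection_name"] for e in detections}),
        "actioned": [e.get("target_name") for e in detections if e.get("action") == "Clean"],
        # None when no hash was logged; True/False tells you whether ATP quarantined the same bytes you fetched.
        "hash_matches_release": (hashes == {expected_md5.lower()}) if hashes else None,
    }
```

A `True` result means the quarantined file is the release you downloaded (a reputation-based false positive to report, as done here); `False` means a different binary was flagged and the endpoint deserves a closer look.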

markusrt commented 11 months ago

@sn123 thanks for reporting this. However, in your logs I do not see any mention of a specific trojan, just the hint about "reputation 1". This looks similar to microsoft/vscode#134288, Clever/csvlint#33, or junegunn/fzf.vim#1404

To double-check I initiated a VirusTotal scan on the latest release exe which shows that all but one AV scanner mark it correctly as secure: https://www.virustotal.com/gui/file/f17f1b290c67ea8de3e456e7eb1b3bd60a9face14534e0c02a9141328865221b

@rahulkj do you think it is possible to sign the exe to prevent false positives in the future? I also got a browser warning while downloading it due to a low file reputation.

rahulkj commented 11 months ago

@markusrt @sn123 - does this issue exist in the latest release too?

rahulkj commented 6 months ago

Closing due to inactivity