Closed (jamal-admin closed this issue 11 months ago)
Hi @jamal-admin, sometimes some antivirus software may produce false positives. The wakatime-cli has no exploit in it.
Thanks @gandarez, this is just part of our investigation before marking it as a FP. It would be worth investigating whether you can submit feedback to CrowdStrike to stop other users from getting blocked by their Security/IT teams that don't report this.
@alanhamlett, would you help with this? We need to advise CrowdStrike that wakatime-cli is not an exploit.
I've emailed their support, will update once I receive a reply.
Received a response from CrowdStrike saying they've marked the file safe, and it's not showing up as flagged by CrowdStrike anymore on virustotal scan: https://www.virustotal.com/gui/file-analysis/NWRkZTUzNTdmY2RhMjA4NDcwZGQwOTlhZTY4MDlmMzY6MTY5MjY4Mzg5NA==
Actual behavior (what went wrong):
ACTION TAKEN Process blocked
SEVERITY High
OBJECTIVE Falcon Detection Method
TACTIC & TECHNIQUE Malware via Malicious File
TECHNIQUE ID CST0001
IOA NAME PostExploit
IOA DESCRIPTION A suspicious process related to a likely malicious file was launched. Review any binaries involved as they may be related to malware.
COMMAND LINE /Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64 --today --output json --plugin "vscode/1.81.1 vscode-wakatime/24.2.1"
FILE PATH /Users/redacted user name/.wakatime/wakatime-cli-darwin-arm64
Environment: