Qualys/log4jscanwin

MS Defender blocks 'Serious threat' when running log4jscanwin

Closed this issue · 9 comments

hitem commented

Hello,
Your tool is triggering AVs. I tried looking through your code but could not find anything suspicious at a glance, therefore this submission.
What it finds is the following:
[screenshot]
It says: Serious threat, blocked and removed.

Hope it helps.

romw commented

Was it triggered from one of the binaries we supplied? Or did you build it yourself?

hitem commented

From your binary. It runs for about 25 seconds "Scanning c:" and then it comes up.
Edit: I also tried running it on a secondary system and same trigger there. Three times in a row (in case it was something else!).

Useless side note that may or may not help:
Running the scanning tool on an old XP computer (works great even on old XP !).
Avast with current signatures (20 Dec) does not detect it being a threat.

Quick feedback: I had no problem in running the program on win 10 with SentinelOne av.

I had no problems running this (1.2.17) yesterday on Win10 with Defender for Endpoints

hitem commented

Thanks for the tests guys. I went ahead and went a little deeper today.
However, it's still detected by Microsoft Defender.
[screenshot]
Tried running w and w/o administrator rights - tried disabling each feature of defender and the only time it was undetected is if I turn defender completely off...

[screenshot]

romw commented

I suspect the ransomware behavior detection component of Windows 11 noticed the sequential traversal of the file system as something to block. It appears our code-signing certificate isn't enough to overcome the suspicion of Windows Defender's scoring system on Windows 11.

That is rather annoying.
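For anyone triaging a detection like the one above before deciding whether it is a false positive, the following PowerShell script is an added example (not code from the log4jscanwin project or from anyone in this thread). It uses the built-in Defender cmdlets and `Get-AuthenticodeSignature` to record the binary's signer and hash, list the Defender detection entries that reference the file, and show whether the ransomware-protection (Controlled Folder Access) setting is active. The path in `$BinaryPath` is a hypothetical placeholder; it must be run in an elevated PowerShell session on a machine with the Defender module.

```powershell
# Added example (not part of the log4jscanwin project): triage a Defender detection
# of a file-system scanner binary before treating it as a false positive.
param(
    # Hypothetical location of the downloaded scanner; adjust to where you saved it.
    [string]$BinaryPath = 'C:\tools\log4j2-scan.exe'
)

if (-not (Test-Path -Path $BinaryPath)) {
    throw "Binary not found at $BinaryPath (Defender may already have quarantined it)."
}

# 1. Record who signed the file and its hash so the verdict can be tied to one exact build.
$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
[pscustomobject]@{
    File   = $BinaryPath
    Status = $sig.Status                       # 'Valid' is expected for a vendor-signed binary
    Signer = $sig.SignerCertificate.Subject    # the signing organisation as Windows sees it
    SHA256 = (Get-FileHash -Path $BinaryPath -Algorithm SHA256).Hash
} | Format-List

# 2. Pull the Defender detections that name this file and show the threat
#    classification and the action Defender took for each one.
$leaf = [regex]::Escape((Split-Path -Path $BinaryPath -Leaf))
$detections = Get-MpThreatDetection | Where-Object { ($_.Resources -join ';') -match $leaf }

if (-not $detections) {
    Write-Host "No Defender detection entries reference $leaf."
}
foreach ($d in $detections) {
    $threat = Get-MpThreat -ThreatID $d.ThreatID
    [pscustomobject]@{
        DetectedAt    = $d.InitialDetectionTime
        ThreatName    = $threat.ThreatName      # e.g. a behaviour-based family name vs. a file signature
        SeverityID    = $threat.SeverityID
        Process       = $d.ProcessName          # which process triggered the detection
        ActionSuccess = $d.ActionSuccess        # whether the block/remove completed
        Resources     = ($d.Resources -join '; ')
    } | Format-List
}

# 3. Show whether the ransomware-protection feature is on (0 = off, 1 = block, 2 = audit),
#    since the comment above suspects the behavioural component rather than a file signature.
$pref = Get-MpPreference
Write-Host "ControlledFolderAccess: $($pref.EnableControlledFolderAccess)"
```

The threat name reported in step 2 is the useful detail: a behaviour-based name points at the scanner's file-system traversal being scored, whereas a file-signature name points at the binary itself, and that distinction decides whether the right fix is a vendor false-positive report or an inspection of the downloaded file.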

I am getting a similar message from Defender when running on Windows 11. It is saying the program is putting a file in the temp folder of AppData.
[screenshot]

Symantec Endpoint Protection also blocks the tool:
[screenshot]