Windows Defender false positive
qgindi opened this issue · 3 comments
When debugging, Windows Defender detects Behavior:Win32/DefenseEvasion.A!ml and quarantines netcoredbg.exe. Tested on Windows 11 and 10.
Suggestion: Sign netcoredbg.exe with an authenticode code signing certificate. If the certificate already has good reputation, usually antivirus software is less aggressive.
I'm not sure, but signing might not help if some complicated heuristics are used in the antivirus. You can add the netcoredbg binary to the exclusions of your antivirus.
The problem is, now I cannot simply include netcoredbg.exe with my app. Windows Defender is the most used AV on Windows, maybe 1/3 of computers. I would have to tell users to download it separately and make the AV exclusion. Yesterday I reported the false positive to https://www.microsoft.com/en-us/wdsi/submission and am now waiting for results.
Since NetCoreDbg uses the MIT License, you could always fork the entire repo and modify it to include things such as a signed certificate. I know it might seem like a massive workaround, but if it's the only thing holding you back from releasing an app that needs the debugger packaged with it, then at least it's something you could take control over on your end. From there, you could sync your forked repo with the updates from the main NetCoreDbg repo and push the updates to your app as you see fit. Of course you would have to change the name and include a disclaimer that it is a third-party version of the original NetCoreDbg, but that's normal.
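The two remedies discussed in this thread, the per-binary Defender exclusion suggested by the maintainer and the Authenticode signing suggested by the reporter, as an added PowerShell example. This is not code from the netcoredbg project or from any participant in the issue; it assumes an install path of `C:\tools\netcoredbg\netcoredbg.exe`, a code-signing certificate already present in the current user's store (identified by a placeholder thumbprint), and an elevated session, all of which are assumptions for illustration.

```powershell
# Added example for this issue thread (not from the netcoredbg project):
# 1) list Defender detection history entries that mention netcoredbg.exe,
# 2) show the binary's current Authenticode state, 3) add a per-file
# exclusion as the maintainer suggests, 4) optionally sign the binary with
# a code-signing certificate you control, as the reporter suggests.
# Install path and certificate thumbprint are placeholders. Run elevated.

$NetCoreDbg     = 'C:\tools\netcoredbg\netcoredbg.exe'      # assumed path
$CertThumbprint = 'REPLACE_WITH_YOUR_CERT_THUMBPRINT'      # placeholder

# 1) Map ThreatID -> ThreatName, then print detections that reference the binary.
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ';') -match [regex]::Escape('netcoredbg.exe') } |
    ForEach-Object {
        '{0}  {1}  {2}' -f $_.InitialDetectionTime,
                           $threatNames[$_.ThreatID],
                           ($_.Resources -join ';')
    }

# If Defender already quarantined the file there is nothing left to exclude or sign.
if (-not (Test-Path -LiteralPath $NetCoreDbg)) {
    Write-Warning "$NetCoreDbg is missing (quarantined or not installed); restore it first."
    return
}

# 2) Authenticode state. A self-built netcoredbg.exe will normally report NotSigned.
$sig = Get-AuthenticodeSignature -FilePath $NetCoreDbg
'Signature status: {0}  Signer: {1}' -f $sig.Status, $sig.SignerCertificate.Subject

# 3) Per-file exclusion. Excluding the single executable is narrower than
#    excluding the whole folder, so a dropped payload next to it is still scanned.
Add-MpPreference -ExclusionPath $NetCoreDbg
$excluded = (Get-MpPreference).ExclusionPath -contains $NetCoreDbg
"Exclusion present for ${NetCoreDbg}: $excluded"

# 4) Sign with a code-signing certificate from the current user's store.
#    -CodeSigningCert filters to certificates with the Code Signing EKU and a
#    private key; the timestamp server URL is an example, use your CA's.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Thumbprint -eq $CertThumbprint }

if ($null -eq $cert) {
    Write-Warning "No code-signing certificate with thumbprint $CertThumbprint; skipping signing."
} else {
    $result = Set-AuthenticodeSignature -FilePath $NetCoreDbg -Certificate $cert `
        -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
    'Signing result: {0}' -f $result.Status    # Valid on success
}
```

The exclusion only takes effect on the machine where it is added, which is the distribution problem the reporter describes; signing travels with the binary, but as the maintainer notes it is not guaranteed to suppress a behavioral detection such as Behavior:Win32/DefenseEvasion.A!ml.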