Latest release flagged in VirusTotal
curtisk opened this issue · 2 comments
Hey @curtisk
This is likely due to the event logs in the "evtx_attack_samples" directory. These are event logs (cloned from https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES) that contain examples of real attacks, and the AV's that are triggering above are likely just looking for simple string matches for 'known bad' strings. E.g. if you search the event logs for the string "mimikatz" you're going to find matches.
If I upload the chainsaw.exe seperately to VirusTotal (https://www.virustotal.com/gui/file/90a88e340271274b9bff5502c34e4669cd450fd6286625e827fb66019a9f1b6b) you can see that it's only detected by one AV engine (cynet). I can only assume they're doing some kind of hueristics which is falsely triggering on chainsaw in this case.
I don't think this is an issue that I can do anything about. As such I'm going to close this issue.
Thanks,
James
@fscc-jamesd Thanks for the follow up, I do see those samples are triggering the majority of it and it makes sense