tcosolutions/betterscan

Is analyzers\yara\WShell_THOR_Webshells.yar an active exploit?

carlin-q-scott opened this issue · 3 comments

Windows Defender automatically removes this file after I clone the repo, stating that it's a high risk backdoor exploit. I did not expect files in this repo to have active exploits in them. I was expecting heuristics for finding exploitable code.

The file is: analyzers\yara\WShell_THOR_Webshells.yar

@carlin-q-scott Thanks for your message. Interesting.

I completely rely here on Yara rules, which are text/binary sequences to match.

It seems like Windows Defender has a rule to match which matches the match rule :)

Those are not active exploits, just text/binary rules.

It would be helpful to know if any others also match the Windows Defender alerts.

BTW, when the rule file is removed, it should not affect the package; it will just not scan for that specific rule.
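To answer the question of whether any other rule files in the clone trip Windows Defender, the following PowerShell script (an added example, not part of betterscan) lists Defender detections whose flagged file lives under the repository path; `$RepoPath` and the `file:_` resource prefix format are assumptions, not values from this thread.

```powershell
# Added example: enumerate Windows Defender detections under a cloned repo,
# so rule files flagged by a signature match (like WShell_THOR_Webshells.yar)
# can be identified rather than silently quarantined.
# Run in an elevated PowerShell on the machine that cloned the repo.
param(
    # Assumption: where the repository was cloned.
    [string]$RepoPath = 'C:\src\betterscan'
)

# Map ThreatID -> human-readable threat name (Get-MpThreat ships with Defender).
$threatNames = @{}
Get-MpThreat | ForEach-Object { $threatNames[$_.ThreatID] = $_.ThreatName }

$hits = Get-MpThreatDetection | ForEach-Object {
    $det = $_
    # Assumption: file resources are reported as 'file:_<full path>'.
    $det.Resources |
        Where-Object { $_ -like 'file:_*' } |
        ForEach-Object { $_.Substring(6) } |
        Where-Object { $_.StartsWith($RepoPath, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_
                ThreatName = $threatNames[$det.ThreatID]
                Detected   = $det.InitialDetectionTime
            }
        }
}

if (-not $hits) {
    "No Windows Defender detections found under $RepoPath"
    return
}

# One row per flagged file; several detections of the same file are collapsed.
$hits | Sort-Object File -Unique | Format-Table -AutoSize

# If every hit is a YARA rule file you trust, an exclusion for the rules
# directory keeps Defender from removing them again (uncomment to apply):
# Add-MpPreference -ExclusionPath (Join-Path $RepoPath 'analyzers\yara')
```

The exclusion is scoped to the rules directory only, so the rest of the clone stays under normal Defender scanning.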

Fortunately, it is the only file that gets flagged by WD. Thank you for assuring me that it's a rule file.

This isn't the first time that I've had WD flag a security scanner. However, in the past it has only flagged DAST tooling for me. Those obviously have active exploits in them because that's their method of detecting vulnerabilities.

@carlin-q-scott Removed it so as not to cause alerts from Windows Defender. I can imagine some people could be surprised by this.