scan2html flagged as malware by several EDR
I can't use this plugin; the EDR automatically deletes the exe file and reports it as malware.
Hi @LPailles ,
Thanks for your interest. Which platform are you running this on (Windows or Linux)? This plugin is developed in GoLang, and when we release it, it generates an executable file (see the screenshot). I would like to know if building the plugin from source code will help.
Regards, Fatih
I'm using Windows. I'm downloading the zip file directly from GitHub: https://github.com/fatihtokus/scan2html/releases/download/v0.3.25/scan2html_0.3.25_windows-amd64.zip
What EDR are you using? And does it complain about any exe file or just scan2html? And does it give any reason (vulnerability, etc.) for that?
Defender complains only with scan2html.exe. It blocks its execution and deletes the file. VirusTotal reports 2 alerts from McAfee Scanner [Ti!1934FE42C94F] and Skyhigh (SWG) [BehavesLike.Win64.PromptLock.th]
The behavior analysis reports that it opens, or tries to open:
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.bat
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.cmd
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.com
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.exe
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.js
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.jse
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.msc
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.vbe
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.vbs
C:\Program Files (x86)\Common Files\Oracle\Java\java8path\trivy.wsf
https://www.virustotal.com/gui/file/1934fe42c94f4e4471eb538784048c6787692400d477b9441b5af65b0f5a1b67/detection