
ScriptKit Detected as a Virus

Open brummelte opened this issue 1 year ago • 5 comments

ScriptKit is currently being flagged as a virus by some antivirus programs. This issue wasn't present in January but seems to have surfaced recently. It is likely a false positive, but it should be addressed to avoid unnecessary alarms. According to the behavior analysis (Tab Behavior) under the "Crowdsourced Sigma Rules" section in VirusTotal, two specific detections seem to be the cause:

  1. Recon Command Output Piped to Findstr.EXE:
    This detects the execution of a potential recon command where the results are piped to findstr. The specific command in question seems to involve querying Kit.exe, which is flagged as suspicious.

    CommandLine example:
    cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Kit.exe" | %SYSTEMROOT%\System32\find.exe Kit.exe

  2. Hidden Executable In NTFS Alternate Data Stream:
    This detection identifies a hidden executable inside an NTFS Alternate Data Stream (ADS). The file associated with this detection is kit-updater\installer.exe.

    TargetFilename:
    C:\Users\george\AppData\Local\kit-updater\installer.exe

Steps to Reproduce:

  1. Download https://github.com/script-kit/app/releases/download/v2.3.0/Kit-Windows-2.3.0-x64.exe
  2. Upload the file to VirusTotal.
  3. Observe the detection as a virus.

Expected Behavior:
ScriptKit should not be flagged as malicious by antivirus software.

Actual Behavior:
Antivirus programs are detecting ScriptKit as a virus, probably based on the "Crowdsourced Sigma Rules" behavior tab on VirusTotal, if I understand it correctly.

Evidence:
You can view the VirusTotal detection here:
https://www.virustotal.com/gui/file/e5d8ededbb99f93daf0861d2fbb8cf6dbe8155d4f37810edddd06e3e25981d22/detection

Environment:

  • ScriptKit version: 2.3.0

brummelte, Sep 13 '24 15:09
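The two Sigma rules named in the issue are easier to reason about with the matching logic in front of you. The following is an added example written for this page, not code from ScriptKit or from the SigmaHQ rule files: it re-implements simplified versions of "Recon Command Output Piped to Findstr.EXE" and "Hidden Executable In NTFS Alternate Data Stream" and runs them over constructed process-creation and file-creation events. The recon-command list, the filter-tool pattern and the stream-extension list are my approximations of the real rules, and the event records are made up; only the first command line is the one quoted in the issue.

```python
"""Simplified re-implementation of the two crowdsourced Sigma rules cited in
the ScriptKit VirusTotal report (added example; the conditions below are
approximations of the SigmaHQ rules, not the rules themselves)."""
import re

# Constructed process-creation events (not real telemetry). The first
# CommandLine is the one quoted in the issue; the other two are controls.
PROC_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Kit.exe" | %SYSTEMROOT%\System32\find.exe Kit.exe'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c tasklist /FI "IMAGENAME eq Kit.exe"'},      # recon, but no pipe
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c dir C:\temp | findstr .log'},                # pipe, but not recon
]

# Constructed file-creation events. An NTFS alternate data stream is
# addressed as <file>:<stream>, so a second ':' after the drive letter is
# what distinguishes the second record from an ordinary file path.
FILE_EVENTS = [
    {"TargetFilename": r"C:\Users\george\AppData\Local\kit-updater\installer.exe"},  # plain path
    {"TargetFilename": r"C:\Users\george\Downloads\notes.txt:installer.exe"},       # exe hidden in ADS
    {"TargetFilename": r"C:\Users\george\Downloads\setup.exe:Zone.Identifier"},     # Mark-of-the-Web, benign
]

# Assumed recon command list (approximation of the Sigma rule's list).
RECON_COMMANDS = ("tasklist", "net view", "net user", "whoami", "ipconfig",
                  "systeminfo", "qprocess", "arp ", "route print")
# Assumed stream extensions treated as executable content.
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js")


def recon_piped_to_find(event):
    """True when a recon command's output is piped into find/findstr.

    The rule keys on the *combination*: enumeration command on the left of
    the pipe, find or findstr on the right. A benign self-check such as
    `tasklist ... | find.exe Kit.exe` satisfies both halves, which is why it
    trips the rule.
    """
    cl = event.get("CommandLine", "").lower()
    if "|" not in cl:
        return False
    left, _, right = cl.partition("|")
    recon = any(cmd in left for cmd in RECON_COMMANDS)
    filtered = re.search(r"\bfind(str)?(\.exe)?\b", right) is not None
    return recon and filtered


def hidden_executable_in_ads(event):
    """True when a file is written into an alternate data stream whose stream
    name carries an executable extension.

    The drive prefix ("C:") is stripped first so it is not mistaken for the
    stream separator. The Zone.Identifier stream (Mark-of-the-Web) is
    excluded because every downloaded file gets one.
    """
    name = event.get("TargetFilename", "")
    body = name[2:] if re.match(r"^[A-Za-z]:", name) else name
    if ":" not in body:
        return False
    stream = body.rsplit(":", 1)[1].lower()
    if stream == "zone.identifier":
        return False
    return stream.endswith(EXEC_EXTENSIONS)


def run(events, rule):
    """Return the subset of events the rule matches."""
    return [e for e in events if rule(e)]


if __name__ == "__main__":
    for e in run(PROC_EVENTS, recon_piped_to_find):
        print("recon_piped_to_find:", e["CommandLine"])
    for e in run(FILE_EVENTS, hidden_executable_in_ads):
        print("hidden_executable_in_ads:", e["TargetFilename"])
```

Two things worth noting when reading the output against the issue. The recon rule fires on the quoted command line purely because an enumeration command is piped into find; the fact that it enumerates the product's own process (Kit.exe) is invisible to the rule. For the ADS rule, the TargetFilename as quoted in the issue has no stream suffix and therefore does not match this simplified version; whether the report recorded a stream name that was lost when the path was copied is something to check in the VirusTotal behaviour tab rather than assume either way.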

@brummelte Is this still the case with the v3 beta? No one else has reported anything...

https://github.com/script-kit/app/releases/tag/v3.1.1

johnlindquist, Sep 27 '24 16:09

  • Kit-Windows-3.1.1-x64.exe

    • Community score: 3/57 (Bkav Pro: W32.AIDetectMalware, Ikarus: Trojan.MeterpreterSC, Google: Detected)
    • VirusTotal Report
  • Script-Kit-Windows-3.11.15-x64.exe

    • Community score: 3/57 (Bkav Pro: W32.AIDetectMalware, Ikarus: Trojan.MeterpreterSC, Google: Detected)
    • VirusTotal Report

Overall, these still appear to be false positives from a handful of antivirus engines, and most people probably don’t report it because they recognize them as such.

brummelte, Jan 02 '25 21:01

@brummelte I'm not sure what to say. I've tried it on multiple Windows machines without issues and no one else has reported it.

The app intentionally watches the clipboard, the keyboard, power states, and automates all sorts of things that will probably trigger virus warnings and those virus reports give me no actionable info. Maybe you see something in the reports that I can fix/resolve?

johnlindquist, Jan 02 '25 21:01

@johnlindquist I'm running it without any issues as well, and just wanted to share the VirusTotal results.

Will look more into it at some other time, but currently can't see anything actionable either.

The CAPE Sandbox report says the following things are problematic, but I'm not sure if that helps in any way. I can't link it directly, it seems to expire. You can go to Behavior and click on "Activity Summary" -> "Full Reports" -> "CAPE Sandbox".

Signatures

Warning

  • Anomalous file deletion behavior detected (10+)
  • Resumed a thread in another process
  • Enumerates running processes
  • Expresses interest in specific running processes
  • Reads data out of its own binary image
  • Performs some HTTP requests
  • Creates RWX memory
  • Uses Windows utilities to enumerate running processes
  • Uses Windows utilities for basic functionality

Danger

  • Exhibits possible ransomware or wiper file modification behavior: overwrites_existing_files
  • Creates a hidden or system file
  • Yara detections observed in process dumps, payloads or dropped files
  • Appears to use command line obfuscation
  • Uses suspicious command line tools or Windows utilities

brummelte, Jan 02 '25 21:01

Thanks, yeah, I wish they included more detail or it would allow me to justify what it's doing. The whole point of the app is to allow the user to "take control of your computer", but through their scripts. I can see why it would be worrisome from their perspective.

johnlindquist, Jan 02 '25 21:01