
Windows Defender false-positive against `Termination-Checker.vbs`

Open putty182 opened this issue 7 years ago • 3 comments

Bumped into this after booting up my rig today; Trojan:Script/Cloxer.A!cl

Clearly a false positive, logging it as a GH issue in case anyone else sees it and panics.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items: 
containerfile:C:\cloudRIG\Termination-Checker.vbs
file:C:\cloudRIG\Termination-Checker.vbs->(UTF-16LE)
file:C:\Windows\System32\Tasks\CloudRIGTerminationChecker
process:pid:6924,ProcessStart:131813976001945618
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D0A5740-1631-48F7-BA56-8870BBAFA866}
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CloudRIGTerminationChecker
taskscheduler:C:\Windows\System32\Tasks\CloudRIGTerminationChecker

Get more information about this item online.


putty182 avatar Sep 14 '18 11:09 putty182

Great pick up - thanks :)

Any ideas how to get around it?

williamparry avatar Sep 14 '18 12:09 williamparry

This looks promising: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus

williamparry avatar Sep 14 '18 12:09 williamparry
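For the linked doc: an extension-wide exclusion stops Defender scanning every `.vbs` on the machine, which is far broader than this one false positive needs. Added example (not from the cloudRIG project or anyone in this thread) showing the broad setting beside a path-scoped one, assuming the file path from the Defender report above and an elevated PowerShell session:

```powershell
# Added example; not cloudRIG project code. Assumes an elevated session and the
# path Defender reported above.
$script = 'C:\cloudRIG\Termination-Checker.vbs'

# Weak option (what the linked doc's extension exclusion does): any .vbs anywhere
# on the host is no longer scanned. Shown for comparison only, not run here.
# Add-MpPreference -ExclusionExtension 'vbs'

# Narrower option: exclude only the flagged file.
# Record its hash first so the exclusion can be revisited if the file changes.
$hash = (Get-FileHash -Path $script -Algorithm SHA256).Hash
Write-Host "Excluding $script (SHA256 $hash)"
Add-MpPreference -ExclusionPath $script

# Verify: the path is listed, and no extension-wide exclusion is present.
$pref = Get-MpPreference
if ($pref.ExclusionPath -contains $script) { Write-Host 'Path exclusion set' }
if ($pref.ExclusionExtension) {
    Write-Warning ("Extension exclusions present: " + ($pref.ExclusionExtension -join ', '))
}
```

The exclusion only affects future scans; a copy already quarantined still has to be restored from the Windows Security history.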

You could always use my False Positive Reporter tool to request whitelisting from AV Vendors. https://github.com/BetaLeaf/False-Positive-Reporter

AetherCollective avatar Sep 14 '18 16:09 AetherCollective