Crowdstrike antivirus flags ScreenToGif.dll as virus
richardsjogren opened this issue · comments
Crowdstrike antivirus flags ScreenToGif as virus
(Sorry, not sure if it´s ok to report this as a "bug")
Steps to reproduce the behavior:
- Try to install ScreedToGif on computer with Crowdstrike
https://www.virustotal.com/gui/file/95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad
+1
+1
I've had a few user experiencing this. Here are the details of the detection.
DETECT TIME
Dec. 17, 2023 12:48:24
HOSTNAME
computername
HOST TYPE
Workstation
USER NAME
place\user
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
GROUPING TAGS
None
LOCAL PROCESS ID
26000
COMMAND LINE
"C:\Program Files\ScreenToGif\ScreenToGif.exe"
FILE PATH
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
EXECUTABLE SHA256
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None
EXECUTABLE MD5
ce227688fe0d35e6b5381666dc1cd7db
RUN PERIOD
START TIME
Dec. 17, 2023 12:47:14
END TIME
Dec. 17, 2023 12:47:15
DURATION
Terminated
Just had a trigger with the new version
Steps to reproduce detection:
- Download ScreenToGif Portable from link at screentogif.com
- Extract ScreenToGif.exe
- Run ScreenToGif.exe
Metadata from Crowdstrike Detection
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Unique
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe
VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection
HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
What we did
We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to *\ScreenToGif.exe
I sent a message to the company, let's see if they give me a reply.
Same thing here. Antivirus McAfee.
I sent a message to the company, let's see if they give me a reply.
We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.
Tip: When you install through the Microsoft Store it actually works just fine... 😕 No idea what that says about CrowdStrike, but at least a workaround for those who want to use ScreenToGif 👍.
Well just as long as your company does not block MS store, too 😕.
@NickeManarin - I hope we are able to resolve this. I am impacted too.
I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?
Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.
I got this details from some other company, they got these results:
YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_) YARA
signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)
and
"ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShe l\v1.0\powershe l.exe" (Handle: 1728)
YARA Bolonyokte is a really generic rule-set as for example, it matches apps with "CaptureScreen" and "CaptureCursor" which of course this app would have. 🙄
mid December that triggered the alerts?
I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.
This should no longer be a problem, as the company removed the false-positive.
@NickeManarin Nope its still flagging for me here as of May 5
Hash
aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c