Crowdstrike antivirus flags ScreenToGif as virus
(Sorry, not sure if it´s ok to report this as a "bug")

Steps to reproduce the behavior:

1. Try to install ScreedToGif on computer with Crowdstrike

https://www.virustotal.com/gui/file/95542221c818831363148465643614273f819c08065a0870dade8ddba6edb1ad

+1

+1

I've had a few user experiencing this. Here are the details of the detection.

DETECT TIME
Dec. 17, 2023 12:48:24
HOSTNAME
computername
HOST TYPE
Workstation
USER NAME
place\user
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None

Associated File
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
GROUPING TAGS
None
LOCAL PROCESS ID
26000
COMMAND LINE
"C:\Program Files\ScreenToGif\ScreenToGif.exe"
FILE PATH
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
EXECUTABLE SHA256
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None

EXECUTABLE MD5
ce227688fe0d35e6b5381666dc1cd7db
RUN PERIOD
START TIME
Dec. 17, 2023 12:47:14
END TIME
Dec. 17, 2023 12:47:15
DURATION
Terminated

Just had a trigger with the new version

Steps to reproduce detection:

• Download ScreenToGif Portable from link at screentogif.com
  • https://github.com/NickeManarin/ScreenToGif/releases/download/2.40.1/ScreenToGif.2.40.1.Portable.x64.zip
• Extract ScreenToGif.exe
• Run ScreenToGif.exe

Metadata from Crowdstrike Detection

ACTIONS TAKEN
Process blocked
File quarantined

SEVERITY
Low

OBJECTIVE
Falcon Detection Method

TACTIC & TECHNIQUE
Malware via PUP

TECHNIQUE ID
CST0013

SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.

TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6

GLOBAL PREVALENCE
Common

LOCAL PREVALENCE
Unique

IOC MANAGEMENT ACTION
None

Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe

VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection

HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6

What we did

We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to *\ScreenToGif.exe

I sent a message to the company, let's see if they give me a reply.

Same thing here. Antivirus McAfee.

I sent a message to the company, let's see if they give me a reply.

We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.

Tip: When you install through the Microsoft Store it actually works just fine... 😕 No idea what that says about CrowdStrike, but at least a workaround for those who want to use ScreenToGif 👍.

Well just as long as your company does not block MS store, too 😕.

@NickeManarin - I hope we are able to resolve this. I am impacted too.

I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?

Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.

I got this details from some other company, they got these results:

YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_) YARA
 signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)

and

 "ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShe l\v1.0\powershe l.exe" (Handle: 1728)

YARA Bolonyokte is a really generic rule-set as for example, it matches apps with "CaptureScreen" and "CaptureCursor" which of course this app would have. 🙄

mid December that triggered the alerts?

I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.

This should no longer be a problem, as the company removed the false-positive.

@NickeManarin Nope its still flagging for me here as of May 5
Hash
aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c