Comments (7)

undergroundwires commented on June 9, 2024
1. Write file.
2. Check if exists afterwards

Above fails to find Defender intervention.

1. Write file.
2. Read it back

It finds Defender intervention exactly as you suggested. Here's the full code that does these checks, including an integrity check as tamper protection: if the script file is tampered with, it refuses to run. It now shows an antivirus error only if the file cannot be read back, otherwise a generic error. I also added information on the web UI when the user downloads the file.

Thank you @selivan for these great tips ❤️ Not only this one, but also including the directory path and showing a way forward, i.e. showing a button for temporary AV exclusions.

Following your feedback, I will add the persistent script directory path to the error message, then release a new patch. Before, privacy.sexy was saving scripts in a temporary directory, but I changed it to the persistent %APPDATA%\privacy.sexy\runs, documented here.

from privacy.sexy.

undergroundwires commented on June 9, 2024

Good news 🎉. Microsoft has removed the aggressive signatures; the Standard collection no longer triggers antivirus alerts after the Defender signature update. Thank you for the cooperation, Defender team ❤️!

Closing this due to:

  • The web application now shows instructions on how to save the file even if the antivirus alerts.
  • The desktop application now shows an error if it detects antivirus intervention.
  • Microsoft has removed the aggressive signatures; Standard is no longer triggering antivirus alerts.

A follow-up issue would be to automate disabling antivirus.


selivan commented on June 9, 2024

Happy to contribute ) Thanks for doing the job on protecting people's privacy.

Option 1 looks safer to me. Permanent exclusion of some directory creates security risks.

It's even safer to offer to remove the exclusion immediately when the user tries to close the program.

Would be nice to have some indicator, like a label in the status bar: ⚠️ Windows Defender exclusion for scripts is active.

And don't forget to give the user instructions on what directory to exclude from monitoring, if it is not Defender but some other AV software.


SnowzNZ commented on June 9, 2024

Pretty sure any script that attempts to modify Defender or any Windows security stuff gets flagged.


undergroundwires commented on June 9, 2024

That would be acceptable, but it even alerts on the "Standard" selection, which does not configure anything that Microsoft considers a security component at all. I probably need to separate script files for every script and run a test to see exactly which signatures/scripts it is alerting on, and change the code for those. It's however not a long-term viable solution, as these signatures get more and more aggressive over time, and this way can still be categorized as some kind of obfuscation to avoid signature detection.


selivan commented on June 9, 2024

I think option 2 makes the most sense.

Obfuscation of scripts looks really suspicious. In-memory execution does not help the web version and may be blocked by antivirus software in the future.

Here is how option 2 may look on desktop:

  • try writing the script
  • try reading it back
  • if we cannot read what we wrote, notify the user that AV software is probably blocking the scripts, and how they can disable that

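The write-then-read-back check proposed above, together with the hash-based tamper check and the "blame the antivirus only when the read-back fails" rule described later in the thread, as an added example in TypeScript for Node.js. This is not privacy.sexy's own code; the type and function names (`ScriptCheck`, `writeAndVerifyScript`, `verifyScript`, `userMessage`, `runDemo`) are this example's own, the sample script content is constructed, and the demo simulates tampering and quarantine with ordinary file operations since it cannot assume a real AV is present. The thread notes that a bare existence check after writing missed Defender's intervention while a read-back caught it, so the result records the existence check but the decision is made on the read-back. The `Add-MpPreference -ExclusionPath` cmdlet mentioned in the message is Microsoft Defender's documented PowerShell command; which exact error a quarantined file produces on read is not assumed, only that the read fails.

```typescript
import { createHash } from 'node:crypto';
import {
  appendFileSync, existsSync, mkdtempSync, readFileSync, rmSync, unlinkSync, writeFileSync,
} from 'node:fs';
import { tmpdir } from 'node:os';
import { dirname, join } from 'node:path';

// Outcome of the write-then-read-back check (names are this example's own).
type ScriptCheck =
  | { status: 'ok'; path: string; sha256: string }
  | { status: 'write-failed'; path: string; error: string }
  | { status: 'unreadable'; path: string; existsAfterWrite: boolean; error: string }
  | { status: 'tampered'; path: string; expected: string; actual: string };

function sha256(data: Buffer | string): string {
  return createHash('sha256').update(data).digest('hex');
}

// Step 1: write the script and remember the hash of what we intended to write.
function writeAndVerifyScript(dir: string, fileName: string, content: string): ScriptCheck {
  const path = join(dir, fileName);
  try {
    writeFileSync(path, content, 'utf8');
  } catch (e) {
    return { status: 'write-failed', path, error: String(e) };
  }
  return verifyScript(path, sha256(content));
}

// Step 2: read the file back and compare against the expected hash. The
// existence check is only recorded: it can pass while a read-back fails,
// so the decision is made on whether we can read what we wrote.
function verifyScript(path: string, expectedSha256: string): ScriptCheck {
  const existsAfterWrite = existsSync(path);
  let bytes: Buffer;
  try {
    bytes = readFileSync(path);
  } catch (e) {
    return { status: 'unreadable', path, existsAfterWrite, error: String(e) };
  }
  const actual = sha256(bytes);
  if (actual !== expectedSha256) {
    return { status: 'tampered', path, expected: expectedSha256, actual };
  }
  return { status: 'ok', path, sha256: actual };
}

// Step 3: the message shown to the user. Only the "cannot read back" case is
// attributed to antivirus software; the other failures get a generic message.
function userMessage(result: ScriptCheck): string {
  switch (result.status) {
    case 'ok':
      return `Script saved at ${result.path}`;
    case 'unreadable':
      return (
        `Script was written but cannot be read back (${result.error}). ` +
        `Antivirus software is probably blocking it. For Microsoft Defender a temporary ` +
        `exclusion can be added with: Add-MpPreference -ExclusionPath "${dirname(result.path)}"`
      );
    case 'tampered':
      return `Script at ${result.path} was modified after it was written; refusing to run it.`;
    case 'write-failed':
      return `Could not save script to ${result.path}: ${result.error}`;
    default:
      return 'Unexpected result';
  }
}

// Stand-alone demo on a constructed script: the healthy path, then tampering
// (simulated by appending a line), then quarantine (simulated by deleting the
// file, which is what a removed/quarantined file looks like to the reader).
function runDemo(): Array<ScriptCheck['status']> {
  const dir = mkdtempSync(join(tmpdir(), 'script-check-'));
  const script = '@echo off\r\necho constructed sample script\r\n'; // constructed input
  const expected = sha256(script);
  const first = writeAndVerifyScript(dir, 'run.bat', script);
  appendFileSync(first.path, 'echo injected\r\n');
  const second = verifyScript(first.path, expected);
  unlinkSync(first.path);
  const third = verifyScript(first.path, expected);
  const statuses = [first, second, third].map((r) => r.status);
  rmSync(dir, { recursive: true, force: true });
  return statuses;
}

console.log(runDemo().join(', '));
```

Running the file prints `ok, tampered, unreadable`. In an app, `userMessage` would be wired to the error dialog; the directory in the message is what the user needs whether the product is Defender or another AV, which is the point raised later about giving the exact path to exclude.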

undergroundwires commented on June 9, 2024

Thank you for the feedback @selivan. Then let's make this our first step.

Creating an exception automatically for the file is good for a seamless user experience, but as you say this may be considered intrusive/suspicious by users, or even lead to the privacy.sexy app being detected as a virus in the end.

So we go for prompting users. Script cannot be executed => inform the user.

How about also giving the user options to make it easy to take the next step:

  1. Add a temporary exclusion for privacy.sexy scripts (1 hour) (recommended action)
  2. Add a permanent exclusion for privacy.sexy scripts
  3. Temporarily disable Defender real-time protection (for one hour)

In the UI we can also describe that this creates security risks.
On clicking a button, privacy.sexy would ask for admin rights and do the job automatically.

In that case, which option is the most viable one to provide as part of the flow: 1), 2) or 3)? Or is there any other option that could be better that I'm missing?
