[Bug]: Defender falsely marks scripts including text "privacy.sexy" as malicious #421
Labels
Comments
undergroundwires
added
bug
Repository owner
deleted a comment from
yiweifengyan
Aug 27, 2024
undergroundwires
added a commit
that referenced
this issue
Aug 28, 2024
Refactor Windows scripts to run as TrustedInstaller using PowerShell instead of batch files. This improves code reuse and enables more complex logic for system modifications. Key changes: - Add function to run any PowerShell script as TrustedInstaller - Refactor existing functions to use new TrustedInstaller capability - Enable soft deletion of protected registry keys and files (#412). - Resolve issues with renaming Defender files (#128). Other supporting changes: - Enhance service disabling to handle dependent services - Use base64 encoding of 'privacy.sexy' to avoid Defender alerts (#421). - Add comments to generated code for better documentation
undergroundwires
added a commit
that referenced
this issue
Aug 28, 2024
Refactor Windows scripts to run as TrustedInstaller using PowerShell instead of batch files. This improves code reuse and enables more complex logic for system modifications. Key changes: - Add function to run any PowerShell script as TrustedInstaller - Refactor existing functions to use new TrustedInstaller capability - Enable soft deletion of protected registry keys and files (#412). - Resolve issues with renaming Defender files (#128). Other supporting changes: - Enhance service disabling to handle dependent services - Use base64 encoding of 'privacy.sexy' to avoid Defender alerts (#421). - Add comments to generated code for better documentation
|
Try checking this |
|
I tried to simplify the code and got no false positives. $commandToExecute = 'echo Hello world'
$trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464')
$trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount])
$tempBatchFile = New-TemporaryFile
$tempOutputFile = New-TemporaryFile
try {
$tempBatchFile = Rename-Item $tempBatchFile -NewName "$($tempBatchFile.BaseName).bat" -PassThru
"@echo off
$commandToExecute
exit 0" | Out-File $tempBatchFile -Encoding ASCII
$taskName = 'privacy.sexy'
schtasks.exe /delete /tn "$taskName" /f 2>&1 | Out-Null
$taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "cmd /c ""$tempBatchFile"" > $tempOutputFile 2>&1"
$taskSettings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $taskSettings -Force -ErrorAction Stop | Out-Null
try {
$scheduleService = New-Object -ComObject Schedule.Service
$scheduleService.Connect()
$scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null
$timeOutLimit = (Get-Date).AddMinutes(5)
Write-Host "Running as $trustedInstallerName"
while ((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) {
Start-Sleep -Milliseconds 200
if ((Get-Date) -gt $timeOutLimit) {
Write-Warning "Skipping results, it took too long to execute the script."
break
}
}
$taskResult = (Get-ScheduledTaskInfo $taskName).LastTaskResult
if ($taskResult -ne 0) {
Write-Error "Failed to execute with exit code: $taskResult"
}
} finally {
schtasks.exe /delete /tn "$taskName" /f
}
Get-Content $tempOutputFile
} finally {
Remove-Item $tempOutputFile, $tempBatchFile
}
I think you saw this (Just Saying) |
|
Also, There’s no need to be surprised by this. AME Wizard, also known as Ameliorated Wizard, is a tool for modifying Windows. We can configure AME Wizard using Playbooks, a modular extension format that uses simple YAML instructions. Verifying your Playbook can help us establish a trusted user base.
Altering System = FP in Windows Defender Reference:Atlas OS (Another optimized Windows modification) |
undergroundwires
added a commit
that referenced
this issue
Sep 24, 2024
Previously, all logic was duplicated (such as disabling a service or setting registry value) with one TrustedInstaller (batchfile) version and one PowerShell version. This commit changes privacy.sexy scripts that runs as TrustedInstaller to be PowerShell scripts instead of batchscripts. This increases code-reuse with other existing functions and scripting more complex logic. It also introduces a new function to be able to run any PowerShell as TrustedInstaller and refactor existing functions to be reused with this function. - Instead of running batch scripts, add ability to run PowerShell as TrustedInstaller. - Introduce new shared function to allow any PowerShell optionally as TrustedInstaller. - Refactor running as PowerShell to reduce code duplication. Other supporting changes: - Improve `DisableServiceInRegistry` to incorprate waiting for dependent services to stop, add better log messages and refactor its code. - Use Base64 encoded version of `privacy.sexy` as it causes malware errors to resolve #421 - Add comments in generated code for disabling services and setting registry value to better document the code.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
and others
Description
Defender team added word "privacy.sexy" as virus signature...
I'm surprised by this.
Pasting scripts in command line gives this:
Or leads to Defender alert:
Trojan:PowerShell\MpTamperPShell.HFsevere threat.If I change the word privacy.sexy to "not sexy" it works without issues.
Script outputs "Hello world" with word
privacy.sexyin it (leads to malware alert):PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'echo Hello world'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try { $batchFile = Rename-Item $batchFile "^""$($batchFile.BaseName).bat"^"" -PassThru; "^""@echo off`r`n$command`r`nexit 0"^"" | Out-File $batchFile -Encoding ASCII; $taskName = 'privacy.sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "^""cmd /c `"^""$batchFile`"^"" > $streamOutFile 2>&1"^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host "^""Running as $trustedInstallerName"^""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) { Write-Warning "^""Skipping results, it took so long to execute script."^""; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed to execute with exit code: $result."^""; }; } finally { schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally { Remove-Item $streamOutFile, $batchFile; }"Script outputs "Hello world" with word
not sexyin it (does not lead to any alert):PowerShell -ExecutionPolicy Unrestricted -Command "$command = 'echo Hello world'; $trustedInstallerSid = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'); $trustedInstallerName = $trustedInstallerSid.Translate([System.Security.Principal.NTAccount]); $streamOutFile = New-TemporaryFile; $batchFile = New-TemporaryFile; try { $batchFile = Rename-Item $batchFile "^""$($batchFile.BaseName).bat"^"" -PassThru; "^""@echo off`r`n$command`r`nexit 0"^"" | Out-File $batchFile -Encoding ASCII; $taskName = 'not sexy invoke'; schtasks.exe /delete /tn "^""$taskName"^"" /f 2>&1 | Out-Null <# Clean if something went wrong before, suppress any output #>; $taskAction = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "^""cmd /c `"^""$batchFile`"^"" > $streamOutFile 2>&1"^""; $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries; Register-ScheduledTask -TaskName $taskName -Action $taskAction -Settings $settings -Force -ErrorAction Stop | Out-Null; try { ($scheduleService = New-Object -ComObject Schedule.Service).Connect(); $scheduleService.GetFolder('\').GetTask($taskName).RunEx($null, 0, 0, $trustedInstallerName) | Out-Null; $timeOutLimit = (Get-Date).AddMinutes(5); Write-Host "^""Running as $trustedInstallerName"^""; while((Get-ScheduledTaskInfo $taskName).LastTaskResult -eq 267009) { Start-Sleep -Milliseconds 200; if((Get-Date) -gt $timeOutLimit) { Write-Warning "^""Skipping results, it took so long to execute script."^""; break; }; }; if (($result = (Get-ScheduledTaskInfo $taskName).LastTaskResult) -ne 0) { Write-Error "^""Failed to execute with exit code: $result."^""; }; } finally { schtasks.exe /delete /tn "^""$taskName"^"" /f | Out-Null <# Outputs only errors #>; }; Get-Content $streamOutFile; } finally { Remove-Item $streamOutFile, $batchFile; }"I'm not sure how to solve this.
Should I just remove the name privacy.sexy? Why play a cat-mouse game?
I do not want to try to evade antivirus detection, but going for the name of privacy.sexy to mark something as suspicious is very poor way to handle things for a security softwa<re.
How can the bug be recreated?
Paste the scripts in the description in terminal or create bat file with it.
Operating system
Windows 11 Pro 23H2
Script file
Affecting scripts with privacy.sexy word in it.
Screenshots
Terminal error:
Defender warning:
Additional information
See #296 (comment) as official privacy.sexy response to Defender alerts.
Defender version
```txt PS C:\Users\undergroundwires> Get-MpComputerStatusAMEngineVersion : 1.1.24070.3
AMProductVersion : 4.18.2201.11
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.2201.11
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 8/27/2024 3:44:08 AM
AntispywareSignatureVersion : 1.417.340.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 8/27/2024 3:44:07 AM
AntivirusSignatureVersion : 1.417.340.0
BehaviorMonitorEnabled : True
ComputerID : 1C277694-7969-40B5-A1CD-9066EB56DE4F
ComputerState : 0
DeviceControlDefaultEnforcement : N/A
DeviceControlPoliciesLastUpdated : 8/27/2024 7:16:28 AM
DeviceControlState : N/A
FullScanAge : 4294967295
FullScanEndTime :
FullScanStartTime :
IoavProtectionEnabled : True
IsTamperProtected : True
IsVirtualMachine : True
LastFullScanSource : 0
LastQuickScanSource : 0
NISEnabled : True
NISEngineVersion : 1.1.24070.3
NISSignatureAge : 0
NISSignatureLastUpdated : 8/27/2024 3:44:07 AM
NISSignatureVersion : 1.417.340.0
OnAccessProtectionEnabled : True
QuickScanAge : 4294967295
QuickScanEndTime :
QuickScanStartTime :
RealTimeProtectionEnabled : True
RealTimeScanDirection : 0
TamperProtectionSource : Signatures
TDTMode : N/A
TDTStatus : N/A
TDTTelemetry : N/A
PSComputerName :
The text was updated successfully, but these errors were encountered: