[Bug] Scoop reported as malware by Windows #5915
Comments
|
If you're encountering this, please try to submit it to https://www.microsoft.com/en-us/wdsi/filesubmission to report it a false positive. @niheaven It seems the false positive is raised because of the patch #5901 v0.3.1 92b71c6 v0.4.0/PR5901 |
|
Wow, I'll use |
|
@niheaven I would like to add that PS C:\Users\xxxxx\scoop\apps\scoop\current> git status
On branch master
Your branch is up to date with 'origin/master'.
Changes not staged for commit:
(use "git add/rm <file>..." to update what will be committed)
(use "git restore <file>..." to discard changes in working directory)
deleted: lib/autoupdate.ps1
no changes added to commit (use "git add" and/or "git commit -a")PS C:\Users\xxxxx\scoop\apps\scoop\current> scoop checkup
No problems identified!I think that update functionality being disabled due to Windows Defender would qualify as a ... rather serious problem in my opinion. |
|
Also affects new installs; here in docker making is more difficult to exclude from virus scanner. |
ghost
mentioned this issue
|
Not only Window Defender but the CrowdStrike Falcon malware scan also detected it. |
|
The v0.4.1 release is not a malware here anymore ;) |
|
v0.4.2 still appears to be effected. Running CrowdStrike Falcon here.
|
Do you have any alerts in CS? I have the same problem (and CS) but there are no detections in the console -- so I suspect this may be something else |
|
I'm not encountering the issue on 0.5.0 anymore. Previously I had to replace autoupdate.ps1 with an empty file to not have it deleted by CrowdStrike, but also satisfy scoop, to some extent. After running git reset on the local scoop repo, I'm able to use scoop as usual without CrowdStrike removing autoupdate.ps1. |
|
This happens with CarbonBlack also with |
|
I'm not sure this one is scoop's fault, but I expect there will be other people who end up here. I'm updating fzf (to 0.56.0) via scoop and I get the Wacatac strike block it here, too:
Please try again or create a new issue by using the following link and paste your console output:
|
|
|
|
In your screenshot it's fzf ( https://github.com/ScoopInstaller/Main/blob/master/bucket/fzf.json ) that was blocked, not Scoop. |
Bug Report
Current Behavior
During
scoop updateit showsWARN Uncommitted changes detected. Update aborted.This happens becauselib/autoupdate.ps1is deleted by Windows (it is reported asTrojan:Script/Wacatac.B!m).Expected Behavior
Scoop files not reported as malware. Successful Scoop update.
System details
Windows version: 11
OS architecture: 64bit
PowerShell version: 5.1.22621.2506
Scoop Configuration
{ "last_update": "2024-04-21T21:01:15.1074983+02:00", "scoop_branch": "master", "scoop_repo": "https://github.com/ScoopInstaller/Scoop" }The text was updated successfully, but these errors were encountered: