Potential threat in Windows Release Archive?

Open JoernMueller opened this issue 5 months ago • 3 comments

lnav version v0.13.1

Describe the bug

Just wanting to raise awareness that Windows Defender recognizes the archive's content of lnav-0.13.1-windows-x86_64.zip as Script/Wacapew.A!ml. As I wouldn't expect this project is trying to spread malware, you might want to check if there is some sort of scripting or techniques included that could make it look potentially suspicious to the AV heuristics.

To Reproduce

  • Download the archive on a Win11 x64 system where MS Defender is running.
  • Try to open/unpack the archive.
  • Observe Defender intercepting this operation.

I did not check any other releases than 0.13.1.

JoernMueller avatar Sep 10 '25 08:09 JoernMueller
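A small triage script for this kind of report, added here as an example (it is not the lnav project's code or the reporter's): it records the SHA-256 of the downloaded archive so the value can be compared with the release assets and looked up on VirusTotal, and pulls Defender's own record of what it flagged (threat name, resource, time). It assumes the archive path given in the param block and that the built-in Defender cmdlets are available from an elevated PowerShell.

```powershell
# Added triage example, not from the lnav project or the issue author.
# Assumes: the archive path below (adjust as needed), an elevated prompt, and the
# built-in Defender module providing Get-MpThreatDetection / Get-MpThreat.
param(
    [string]$Archive = "$env:USERPROFILE\Downloads\lnav-0.13.1-windows-x86_64.zip"
)

# 1. Record the SHA-256 of exactly the file Defender flagged, so it can be
#    compared with the published release asset and looked up on VirusTotal.
if (Test-Path -LiteralPath $Archive) {
    $hash = (Get-FileHash -LiteralPath $Archive -Algorithm SHA256).Hash
    Write-Output "SHA256 $hash  $Archive"
} else {
    Write-Output "Archive not present (Defender may already have quarantined it): $Archive"
}

# 2. Pull Defender's own detection record for this file. ThreatID is mapped to a
#    readable name via Get-MpThreat; Resources typically lists the flagged path,
#    which for archives may point at a member inside the zip rather than the zip.
$leaf  = Split-Path -Leaf $Archive
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

Get-MpThreatDetection |
    Where-Object { ($_.Resources -join ' ') -like "*$leaf*" } |
    ForEach-Object {
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $names[$_.ThreatID]
            Resources  = ($_.Resources -join '; ')
            Process    = $_.ProcessName
        }
    } | Format-List
```

If the second part prints nothing, Defender has no detection on record for that file name, which is the quickest way to separate a real heuristic hit from a one-off cloud (`!ml`) verdict.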

No detection here, VirusTotal 0/98.

FaffeF avatar Sep 10 '25 18:09 FaffeF

@FaffeF Many thanks for your investigation. I would indeed have been quite astonished if this had been a true positive.

MS defines Wacapew.C!ml (not A) as scripts "modifying system files, connecting to remote servers, downloading additional components, or self-renaming", basically things many installers (including some of MS itself) are usually doing.

JoernMueller avatar Sep 11 '25 11:09 JoernMueller

Not in any way sure that it's what Defender is picking up, but lnav does have some of that functionality, like SSH connections and loading extra formats from git repos.

One man's tool, another man's "potentially unwanted application".

FaffeF avatar Sep 11 '25 18:09 FaffeF