CrowdStrike Falcon False Positives
For the past several months the CrowdStrike Falcon endpoint protection platform has been flagging builds of our WebCopy and Sitemap Creator products as malicious.
A few weeks after this originally started I contacted their support to try and get a solution. Each time, they would check the builds, state they were clean and whitelist that one build. Of course, as soon as our CI server pushed out a new build, they automatically flagged it as malicious again.
It has now been several months and their support doesn't answer
emails or provide any reason why they keep flagging the software
as malicious. As we are quite certain these are false positives
(firstly, every build is sent to VirusTotal for analysis by
multiple engines, second, each time we originally contacted them
with one of the file hashes they investigated and reported
clean) we have decided to add CrowdStrike detections
Win/malicious_confidence_80% (D)
and
Win/malicious_confidence_90% (D)
to an ignore list. Therefore,
if one of these is the only detection, the build will be made
available for download.
Of course, there are no guarantees and so you should still be cautious when downloading files from the internet.
Leave a Comment
While we appreciate comments from our users, please follow our posting guidelines. Have you tried the Cyotek Forums for support from Cyotek and the community?
Comments
Piotr Farbiszewski
#
They are doing this because they are ultimately responsible for their customer's security, and from this point of view the default stance should be 'trust no one'. Are you using third party libraries which you do not vet for security yourself, as part of your CI builds?
Richard Moss
#
Hello,
Thanks for taking the time to comment. Yes of course there should be security, but if every AV vendor blocked all the things, then that is just as big a problem. I'm used to AV vendors occasionally flagging the software as malicious - the good ones, I fill in a false positive report and thus far they've always come back clean and the issues go away. Some of the lesser ones either don't have a false positive submission or you get no response and then I have to wait, again so far these issues have naturally resolved.
CrowdStrike is the only one that flags everything as malicious and have been doing so for a year now. Maybe they operate under a different model, I don't know. All I know is it quite frustrating.
As far as 3rd party libraries go, I'm usually quite cautious with what I use. Whilst I don't vet every single line, I don't grab random packages willy nilly either. This isn't a node situation where you have literally hundreds of packages and sub packages and scant idea of what is what. As an example, WebCopy uses 4 3rd party libraries for wheels I either don't have the knowledge to reinvent (e.g. brotli compression), or the time (e.g. PDF parsing, language detection).
Regards; Richard Moss