Comments (17)
from screentogif.
I sent a message to the company, let's see if they give me a reply.
from screentogif.
Tip: When you install through the Microsoft Store it actually works just fine... No idea what that says about CrowdStrike, but at least a workaround for those who want to use ScreenToGif.
from screentogif.
Well just as long as your company does not block MS store, too.
from screentogif.
Also, I did a test with the current version against my CS client and did not get blocked. I will remove the IOC exception and see if my users are impacted.
from screentogif.
+1
from screentogif.
+1
from screentogif.
I've had a few users experiencing this. Here are the details of the detection.
DETECT TIME
Dec. 17, 2023 12:48:24
HOSTNAME
computername
HOST TYPE
Workstation
USER NAME
place\user
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
GROUPING TAGS
None
LOCAL PROCESS ID
26000
COMMAND LINE
"C:\Program Files\ScreenToGif\ScreenToGif.exe"
FILE PATH
\Device\HarddiskVolume6\Program Files\ScreenToGif\ScreenToGif.exe
EXECUTABLE SHA256
ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Low
IOC MANAGEMENT ACTION
None
EXECUTABLE MD5
ce227688fe0d35e6b5381666dc1cd7db
RUN PERIOD
START TIME
Dec. 17, 2023 12:47:14
END TIME
Dec. 17, 2023 12:47:15
DURATION
Terminated
from screentogif.
Just had a trigger with the new version
Steps to reproduce detection:
- Download ScreenToGif Portable from link at screentogif.com
- Extract ScreenToGif.exe
- Run ScreenToGif.exe
Metadata from Crowdstrike Detection
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
OBJECTIVE
Falcon Detection Method
TACTIC & TECHNIQUE
Malware via PUP
TECHNIQUE ID
CST0013
SPECIFIC TO THIS DETECTION
This file is classified as Adware/PUP based on its SHA256 hash.
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
GLOBAL PREVALENCE
Common
LOCAL PREVALENCE
Unique
IOC MANAGEMENT ACTION
None
Associated File
\Device\HarddiskVolume3\Apps\ScreenToGif.exe
VirusTotal has no detections https://www.virustotal.com/gui/file/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6/detection
HybridAnalysis doesn't have a sample: https://www.hybrid-analysis.com/sample/fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
What we did
We created a group in Falcon for those who can run ScreenToGif and tagged the computers to allow an exception to *\ScreenToGif.exe
from screentogif.
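A triage helper, added here and not part of the thread or the ScreenToGif project, that parses the field/value layout of the Falcon detections pasted above, pulls out the triggering SHA256 and associated file, and checks them against the hashes reported in this thread and the `*\ScreenToGif.exe` path exclusion described in the previous post; the sample dump and the `local_binary` bytes are constructed.

```python
import fnmatch
import hashlib
import re

# Constructed sample in the same layout as the Falcon detections pasted in this thread:
# an upper-case field name on one line, its value(s) on the following line(s).
SAMPLE_DETECTION = """\
ACTIONS TAKEN
Process blocked
File quarantined
SEVERITY
Low
TRIGGERING INDICATOR
Associated IOC (SHA256 on library/DLL loaded)
fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6
Associated File
\\Device\\HarddiskVolume3\\Apps\\ScreenToGif.exe
COMMAND LINE
"C:\\Program Files\\ScreenToGif\\ScreenToGif.exe"
"""

# SHA256 values reported as false positives by posters in this thread.
THREAD_HASHES = {
    "ad17b9409ac2b46f54c5fbd220d48d091ca7a1b8d91c20f15b00b93c6f6ca69d",
    "fe13f363f2c5940eb7010eeee25763575b86d945fa7d70f54c2cce9c4c6f54c6",
    "aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c",
}
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
FIELD_RE = re.compile(r"^[A-Z][A-Z &]+$|^Associated File$")  # field-name lines in the dump

def parse_detection(text):
    """Map each field name to the list of value lines that follow it."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if FIELD_RE.match(line):
            current = line
            fields[current] = []
        elif current is not None:
            fields[current].append(line)
    return fields

def triggering_sha256(fields):
    """The hex hash under TRIGGERING INDICATOR, or None if absent."""
    return next((v for v in fields.get("TRIGGERING INDICATOR", []) if SHA256_RE.match(v)), None)

def matches_exclusion(path, pattern=r"*\ScreenToGif.exe"):
    # Falcon reports a \Device\... path; the exclusion is a case-insensitive glob on the tail.
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())

def triage(text, local_binary=None, known_hashes=THREAD_HASHES):
    """Verdict: is the IOC a hash this thread reports, does the path fall under the
    exclusion, and does a locally obtained copy (bytes) hash to the same IOC?"""
    f = parse_detection(text)
    ioc = triggering_sha256(f)
    path = (f.get("Associated File") or [""])[0]
    return {"ioc": ioc, "known_false_positive": ioc in known_hashes,
            "path_excluded": matches_exclusion(path),
            "local_matches_ioc": local_binary is not None and hashlib.sha256(local_binary).hexdigest() == ioc}
```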
Same thing here. Antivirus McAfee.
from screentogif.
I sent a message to the company, let's see if they give me a reply.
We have the same issue and have asked our CrowdStrike TAM to assist. Hoping that you receive some assistance back from the vendor. In case it's helpful we've raised support case # 01326126 on our end for misidentification as a PUP.
from screentogif.
@NickeManarin - I hope we are able to resolve this. I am impacted too.
from screentogif.
I would love for this issue to be resolved. The detection was heuristic. I am curious if this FP submission works with the AI engines or just a hash check. Do we know what was added to the code in mid December that triggered the alerts?
from screentogif.
I got these details from some other company; they got these results:
YARA signature "Bolonyokte" matched file "sample.bin" as "UnknownDotNet RAT - Bolonyokte" (Author: Jean-Philippe Teissier / @Jipe_)
YARA signature "MALWARE_Win_AgentTeslaV3" matched file "sample.bin" as "AgentTeslaV3 infostealer payload" (Author: ditekSHen)
and
"ScreenToGif.exe" wrote 00000FB8 bytes to a remote process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (Handle: 1728)
YARA Bolonyokte is a really generic rule-set as for example, it matches apps with "CaptureScreen" and "CaptureCursor" which of course this app would have.
from screentogif.
mid December that triggered the alerts?
I can check, but the code base was mostly unchanged during the last 2 quarters of 2023.
from screentogif.
This should no longer be a problem, as the company removed the false-positive.
from screentogif.
@NickeManarin Nope, it's still flagging for me here as of May 5
Hash
aaa562c84f22ea0fc63d3fef74ee4c4fbb26d873c3b609555e2870008c01c98c
from screentogif.