CrowdStrike Falcon False Positives

For the past several months the CrowdStrike Falcon endpoint protection platform has been flagging builds of our WebCopy and Sitemap Creator products as malicious.

A few weeks after this originally started I contacted their support to try and get a solution. Each time, they would check the builds, state they were clean and whitelist that one build. Of course, as soon as our CI server pushed out a new build, they automatically flagged it as malicious again.

It has now been several months and their support doesn't answer emails or provide any reason why they keep flagging the software as malicious. As we are quite certain these are false positives (firstly, every build is sent to VirusTotal for analysis by multiple engines; secondly, each time we originally contacted them with one of the file hashes they investigated and reported clean) we have decided to add the CrowdStrike detections Win/malicious_confidence_80% (D) and Win/malicious_confidence_90% (D) to an ignore list. Therefore, if one of these is the only detection, the build will be made available for download.
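The release rule described above, written out as a small CI gate. This is an added example, not the author's build tooling: the scan shape mirrors a VirusTotal v3 `last_analysis_results` map, the engine name "CrowdStrike Falcon" is assumed, and the sample verdicts are constructed. It also covers the edge case the rule implies: the ignored label only excuses the engine it belongs to, and any second engine's detection still holds the build.

```python
"""Release gate: hold a CI build unless every detection is a known false positive.

Added example, not the author's tooling. The scan shape mirrors a VirusTotal v3
`last_analysis_results` map (engine -> {"category", "result"}); the engine name
"CrowdStrike Falcon" and all sample verdicts below are constructed.
"""
from typing import Dict, List

# The two detections the post treats as known false positives.
IGNORED_DETECTIONS = frozenset({
    "Win/malicious_confidence_80% (D)",
    "Win/malicious_confidence_90% (D)",
})
IGNORED_ENGINES = frozenset({"CrowdStrike Falcon"})  # assumed engine name
# Only these categories are verdicts against the file; undetected, harmless,
# type-unsupported and timeout entries are not detections.
FLAGGING_CATEGORIES = frozenset({"malicious", "suspicious"})


def blocking_detections(results: Dict[str, dict]) -> List[str]:
    """Return "engine: label" for each detection the ignore list does not cover."""
    blocking = []
    for engine, verdict in sorted(results.items()):
        if verdict.get("category") not in FLAGGING_CATEGORIES:
            continue
        label = verdict.get("result") or "<unnamed>"
        # An ignored label is excused only from the engine it belongs to; the
        # same string reported by any other engine still blocks the release.
        if engine in IGNORED_ENGINES and label in IGNORED_DETECTIONS:
            continue
        blocking.append(f"{engine}: {label}")
    return blocking


def release_allowed(results: Dict[str, dict]) -> bool:
    """True when the build may be published: no detections, or only ignored ones."""
    return not blocking_detections(results)


# Constructed scan results for three builds.
ONLY_CROWDSTRIKE = {
    "CrowdStrike Falcon": {"category": "malicious", "result": "Win/malicious_confidence_90% (D)"},
    "EngineA": {"category": "undetected", "result": None},
}
SECOND_OPINION = dict(ONLY_CROWDSTRIKE, EngineB={"category": "suspicious", "result": "Trojan.Generic"})
WRONG_ENGINE = {"EngineC": {"category": "malicious", "result": "Win/malicious_confidence_80% (D)"}}

if __name__ == "__main__":
    for name, scan in [("only CrowdStrike", ONLY_CROWDSTRIKE), ("second engine", SECOND_OPINION),
                       ("wrong engine", WRONG_ENGINE)]:
        print(f"{name}: {'release' if release_allowed(scan) else 'hold'} {blocking_detections(scan)}")
```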

Of course, there are no guarantees and so you should still be cautious when downloading files from the internet.


Comments

# Piotr Farbiszewski

They are doing this because they are ultimately responsible for their customers' security, and from this point of view the default stance should be 'trust no one'. Are you using third-party libraries which you do not vet for security yourself as part of your CI builds?

# Richard Moss

Hello,

Thanks for taking the time to comment. Yes, of course there should be security, but if every AV vendor blocked all the things, then that is just as big a problem. I'm used to AV vendors occasionally flagging the software as malicious. With the good ones, I fill in a false positive report, and thus far they've always come back clean and the issues go away. Some of the lesser ones either don't have a false positive submission or you get no response and then I have to wait; again, so far these issues have naturally resolved.

CrowdStrike is the only one that flags everything as malicious and has been doing so for a year now. Maybe they operate under a different model, I don't know. All I know is it's quite frustrating.

As far as third-party libraries go, I'm usually quite cautious with what I use. Whilst I don't vet every single line, I don't grab random packages willy-nilly either. This isn't a node situation where you have literally hundreds of packages and sub-packages and scant idea of what is what. As an example, WebCopy uses four third-party libraries for wheels I either don't have the knowledge to reinvent (e.g. brotli compression) or the time (e.g. PDF parsing, language detection).

Regards, Richard Moss
