[Bug] Symantec Endpoint Protection detects virus Heur.AdvML.D in latest shims #5730

Closed

xxthunder opened this issue Nov 15, 2023 · 6 comments

xxthunder commented Nov 15, 2023

Bug Report

Current Behavior

Scoop is currently not usable at my company due to (maybe) false positives of Symantec Endpoint Security. Newly created shims are detected as a virus. So no apps can be installed/updated.

Expected Behavior

Shims shall work on PCs with Symantec Endpoint Protection.

Additional context/output

Possible Solution

System details

Windows version: 10

OS architecture: 64bit

PowerShell version: default 5.1

Additional software: Symantec Endpoint Protection

@xxthunder xxthunder added the bug label Nov 15, 2023
@spider2048
Contributor

spider2048 commented Nov 16, 2023

Were you using the develop branch?
Which packages did you try to install?

@xxthunder
Author

Yes, I am using the develop branch. It actually does not matter what app I am installing. If scoop install or scoop reset creates a shim, the shim executable is detected as a virus. A colleague of mine already sent an exemplary executable to Symantec; I am curious what they say. I created this issue in case somebody else is having the same problem.

@spider2048
Contributor

spider2048 commented Nov 19, 2023

I had a similar detection (Heur.AdvML.D) when I installed packages which themselves had false positives in them.
But in no VT report does Symantec identify the shim(s) as a virus (which would not be a perfect argument). But I would still want to know the specific application you are trying to install/reset, and I would also want to have the actual shim binary which is causing problems.

@r15ch13
Member

r15ch13 commented Nov 19, 2023

This is related to #5559 which modifies shims subsystem. The modified shim is reported as a false positive.

@spider2048
Contributor

spider2048 commented Nov 19, 2023

I would like to say that antiviruses generally flag most GUI subsystem binaries as false positives. Even the compiled GUI shims would be flagged too. The modification of the subsystem was necessary because we have 3 different shim types (71, kiennq, scoopcs) with kiennq being the default.

You can look at the VT reports of various shim binaries:

  1. scoopcs Compiled with target:winexe
  2. scoopcs Compiled with target exe - Original shim
  3. scoopcs Patched shim
  4. Kiennq Patched shim
  5. Kiennq - Original shim

Now, no VT report had Symantec Endpoint Protection flagging the shim as malware. Or, I don't even see the family Heur.AdvML.D in any of the lists.

I would also like to point out that there isn't much difference between the compiled and the patched shims. For instance, using radiff2 (from radare2) gives me:

```
% radiff2 .\shim-patched.exe .\shim-gui.exe # differ by 20 bytes
0x00000088 485dabb6 => 825c948c 0x00000088 # difference in timestamp
0x000012f8 efb84aaa45fe8e49b7b7ad065d37aef5 => 44f7cdf184e8b2438e14e7cf656214f2 0x000012f8 # some hash
```

If #5559 were the only issue, the console shims should work fine, shouldn't they?
But we have this:

> Newly created shims are detected as virus. So no apps can be installed/updated.

I think we are missing some detail in the issue.
And to bring the VT detections to 0, we may need to restructure shim.cs (I'm not so sure).
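The radiff2 output above shows the patched and compiled shims differing only in the COFF timestamp at 0x88 and one 16-byte block. The following is an added example, not code from this thread or from Scoop, that makes that kind of comparison repeatable: it parses the handful of PE header fields involved, rewrites the optional header's Subsystem field from console (3) to GUI (2), which is my reading of what the #5559 "subsystem" patch amounts to, and then labels every differing byte run by the header field it lands in. Because the real shim binaries are not available here, the script builds constructed, header-only PE images; the e_lfanew of 0x80 (so that the timestamp lands at 0x88 as in the thread), the timestamp values, and the helper names are assumptions for illustration, and the 16-byte change at 0x12f8 in the real shim is not modelled.

```python
"""Compare two PE images and label which header fields differ.

Added example for this thread (not Scoop's code). It models the
console->GUI shim patch as a rewrite of the optional header's
Subsystem field and shows the resulting byte diff, radiff2-style.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

IMAGE_SUBSYSTEM_WINDOWS_GUI = 2  # /target:winexe
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3  # /target:exe (console)


@dataclass
class PeHeaderInfo:
    e_lfanew: int    # file offset of the "PE\0\0" signature
    timestamp: int   # COFF TimeDateStamp
    subsystem: int   # optional header Subsystem
    opt_offset: int  # file offset of the optional header


def parse_pe_headers(data: bytes) -> PeHeaderInfo:
    """Read the few header fields this example cares about."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # the COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return PeHeaderInfo(e_lfanew, timestamp, subsystem, opt)


def set_subsystem(data: bytes, subsystem: int) -> bytes:
    """Copy of `data` with the Subsystem field rewritten (the console->GUI patch)."""
    info = parse_pe_headers(data)
    out = bytearray(data)
    struct.pack_into("<H", out, info.opt_offset + 68, subsystem)
    return bytes(out)


def diff_bytes(a: bytes, b: bytes) -> List[Tuple[int, bytes, bytes]]:
    """(offset, bytes_in_a, bytes_in_b) for each run of differing bytes."""
    if len(a) != len(b):
        raise ValueError("images differ in size; this diff only covers equal-size files")
    runs = []
    i, n = 0, len(a)
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        runs.append((start, a[start:i], b[start:i]))
    return runs


def describe_differences(a: bytes, b: bytes) -> List[Tuple[int, str, bytes, bytes]]:
    """Label each differing run with the PE header field it falls in."""
    info = parse_pe_headers(a)
    ts_range = range(info.e_lfanew + 8, info.e_lfanew + 12)       # COFF TimeDateStamp
    ss_range = range(info.opt_offset + 68, info.opt_offset + 70)  # Subsystem
    labelled = []
    for off, x, y in diff_bytes(a, b):
        if off in ts_range:
            label = "TimeDateStamp"
        elif off in ss_range:
            label = "Subsystem"
        else:
            label = "other (body/metadata)"
        labelled.append((off, label, x, y))
    return labelled


def build_minimal_pe(timestamp: int, subsystem: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed, header-only PE32 image (not loadable: no sections).
    e_lfanew defaults to 0x80 so the timestamp lands at 0x88 as in the thread."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 0 sections, timestamp, no symbols, SizeOfOptionalHeader=0xE0,
    # Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 0, timestamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Constructed inputs (assumed timestamps): a compiled console shim, the same
    # image patched to GUI, and a rebuild that only differs in timestamp.
    console = build_minimal_pe(0x6554A1B2, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    gui = set_subsystem(console, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    rebuilt = build_minimal_pe(0x6554A1B3, IMAGE_SUBSYSTEM_WINDOWS_CUI)
    for name, other in (("patched", gui), ("rebuilt", rebuilt)):
        print(f"console vs {name}:")
        for off, label, x, y in describe_differences(console, other):
            print(f"  0x{off:08x} {x.hex()} => {y.hex()} # {label}")
```

Run against two real shims, replace the constructed images with `open(path, "rb").read()`; a diff whose only labelled runs are TimeDateStamp and Subsystem is what a pure subsystem patch looks like, and anything labelled "other" (such as the 16-byte block at 0x12f8 above) is worth accounting for separately before blaming the subsystem change.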

@xxthunder
Author

xxthunder commented Dec 2, 2023

Hi, sorry for my late reply. I installed 7zip, totalcommander and sysinternals. All GUI shims were put into quarantine by our company's SEP installation. A colleague from IT sent an exemplary GUI shim together with some information about how they are created to Broadcom. They confirmed the false positive and whitelisted the signature of the current GUI shim. After updating the virus definitions via LiveUpdate the problem was gone for me and all my colleagues.

3 participants