Windows Defender false-positive against Termination-Checker.vbs

[putty182]

Bumped into this after booting up my rig today; Trojan:Script/Cloxer.A!cl

Clearly a false positive, logging it as a GH issue in case anyone else sees it and panics.

Category: Trojan

Description: This program is dangerous and executes commands from an attacker.

Recommended action: Remove this software immediately.

Items: 
containerfile:C:\cloudRIG\Termination-Checker.vbs
file:C:\cloudRIG\Termination-Checker.vbs->(UTF-16LE)
file:C:\Windows\System32\Tasks\CloudRIGTerminationChecker
process:pid:6924,ProcessStart:131813976001945618
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0D0A5740-1631-48F7-BA56-8870BBAFA866}
regkey:HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\CloudRIGTerminationChecker
taskscheduler:C:\Windows\System32\Tasks\CloudRIGTerminationChecker

Get more information about this item online.

---

Want to back this issue? Post a bounty on it! We accept bounties via Bountysource.

[williamparry]

Great pick up - thanks :)

Any ideas how to get around it?

[williamparry]

This looks promising: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus

[AetherCollective]

You could always use my False Positive Reporter tool to request whitelisting from AV Vendors.
https://github.com/BetaLeaf/False-Positive-Reporter