MS Defender blocks 'Serious threat' when running log4jscanwin

[hitem]

Hello,
Your tool is triggering AV's. I tried looking through your code but could not find anything suspicious at a glance, therefor this submit.
What it finds is the following:

It says: Serious threat, blocked and removed.

Hope it helps.

[romw]

Was it triggered from one of the binaries we supplied? Or did you build it yourself?

[hitem]

From your binary. It runs for about 25 seconds "Scanning c:" and then it comes up.
Edit: i also tried running it on a secondary system and same trigger there. Three times in a row (incase it was something else!).

[bushy555]

Useless side note that may or may not help:
Running the scanning tool on an old XP computer (works great even on old XP !).
Avast with current signatures (20 Dec) does not detect it being a threat.

[Olivier-CracK]

Quick feedback : I had no problem in running the program on win 10 with SentinelOne av.

[johnmccash]

I had no problems running this (1.2.17) yesterday on Win10 with Defender for Endpoints

[hitem]

Thanks for the tests guys. I went ahead and went a little deeper today.
However, its still detected by Microsoft Defender.

Tried running w and w/o administrator rights - tried disabling each feature of defender and the only time it was undetected is if i turn defender completely off....

[romw]

I suspect the ransomware behavior detection component of Windows 11 noticed the sequential traversal of the file system as something to block. It appears our code-signing certificate isn't enough to overcome the suspicion of Windows Defenders scoring system on Windows 11.

That is rather annoying.

[gsmith89]

I am getting a similar message from Defender when running on Windows 11. It is saying the program is putting a file in the temp folder of AppData.

[pjheslop]

Symantec Endpoint Protection also blocks the tool: