CLI v1.0 triggers windows defender for Worm:Win32/Yuner.A

[baywet]

Describe the bug

A couple of days ago I upgraded my CLI to v1.0 using winget winget install --id GitHub.cli -e.
For reference, here is the manifest it installed.

After digging around, I found that windows defender had quarantined gh.exe because it detected it contained Yuner.A

OS: windows 10 2004 (19041.508)
Rules updates (for defender): 1.323.1687.0

As a workaround I added the CLI as an exclusion for the time being.

Steps to reproduce the behavior

1. install GH CLI on a similar OS configuration
2. reboot
3. gh.exe will be quarantined

Expected vs actual behavior

The CLI not to trigger the antivirus.

Logs

Using PowerShell 7 to call gh, I obtained the following error response.

ResourceUnavailable: Program 'gh.exe' failed to run: Operation did not complete successfully because the file contains a virus or potentially unwanted software.At line:1 char:1

Using cmd to call GitHub I obtained the following response.

The system cannot access the following resource.

[rnystrom]

Thanks for this report. We contacted Microsoft to figure out why Windows Defender is incorrectly identifying the gh as Worm:Win32/Yuner.A. Sorry for any confusion. We will report back ASAP!

[craig-jennings]

When clicking on the download link on the Releases page, I get a similar result:

[jessehouwing]

@martinwoodward

[mislav]

Thank you for reporting! We've also had the experience with hub.exe (another GitHub API client written in Go) being erroneously flagged as malware as well

These are all false positives, but it looks like something about Go binaries triggers these malware detection heuristics, since these are entirely different codebases and the only thing in common with them is that they are cross-compiled with Go.

[martinwoodward]

The Microsoft Windows Defender team have indicated that they have cleared the false detection. Windows Defender updates will usually come down automatically. However if you want to manualy update then the Microsoft team advised that you do the following to clear cached detection and obtain the latest malware definitions from them.

1. Open command prompt as administrator and change directory to c:\Program Files\Windows Defender
2. Run MpCmdRun.exe -removedefinitions -dynamicsignatures
3. Run MpCmdRun.exe -SignatureUpdate

Alternatively, the latest definition is available for download here: https://www.microsoft.com/en-us/wdsi/definitions

Thanks for letting us know about this one. Sorry for the inconvienience.

[baywet]

thanks @martinwoodward this seems to do the trick for me.
@rnystrom do you want me to close the issue or leave it open for visibility?

[mislav]

@baywet Let's please leave this open for visibility for a couple of days. 🙇

[jessehouwing]

Does it make sense to close, but pin it? That should make it visible, but also highlight the problem has been solved.

[Meiryo7743]

I experienced a similar problem. In spite of having tried to the solution, gh.exe was automatically deleted again by Windows Defender. The problem doesn't seem to have been solved ...

As a side note, gh_1.0.0_windows_386.zip is regarded as a virus when downloaded on Microsoft Edge or inspected by the Defender. Here are the screenshots:

Expand

Version of the malware definitions

---

[vilmibm]

Closing since no new reports have come in.

@Meiryo7743 are you still having problems?