Reporting Ransomware issue with cmder/vendor/clink?

[joananespina]

Purpose of the issue

• Bug report (encountered problems/errors)
• Feature request (request for new functionality)
• Question

Version Information

Cmder Version 1.3.6.678
ConEmu version 180528 preview

Microsoft Windows 10 Home Build 17134

Description of the issue

Hello,

I'm not sure what to call this, but I think it is an issue. My antivirus(Bitdefender) spotted ransomware behavior at cmder/vendor/clink. I think its worth checking if its a false positive?

I attached a screenshot of the notice...

[daxgames]

What files did bitdefender claim were encrypted? This is probably a false positive.

[joananespina]

@daxgames the files that were affected are node_module files in one of my project's directory. I am not sure if it happened during an npm install or not.

If it did happen during an npm install, shouldn't Bitdefender have flagged node.js and not cmder/clink? I am not familiar with clink, but does it have any file locking behavior?

I also want to point out that this is a first for me, this prompt did not happen before.

[daxgames]

I am not an expert in what Clink does but I believe it injects itself into the console process. Virus and malware detection work by identifying behavior patterns. Since Clink injects itself into other processes, a common malware pattern, it could be falsely blamed for anything, even legitimate activity, that is executed in that console.

[joananespina]

Oh I see, I did think it would be hard to trace this with the very limited information. Anyway, I think there's no damage since the antivirus did restore the affected files. But I think this would cause some potential issues, like if the files should have been deleted but the AV restores it back.

Anyway just a heads up in-case something similar comes in. I'll close this issue since it looks like a false positive.

Thanks for the help!