Pycharm gateway plugin - remote-dev-worker-windows-amd64.exe is being flagged as malicious by EDR tools
We are seeing that the Pycharm gateway plugin - remote-dev-worker-windows-amd64.exe is being flagged as malicious by EDR tools
Path - `PyCharm.app/Contents/plugins/gateway-plugin/lib/remote-dev-workers/remote-dev-worker-windows-amd64.exe`
SentinelOne flagged it due to the following indicators:
Abnormalities
- This binary contains abnormal section names which could be an indication that it was created with non-standard development tools
General
- This binary imports debugger functions
Per the VirusTotal report for the binary https://www.virustotal.com/gui/file/ce84d71b8d0c4d275ab0c1e91a8eb1dd0ff467eb1c441d5d8752e707db9d1484/community it looks like UPX compression is used, which is unusual and suspicious.
Also attaching a malware sandbox report - https://www.hybrid-analysis.com/sample/ce84d71b8d0c4d275ab0c1e91a8eb1dd0ff467eb1c441d5d8752e707db9d1484/640a490492a177e74704b8c4 which lists several suspicious behaviours including the use of UPX compression.
Please confirm whether this is expected.
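To see what the "abnormal section names" indicator above is reacting to, here is an added example (not part of this thread or of JetBrains' code) that walks a PE file's section table and flags the UPX0/UPX1 layout that UPX leaves behind. It assumes the indicator is name-based and builds a constructed header-only PE32+ stub as sample input, so it runs offline; pointing `triage` at real file bytes works the same way.

```python
import struct

# Section names a conventional toolchain emits; anything outside this set is what
# a name-based "abnormal section names" check reacts to (assumption: the EDR
# indicator is name-based, which matches UPX's well-known UPX0/UPX1 naming).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".CRT", ".xdata"}
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def pe_section_names(data: bytes) -> list[str]:
    """Walk the PE headers and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]          # Name field: 8 bytes, NUL padded
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Classify the section layout the way a name-based EDR indicator would."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n in UPX_SECTIONS for n in names),
        "abnormal": [n for n in names if n not in STANDARD_SECTIONS],
    }


def build_stub(section_names: list[str]) -> bytes:
    """Constructed sample: a header-only PE32+ image with the given sections (no code)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    optional = struct.pack("<H", 0x20B) + bytes(238)            # PE32+ magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(optional), 0x22)
    table = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    # Compare a UPX-style layout (what the report describes) with a conventional one.
    print(triage(build_stub(["UPX0", "UPX1", ".rsrc"])))
    print(triage(build_stub([".text", ".rdata", ".data"])))
```

A UPX layout on its own is a packing indicator, not proof of malice; the vendor's confirmation that the packing is intentional is what resolves it.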
Hello and thank you for your report.
Our security team, along with the developers involved, have reviewed the source code and found no malicious indicators.
We can also confirm that we use UPX to compress the binary, and it's expected.
Best regards,
Semyon Martynchik
Technical Support Engineer
Hello,
We are having the same issue with PyCharm being flagged as malicious and therefore we are not permitted to use the application. What is JetBrains doing to resolve this issue?
Hello,
Can you please provide the report details?
Hello!
I received this same notice from Sentinel One just today. This was the path, different because on a Mac machine ('darwin', instead of 'windows' as above):
'PhpStorm.app/Contents/plugins/gateway-plugin/lib/remote-dev-workers/remote-dev-worker-darwin-amd64'
Please note: I updated the Jetbrains Toolbox, and subsequently the Php Storm app using the Jetbrains Toolbox interface about three to four hours before receiving notification of potential malware from Sentinel One.
To be safe, I have uninstalled the folder starting `remote-dev-workers` from the path as well as uninstalling the JetBrains toolbox app from the affected device. I also uninstalled the Gateway app.
Potentially, the problematic file is flagged due to its loading through the Jetbrains Toolbox interface. I do not usually update this way: usually, I use the IDE application's update interface instead of the Jetbrains Toolbox interface. The report indicates it originated from 'jetbrains-toolbox'. Sentinel One has never flagged anything from Jetbrains for my setup, only this one.
__
Nick Buxton | SCG
__
Nick Buxton
Update: after two days, the detection was reclassified as benign. However, it would probably be worth the time to understand why these are being flagged as potential malware, especially with regards to using the JetBrains toolbox app.
__
NB
Hi Nick,
Thank you for letting us know. Our developers and security team have been notified.
AFAIK, UPX compression was only disabled for Windows builds. Therefore, it may still be present on other operating systems. We are working on a solution.
Update:
I have clarified the status of UPX compression for remote-dev workers. It has been disabled since 2023.2 for all platforms (Windows, MacOS, Linux).
If the issue reappears — please specify your exact IDE version and attach the report details.
Thanks in advance.