Pycharm gateway plugin - remote-dev-worker-windows-amd64.exe is being flagged as malicious by EDR tools 关注
We are seeing that the Pycharm gateway plugin - remote-dev-worker-windows-amd64.exe is being flagged as malicious by EDR tools
Path - `PyCharm.app/Contents/plugins/gateway-plugin/lib/remote-dev-workers/remote-dev-worker-windows-amd64.exe`
SentinelOne flagged it due to the following indicators:
- This binary contains abnormal section names which could be an indication that it was created with non-standard development tools
- This binary imports debugger functions
Per the VirusTotal report for the binary https://www.virustotal.com/gui/file/ce84d71b8d0c4d275ab0c1e91a8eb1dd0ff467eb1c441d5d8752e707db9d1484/community it looks like UPX compression is used which is unusual and suspicious.
Also attaching a malware sandbox report - https://www.hybrid-analysis.com/sample/ce84d71b8d0c4d275ab0c1e91a8eb1dd0ff467eb1c441d5d8752e707db9d1484/640a490492a177e74704b8c4 which lists several suspicious behaviours including the use of UPX compression.
Please confirm if this is expected
Hello and thank you for your report.
Our security team, along with the developers involved, have reviewed the source code and found no malicious indicators.
We can also confirm that we use UPX to compress the binary, and it's expected.
Technical Support Engineer