Fixed (Heuristics): Whalebird start menu shortcut detected as malware

IzNoGud78

The file
Code:
C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Whalebird.lnk
is in fact detected as TangoDialer.

It's described as an Autostart file in the Dialer-001 category, having rule ID CE8E2812 and a rather high level of danger.

Whalebird is an Electron-based Mastodon, Pleroma and Misskey client. It's multiplatform and open source (source code is available on the project's GitHub page h3poteto/whalebird-desktop).

I don't understand why only the shortcut on the start menu is detected as malware. By the way, I have tried to recreate the shortcut myself, but it is still detected. At the moment I've seen fit to ignore the item because in my opinion it may be a false positive.
 
I forgot to mention that there aren't options or additional commands on the shortcut destination string that would suggest malicious behavior.

The path specified is as follows and only invokes the executable file of the program:
Code:
C:\Users\<Username>\AppData\Local\Programs\Whalebird\Whalebird.exe
 
Thanks for reporting this.

Rule CE8E2812 doesn't seem to match here on first look.

I applaud that you've hidden your username on a public post - does it by chance consist of an adjective and a noun, 8 letters in total?

Dialers are quite old rules; this is one of the very few that have very basic testing of the linked file.

PS: received confirmation that this rule will be improved. One of our forensics is going to test the software anyway :)
 
The rules that caused this FP have just been updated and published. This issue should be solved; if not, let us know, IzNoGud78. Thank you.
 