Windows 10 20.04 build 19041.450
Security Intelligence Version 1.321.1943.0
Detected /usr/bin/jq from Ubuntu 20.04 as Trojan:Win32/Casdet!rfn.
I reported this to the Defender team via a false positive Submission. They resolved this and said it would be fixed.
Along came definitions update 1.321.2133.0 which now detects jq as Trojan:Linux/CoinMiner.N!MTB.
Why do I believe this is a false positive detection?
The binary came from the official, signed Ubuntu repository. It has been in circulation for many months in its current version. No security breaches of the official Ubuntu repository are currently known.
I verified the checksum of the detected binary and compared it to the jq binary on fresh installs of Ubuntu 20.04 that are set up to download from the official Ubuntu repository as well. The checksums match.
sha256sum /usr/bin/jq
bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd
Now I can see that a bunch of other engines are also detecting jq.
I re-reported to Microsoft against Security Intelligence Version 1.321.2133.0 and this time they insist that it is malware, not a false positive and that they won't do anything about it!
Analyst comments: We have determined that the files meet our criteria for detection. At this time detection will remain in place.
What can we do about this?
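One way to make the verification described in the post repeatable (confirming that the flagged file is byte-for-byte what the distro package installed, and that it matches a known-good install): an added Python example, not code from the original post, from jq or from Ubuntu. It assumes the dpkg manifest format used by /var/lib/dpkg/info/<package>.md5sums; the fixture built in demo() is constructed and stands in for a real binary.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream the file through the chosen hash and return lowercase hex."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(manifest_text):
    """Parse dpkg-style md5sums lines ('<md5hex>  <path relative to />')."""
    entries = {}
    for line in manifest_text.splitlines():
        if line.strip():
            md5hex, rel = line.split(None, 1)
            entries[rel.strip()] = md5hex.lower()
    return entries


def verify_file(path, manifest_text, root="/", reference_sha256=None):
    """Compare an on-disk file with its package manifest and a reference hash."""
    # Real host: manifest_text from /var/lib/dpkg/info/jq.md5sums, root="/",
    # reference_sha256 taken from a fresh install (as the post did).
    rel = str(Path(path).resolve().relative_to(Path(root).resolve()))
    recorded = parse_md5sums(manifest_text).get(rel)
    actual_sha = file_digest(path, "sha256")
    return {
        "relative_path": rel,
        "in_manifest": recorded is not None,  # package claims to own the file
        "md5_match": recorded == file_digest(path, "md5"),
        "sha256": actual_sha,
        "sha256_match": None if reference_sha256 is None
        else actual_sha == reference_sha256.lower(),
    }


def demo():
    """Run the check on a constructed fixture (no real package required)."""
    root = tempfile.mkdtemp()
    target = Path(root, "usr", "bin", "jq")
    target.parent.mkdir(parents=True)
    data = b"constructed stand-in for a binary\n"  # not a real jq build
    target.write_bytes(data)
    manifest = f"{hashlib.md5(data).hexdigest()}  usr/bin/jq\n"
    good = verify_file(target, manifest, root, hashlib.sha256(data).hexdigest())
    bad = verify_file(target, manifest, root, "00" * 32)  # wrong reference
    return good, bad
```

The md5sums manifest lives on the same host as the binary, so a match there only shows the file is what dpkg recorded, not that the package itself is trustworthy; the SHA-256 comparison against a separately installed system is the stronger evidence.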