UShell install blocked by antivirus

Hi, today I was creating links on our intranet to Epic topics and came across ‘The Epic Way’ again (nice stuff).

In the video I saw the UShell part and decided to take a better look by installing it.

During the install our Bitdefender antivirus reported the following:

“On-Access scanning has detected a threat. No configured actions could be taken, but access to the file has been denied. C:\Users\david.yerkess\AppData\Local\ushell\.working\tools\clink-1.0.0a5.work\$extract\clink-1.0.0a5.c8ecc0\clink_x86.dll is malware of type AI:Avkill.45841.7F701B4919”

Do you have any information regarding false positives or if there could be a real issue with files that the install downloads?

Thanks and best regards,

David

Hey David,

Clink is a sort of “shell on steroids” replacement shell, and as a result of all the system-level features it must support (such as thread injection), is likely to get flagged as a virus in some cases. The author, Martin Ridgers, works (or at least did at one point) at Epic. That being said, the project hasn’t made a release from his repo since August 2024 (which is the version that ushell downloads). I found that someone has forked the repo and is actively working on their fork of it, and there are GitHub issues periodically about it being flagged by such and such virus scanner. The author made a very long and helpful reply about the nature of the software and why it gets flagged by AV software that you can read here: https://github.com/chrisant996/clink/issues/583#issuecomment-2024868016

I went ahead and scanned clink_x86.dll with VirusTotal, and indeed it is flagged by 11 scanners, BitDefender being one. Interestingly enough, though, a scan of clink_x64.dll is only flagged by a single scanner.

It’s above my pay grade to offer security advice, so I’ll have to leave it up to you on how you feel about trusting your AV software about this, however.

This will be a false positive. There are two reasons I say this; the DLL that your AV vendor has flagged was built by me, and each dependency ushell acquires is checked against a SHA256 prior to use. I am also the original creator of Clink so I am confident what the DLL does.

Unfortunately, my hands are tied here. Clink is, as Graeme mentioned, used to augment the standard Windows command prompt with lots of ushell-specific tab completion, a nice prompt, command history, etc. It works by injecting itself into cmd.exe and hooking a few Windows API calls, which sadly sometimes gets misclassified as malicious by AV vendors’ heuristic scanning. It’s something that’s cropped up now and then ever since I created Clink.

On the plus side, the x86 build of the DLL isn’t used (unless you’re somehow using a 32-bit version of Windows or end up in WOW64), so it would be okay to allow that to be quarantined.

I hope you can placate BitDefender (e.g. adding `.working/tools/` to an allow-list). Many have found ushell to be a useful addition to their workflow and I’d hope you’d find some value there too.

-Ridgers.
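The dependency check Ridgers describes (each downloaded dependency is compared against a known SHA-256 before it is used) is the control that makes "this is a false positive" verifiable rather than a matter of trust, and it is also what an IT team can reproduce on its own machine before allow-listing anything. The block below is an added illustration of that pattern in Python and is not ushell's or Clink's own code; the archive name, its contents and the pinned value are constructed here, and the manifest layout is an assumption. It hashes the artifact in chunks, compares in constant time, treats a missing or quarantined file as a failure, and only extracts once the hash matches, then shows that a single flipped bit in the same archive is rejected.

```python
"""Pin-and-verify a downloaded dependency by SHA-256 before extracting it.

Added example, not ushell's or Clink's own code. It mirrors the check
described in the thread (each acquired dependency is compared against a
known SHA-256 prior to use). File names, contents and hashes are constructed.
"""
import hashlib
import hmac
import os
import tempfile
import zipfile

CHUNK = 1 << 20  # hash in 1 MiB chunks so large archives never sit fully in memory


def sha256_file(path):
    """Hex SHA-256 of a file, streamed from disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, expected_hex):
    """True only if the file exists and its SHA-256 equals expected_hex.

    A missing file (for example one an AV product has quarantined) is reported
    as a failed check rather than raised, so the installer can stop cleanly.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if not os.path.isfile(path):
        return False
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def extract_if_verified(archive, expected_hex, dest):
    """Extract the archive into dest only after the pinned hash matches."""
    if not verify_artifact(archive, expected_hex):
        return False
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(dest)
    return True


def demo():
    """Constructed end-to-end run. Returns (genuine_ok, tampered_ok).

    A fake archive stands in for a tool download; its hash is recorded the
    way a tool author would pin it at release time. A copy with one flipped
    bit then fails the same check and is never extracted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        archive = os.path.join(tmp, "example-tool.zip")  # constructed, not a real release
        with zipfile.ZipFile(archive, "w") as zf:
            zf.writestr("example_tool.dll", b"constructed placeholder, not a real DLL")
        pinned = sha256_file(archive)  # value the installer would ship with

        genuine_ok = extract_if_verified(archive, pinned, os.path.join(tmp, "good"))

        tampered = os.path.join(tmp, "example-tool-tampered.zip")
        with open(archive, "rb") as f:
            data = bytearray(f.read())
        data[-1] ^= 0x01  # flip one bit in the zip's trailing record
        with open(tampered, "wb") as f:
            f.write(bytes(data))
        tampered_ok = extract_if_verified(tampered, pinned, os.path.join(tmp, "bad"))

        return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Pinning by hash, as shown here, is a narrower control than allow-listing a whole directory in the AV product: an allow-listed folder trusts whatever lands there later, whereas a pinned SHA-256 trusts one specific build and nothing else. An administrator who wants independent assurance can compute the same digest over the downloaded archive and compare it with the value the tool publishes.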