Potential threat in Windows Release Archive?

[JoernMueller]

lnav version
v0.13.1

Describe the bug
Just wanting to raise awareness that Windows Defender recognizes the archives content of lnav-0.13.1-windows-x86_64.zip as Script/Wacapew.A!ml
As I wouldn´t expect this project is trying to spread malware, you might want to check if there is some sort scripting or techniques included that could make it look potentially suspicious to the AV heuristics.

To Reproduce

• Download the archive on a Win11 x64 system where MS Defender is running.
• Try to open/unpack the archive.
• Observe Defender intercepting this operation

I did not check any other releases than 0.13.1.

[FaffeF]

no detection here, virustotal 0/98

[JoernMueller]

@FaffeF Many thanks for your investigation. I would have been indeed quite astonished if this would have been a true positive.

MS defines Wacapew.C!ml (not A) as scripts "modifying system files, connecting to remote servers, downloading additional components, or self-renaming", basically things many installers (including some of MS itself) are usually doing.

[FaffeF]

Not in any way sure that it's what Defender is picking up, but lnav does have some of that functionality. Like ssh connections and loading extra formats from git repos.

One man's tool, another man's "potentially unwanted application".