21 changes: 11 additions & 10 deletions HASHES.txt
Expand Up @@ -15,14 +15,17 @@ da10d733a8628d518a9931693761f02645eb63d8278d08d9df7f8c1d7e53108f *scanner/consol
39a2ad0f9e0335c821fc65d6f365c13305fc9da5a6b1115c5bfc48fdd97407b4 *scanner/console-rig-audit.ps1
0b680b000ecc2b500bbde276aadac5a850a8dcbc11c8990f52a96e21a11b22a1 *scanner/console-run-check.bat
065ef704012b8c3f410916e702165dc1fd197d586d852fc8473af735273b0d0b *scanner/console-setup-checklist.html
f023d3250bd536023ac13d86476bd30ad7b058d519e70d893a1df988ab204889 *scanner/forensic-common.ps1
eae7ddba680a1791472ef554dfe64a4be0158da3c94e6df22bdc8f569dca9738 *scanner/forensic-common.ps1
605d6daec37ba3f170c9f703634e78567271f2762e9812626f7c9a897eb52d7f *scanner/forensic-scan.ps1
671c81e911af316569e92ce162cfee0bb5efaff9c8096942c9b7c102aa809f40 *scanner/generate-visual-companion-console.ps1
659db814bc9ee87bda9506fa613780bc8e6da3a487866e040d46c8bac59fd957 *scanner/generate-visual-companion.ps1
d751ba1df46dad9379f88a4aa92cefbf580cf31ec0bc4e554964c7afb43ffc0b *scanner/generate-visual-companion-console.ps1
afbffe792aa48d6f5a560c23f335ee6426e12c2548fb42579c70ae6c0f47d8e6 *scanner/generate-visual-companion.ps1
c8facb1b05abed76952cc329cc06db3fd11e34f75c68057bad69c966f2ac45ae *scanner/one-page-guide.html
4eb22872d1f12906902ecada273417e120180716d42cede4dffcb48162375fe7 *scanner/run-check.bat
7772e751a53e65606655a8883777613c74ceed2a7e3d29892dfdc3c6b8a5b815 *scanner/top-bin-explainer-offline.html
bea5014e7990755b1876742bea7c579529cf2633dfae0facecfb09149c743302 *scanner/top-bin-explainer.html
f53a26a907bef93be8a721d255819bd2edd03afcc3bb761e42b2c9697d829244 *scanner/visual-companion-common.ps1
f3e79c3acd09342608c7d37e78d04cad7577edf4bdae7d7bfc9e5908872c707a *scanner/visual_scripts.js
7af488a7bce339a492b149cc724eb33abbc35d97ca9dd18cd650ec6aede58e68 *scanner/visual_styles.css

# --- python/src/alibi/ — Python parity port ---
1c57cb4a841030054b9b8300e34df3e9ab573b221efa3a0d981ca92d723cc448 *python/src/alibi/__init__.py
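Review bot: nothing in this hunk distinguishes content changes from newly attested files, and HASHES.txt carries no signature of its own, so a reviewer cannot tell from the diff why `forensic-common.ps1`, `generate-visual-companion-console.ps1` and `generate-visual-companion.ps1` changed while `visual-companion-common.ps1`, `visual_scripts.js` and `visual_styles.css` appear for the first time. Please state in the PR description which scanner files changed and why, and regenerate the list from the checked-out tree rather than hand-editing it; the `<hash> *<path>` lines are in `sha256sum -c HASHES.txt` format, but the `# ---` section comments are not checksum lines, so confirm that the verification command given to reviewers tolerates them.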
Expand All @@ -35,15 +38,13 @@ a3dd1cbe57328f88786b644d3a2f9b7bce8fd7bc0a0e7b9a2cf5e4285f58116f *python/src/ali
ac1b06f133c635435dc933adf66094c0788d0cb93e59c355a984b44ba7ab562d *python/src/alibi/recency.py
1ddde68d31bfe85bcf2a975978cc4a1789e103f93039fa8d6cdf33755c3b98f3 *python/src/alibi/reg.py
b87dbf5c0382643b4a8cdeb68865ca2c253a858244f54514960a482489a54145 *python/src/alibi/reports.py
fbd30e9eb59528398619fee519292bf81c6b2b7f867d2d2301b6e295207cc27c *python/src/alibi/scanners.py
1ed8b536cbc37bb5ca5d713cb77f7a068b909730c0751b762119580ad82bca94 *python/src/alibi/scanners.py
a13e61f66e80d05984b505442afd1a17f7a45d578cffc94c9d4b9a05ca76b85c *python/src/alibi/snapshots.py
af892863f0c936218ffd7690e0dcf2017a60a4ddc083551c06be84f9633e2f44 *python/src/alibi/utils.py
04e76640a682683beb4dae5ec81b855adc2c76e3c1b386984f1f0bab34be59d2 *python/src/alibi/visual_companion.py
f3e79c3acd09342608c7d37e78d04cad7577edf4bdae7d7bfc9e5908872c707a *python/src/alibi/visual_scripts.js
8bc13ff80f42ca99462203ccf28cf2453d880f1d635ad9d0fb64f6cfc3704e9b *python/src/alibi/visual_styles.css
576c2e27ba4e70c3eedad6020d48d1d5a45dcd14fbdfb54b3212ba01bcf0dd93 *python/src/alibi/utils.py
ee99a784feae23033ca496247ec772e1332bfdb36d0b31e2d6bf390e26f3c9f2 *python/src/alibi/visual_companion.py

# --- repo-root attestation files ---
b278d8249a12ac4ae8d73f82b4782a0c37203b3b214da1258e01e8fc834b1b8c *README.md
8cc93207410fb81ed6b7bdcf6ffb2c0cec7aed1469fd276bf7a1252b781f8aa3 *SECURITY.md
bf0cf7f07367a8062ab175cb789d69d7c30665628c621c8a4702a796dd9c7f1a *README.md
e5e8b9a6d947a103c669abf6646a1840d234c9188c8ee77ac2912105d464eb3c *SECURITY.md
08cc5d577a2e8eafc5887c65b712c90746df4f47e4dfa8dec48af4d8436b06d6 *LICENSE
71f3f4179a8337ef32bc8bc6feddf63afeda3d2a03ab3a2eda97ac205e1f3e6f *docs/for-reviewers.md
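Review bot: the entries for `python/src/alibi/visual_scripts.js` and `python/src/alibi/visual_styles.css` are removed here while `scanner/visual_scripts.js` and `scanner/visual_styles.css` are added in the hunk above, so the Python port's `visual_companion.py` (whose hash also changes) must now locate those assets outside its own package; confirm it still finds them when `python/` is used on its own. The moved `visual_scripts.js` keeps a hash identical to the new scanner copy, but the `visual_styles.css` hashes differ, so say whether the stylesheet was intentionally edited in the move. Also, the `README.md` and `SECURITY.md` lines below attest text that is changed later in this same PR; any further edit to either file during review must be followed by regenerating these two entries.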
22 changes: 20 additions & 2 deletions README.md
Expand Up @@ -26,7 +26,6 @@ Author: **Bread** — Activision ID `Bread#3266221`, GitHub [@Sutaigne](https://
├── scanner/ ← the .ps1 scanner files (the engine)
├── python/ ← Python parity port (alternative implementation)
├── docs/ ← reviewer guide, dev history, design source
├── archive/ ← old builds, kept for provenance
├── README.md / SECURITY.md / HASHES.txt / LICENSE
```

Expand All @@ -51,6 +50,25 @@ alibi-rig

Python 3.10+ required. Pure stdlib (except an opt-in `urllib` call to [loldrivers.io](https://www.loldrivers.io) for BYOVD detection).

## If the download is blocked as a virus

`alibi` is an anti-cheat *scanner*, so by design it ships the very patterns antivirus hunts for: a plaintext list of cheat-brand names (`aimbot`, `wallhack`, `pcileech`, …) and the literal attack-command strings it looks for on a suspect machine (e.g. `iex (new-object net.webclient`). SmartScreen and some AV engines score those bytes — on a brand-new, unsigned, low-download-count file — as "suspicious," even though every file is plain, readable source. **This is a known false positive, not a real infection.** You can confirm that yourself: every shipped file's SHA256 is in [`HASHES.txt`](./HASHES.txt), and uploading the ZIP to [VirusTotal](https://www.virustotal.com) shows it clean across ~70 engines.

Two separate things you may hit, and the fix for each:

**1. "Virus detected" — the browser refuses to download.** This is SmartScreen reputation, not a confirmed threat. In Edge/Chrome: open the browser's **Downloads** list → the blocked item → **Keep** (Edge: ⋯ → *Keep* → *Keep anyway*). Then verify against `HASHES.txt`.

**2. "Access to the compressed (zipped) folder is denied" when extracting.** This is the *Mark of the Web* — Windows tags every internet download, and the built-in extractor then refuses. It is unrelated to any virus, and affects clean downloads too. Remove the tag in one line:

```powershell
Unblock-File .\alibi-main.zip # strip the internet tag
Expand-Archive .\alibi-main.zip # now extracts cleanly
```

Or: right-click the ZIP → **Properties** → tick **Unblock** → **OK**, then extract. (7-Zip ignores the tag entirely.)

The full explanation — why a defensive tool trips antivirus, how to report the false positive to Microsoft, and what we do (and deliberately don't do) to reduce it — is in [`SECURITY.md`](./SECURITY.md#antivirus--smartscreen-false-positives).

## What it detects

- **22 scanners** across Prefetch, BAM, MUICache, USB history, ShimCache, services, drivers, downloads, recent files, AppData, user-folder script content, lua scripts, obscured filenames, process modules, DLL injection event timeline, network attack tools, AI-vision aimbot constellation, known hashes, DMA build artifacts, application data dirs.
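Review bot: step 1 tells the user to "verify against `HASHES.txt`" right after overriding the download block, but `HASHES.txt` is inside the ZIP being verified and the ZIP itself has no entry in it (only the extracted files do), so a tampered archive would simply carry a matching list. Suggest stating the order explicitly: extract, then compare each file with `Get-FileHash -Algorithm SHA256 .\scanner\forensic-common.ps1` (or equivalent) against the `HASHES.txt` published in the repository on GitHub, not the copy that arrived in the download. The VirusTotal sentence in the intro has the same problem, since it currently reads as if the ZIP's own hash were in the list.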
Expand Down Expand Up @@ -84,7 +102,7 @@ The `_visual.html` files are fully self-contained (inline CSS + JS, no external
This kit's whole value is being readable by a reviewer who has no reason to trust the author. Therefore:

- All source is plain `.ps1` / `.py` / `.css` / `.js` / `.html`. Nothing is minified, compiled, or obfuscated.
- No binaries are shipped (the historical zips in `archive/` are PowerShell source).
- No binaries are shipped, and no opaque archives — version history lives in git, not in committed ZIPs.
- No external dependencies at runtime beyond Python 3.10+ stdlib (Python port) or the PowerShell that ships with Windows.
- No telemetry, no analytics, no tracking.
- Exactly one outbound network call (LOLDrivers BYOVD cross-reference) exists, prompts the user with Y/N before running, skipped by default with `-SkipLOLDrivers` / `--skip-loldrivers`, and is explicitly disclosed in every report.
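Review bot: the unchanged last bullet reads ambiguously: "prompts the user with Y/N before running, skipped by default with `-SkipLOLDrivers`" says both that the call prompts and that it is skipped by default, and the sentence is not parallel ("exists, prompts ..., skipped ..., and is disclosed"). Since the new bullet above now presents this list as the trust statement, tighten it to something like "Exactly one outbound network call exists (the LOLDrivers BYOVD cross-reference). It asks Y/N before running, is suppressed entirely with `-SkipLOLDrivers` / `--skip-loldrivers`, and is disclosed in every report." The new "no opaque archives" wording should also match the equivalent bullet in SECURITY.md word for word so the two do not drift.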
35 changes: 34 additions & 1 deletion SECURITY.md
Expand Up @@ -39,14 +39,47 @@ This routes the report directly to the maintainers and gives you a private chann

**Acceptable also:** open a public issue if and only if the report does not include active-evasion specifics (e.g. "PowerShell-encoded payload format that slips past `$ScriptContent_HighRisk`") that would help cheaters more than it would help defenders. When in doubt, use private reporting.

## Antivirus / SmartScreen false positives

A forensic anti-cheat scanner is, byte-for-byte, hard to tell apart from the things it hunts. `alibi` deliberately contains:

- a plaintext database of cheat-brand, spoofer, and DMA-hardware names (`keywords.py`, `forensic-common.ps1`);
- the literal high-risk command strings it scans a suspect machine for — e.g. `powershell -encodedcommand`, `iex (new-object net.webclient`, driver-signing-bypass flags (`forensic-common.ps1`);
- `.bat` launchers that self-elevate (`-Verb RunAs`) and run unsigned PowerShell (`-ExecutionPolicy Bypass`), because a downloaded, unsigned script won't run otherwise.

Signature and heuristic engines — and especially **SmartScreen reputation**, which blocks *new, unsigned, rarely-downloaded* files regardless of content — score those exactly as they'd score the real thing. The result is a false positive at download or extract time.

The detection you're most likely to see is **`Trojan:Script/Wacatac.B!ml`** on the GitHub ZIP download. The `!ml` suffix means it's a cloud machine-learning verdict, not a confirmed signature — `Wacatac.B!ml` is a well-known generic ML false positive that fires on many legitimate scripts and tools. An offline Defender signature scan of the same files returns clean, which is the tell. This false positive has been reported to Microsoft for reclassification.

None of it is an infection, and you can prove that:

- **Hashes.** Every shipped file's SHA256 is in [`HASHES.txt`](./HASHES.txt). Compare what you received against it.
- **VirusTotal.** Upload the ZIP to [virustotal.com](https://www.virustotal.com) for a ~70-engine second opinion.
- **The source.** Everything is plain text. The "suspicious" strings are detection signatures, sitting in readable arrays you can audit line by line.

### For people downloading the kit

- **Browser says "Virus detected" / blocks the download.** Override it in the browser's Downloads list (Edge: ⋯ → *Keep* → *Keep anyway*; Chrome: *Keep*), then verify against `HASHES.txt`.
- **"Access to the compressed (zipped) folder is denied" on extract.** That's the *Mark of the Web*, not a virus — Windows tags all internet downloads (see [Microsoft's Attachment Manager note](https://support.microsoft.com/en-us/topic/information-about-the-attachment-manager-in-microsoft-windows-c48a4dcd-8de5-2af5-ee9b-cd795ae42738)). Clear it with `Unblock-File .\alibi-main.zip` (or right-click the ZIP → Properties → **Unblock**), then extract. 7-Zip ignores the tag entirely.

### What we do about it

- **Report false positives to the vendor.** A confirmed false positive should be submitted to Microsoft at the [Defender Security Intelligence portal](https://www.microsoft.com/en-us/wdsi/filesubmission) (mark *"I believe this file is clean"* and note it's an open-source defensive forensic tool). A reclassification there clears the verdict for everyone. If you hit a block on another vendor's engine, tell us via private reporting and we'll submit it there too.
- **Keep the trigger surface minimal.** We don't commit redundant ZIP archives or compiled blobs; the only thing in the repo is the readable source the tool needs to run.

### What we deliberately don't do

- **We don't obfuscate or encode the keyword database to dodge antivirus.** Runtime-decoded string blobs read as *more* malicious to heuristics, not less — and unreadable detection logic would break the kit's whole "read every line" trust model. The signatures stay in plaintext on purpose.
- **We don't Authenticode-sign** (see [What we don't do](#what-we-dont-do)). Signing would raise download reputation, but it fights the same plain-source trust model. We trade that reputation cost for auditability and lean on hashes + VirusTotal + vendor submission instead.

## Disclosure timeline

We aim for an initial response within 7 days of the report. Substantive fixes target the next minor release (typically within 2–4 weeks). Public disclosure happens after the fix ships, with credit to the reporter unless anonymity is requested.

## What we don't do

- **We don't sign Authenticode certificates.** This is a plain-source kit; binary signing fights the "read every line" trust model.
- **We don't ship a binary that can't be audited.** Every file in the kit is plain `.ps1` / `.py` / `.html` / `.css` / `.js` / `.txt`. The `archive/` zips are historical PowerShell source, not compiled.
- **We don't ship a binary that can't be audited.** Every file in the kit is plain `.ps1` / `.py` / `.html` / `.css` / `.js` / `.txt` — no compiled binaries, and no opaque archives. Version history lives in git, not in committed ZIPs.
- **We don't run a bug bounty.** This is an open community kit, not a commercial product. Credit and a `CHANGELOG.md` entry are what we have to offer.

## Authors
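Review bot: the new bullet "We don't Authenticode-sign (see What we don't do)" links to a bullet that says "We don't sign Authenticode certificates", which names the wrong object: scripts are signed with an Authenticode certificate, the certificate is not what gets signed. Since this PR now cross-references that line, fix it here to "We don't Authenticode-sign the scripts". Two smaller points: "A reclassification there clears the verdict for everyone" should say whether the clearance is tied to the submitted file, because every new release ZIP is a new hash and may need resubmitting; and the download/extract bullets duplicate the README's new section almost verbatim, so consider keeping one copy and linking to it.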
Binary file removed archive/pc-forensic-check-05.22.2026.zip
Binary file not shown.
Binary file removed archive/pc-forensic-check-5.22.2026.zip
Binary file not shown.
Binary file removed archive/pc-forensic-check.zip
Binary file not shown.
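Review bot: two of the three removed archives differ only in the date spelling (`05.22.2026` vs `5.22.2026`), which suggests duplicate uploads of one build and deserves a line in the PR description. Removing them from the tree also does not remove them from history, so the README and SECURITY.md claim "no opaque archives" holds for a checkout of HEAD, not for a full clone; "version history lives in git" implies this, but docs/for-reviewers.md should state plainly that HASHES.txt attests only the current tree.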