Burp Suite User Forum


CO2 extension marked by antiviruses as malware

Martin | Last updated: Nov 03, 2023 06:28PM UTC

The CO2 extension is considered malware by more AV/EDR vendors. I could not find a reason behind it and our EDR vendor did not share their reasons either. Do you have a clue what is going on here? The page for the extension is https://portswigger.net/bappstore/c5071c7a7e004f72ae485e8a72911afc. The source code is at https://github.com/portswigger/co2 (I did not compile it myself to verify). The bundled file is marked as malware by many vendors: https://www.virustotal.com/gui/file/1ab1e466597ecff0602829b7a1c8f88aa1a56a0a0040c0df6e54d18366b4d2f5

I suspect that because it is a penetration testing tool, some strings might be a trigger for detection, but it's not clear anyway, because the extension bundles a few other tools and almost none of them contains such strings (except sqlmap). The behavior should not be suspicious, except that it modifies the system when installing the other tools.

Hannah, PortSwigger Agent | Last updated: Nov 06, 2023 10:19AM UTC

Hi, thanks for letting us know that this extension is getting flagged. As you mentioned, if an extension contains String payloads, it can get flagged in error. Typically, we'd recommend authors encode their payloads in some way to avoid getting flagged. We'll look into this to see if we can find what is triggering the antivirus. In the meantime, this extension may be removed from the BApp Store. If you are at all worried about this extension, we'd recommend reviewing their code and building it yourself to import into Burp. It looks like it's the actual JAR file that is getting flagged though, so it is likely that this would still get flagged up by vendors.
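Added example, not part of the thread above and not PortSwigger's or the CO2 authors' code: a Python script for the two checks a reporter in Martin's position can run offline before a vendor answers. First, confirm that the JAR on disk really is the file in the VirusTotal report (the identifier in the VirusTotal URL is the file's SHA-256). Second, pull printable strings out of every JAR member, the way `strings` or a static AV signature would see them, and report the ones matching attack-tool patterns, so the member that trips the detection can be named. The suspect patterns and the demo JAR are constructed stand-ins (the real signatures used by the vendors are unknown), and the demo also shows Hannah's suggestion at work: once the payload constants are base64-encoded, a plain string match no longer finds them, while the bundled sqlmap README is still caught.

```python
import base64
import hashlib
import io
import re
import zipfile

# Runs of at least MIN_LEN printable ASCII bytes: the same heuristic the
# `strings` utility uses, and roughly what a static string signature sees.
MIN_LEN = 6
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Hypothetical patterns standing in for strings an AV engine might key on.
# The actual signatures behind the detections in the thread are not known.
SUSPECT_PATTERNS = [
    re.compile(rb"(?i)\bsqlmap\b"),
    re.compile(rb"(?i)union\s+all\s+select"),
    re.compile(rb"(?i)'\s*or\s*1\s*=\s*1"),
    re.compile(rb"<script>"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_report(jar_bytes: bytes, expected_sha256: str) -> bool:
    """True if the JAR is the exact file a VirusTotal report (keyed by SHA-256) describes."""
    return sha256_hex(jar_bytes) == expected_sha256.lower()


def extract_strings(data: bytes):
    return [m.group(0) for m in PRINTABLE.finditer(data)]


def scan_jar(jar_bytes: bytes) -> dict:
    """Return {member_name: [suspect strings]} for every JAR member with a hit."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)  # zipfile inflates compressed members
            matched = [s.decode("ascii") for s in extract_strings(data)
                       if any(p.search(s) for p in SUSPECT_PATTERNS)]
            if matched:
                hits[info.filename] = matched
    return hits


def build_demo_jar(encode_payloads: bool) -> bytes:
    """Constructed stand-in for an extension JAR (not the real CO2 build).

    A real JAR holds compiled class files; here a fake class with some
    constant-pool-like bytes and a bundled tool README play the part.
    """
    payloads = [b"' OR 1=1 --", b"UNION ALL SELECT NULL,NULL",
                b"<script>alert(1)</script>"]
    if encode_payloads:
        # Hannah's suggestion: store payloads encoded, decode at runtime.
        payloads = [base64.b64encode(p) for p in payloads]
    class_blob = b"\xca\xfe\xba\xbe" + b"\x00" * 8 + b"\n".join(payloads) + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("burp/Payloads.class", class_blob)
        zf.writestr("tools/sqlmap/README", "sqlmap - automatic SQL injection tool\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, encoded in (("plaintext payloads", False), ("base64 payloads", True)):
        jar = build_demo_jar(encoded)
        print(f"== {label} (sha256 {sha256_hex(jar)[:16]}...) ==")
        for member, strings in scan_jar(jar).items():
            for s in strings:
                print(f"  {member}: {s}")
    # Against a downloaded BApp: scan_jar(open('co2.jar','rb').read()) and
    # matches_report(..., '<sha256 from the VirusTotal URL>')
```

Two caveats a practitioner should keep in mind. Encoding only defeats static string matching; an EDR that flags behaviour, such as the installer writing other tools to disk as Martin describes, is unaffected, and a sufficiently thorough engine can decode base64 constants itself. And the scan has to run over the actual release JAR from the BApp Store: a JAR built from source may differ byte-for-byte and so carry a different hash than the one in the report.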
