
False positive (Termius) #131

Open
Permanently opened this issue Aug 21, 2022 · 1 comment

Comments

@Permanently

Earlier I was on Termius running a few SFTP sessions, when I tried launching a remote file in Notepad++. Upon attempting this, Termius shut off in a way that made me think it had crashed. Tried a few more times, with no success.

I'm just about to get some shut-eye for work tomorrow, when I see a Raccine popup linking to the Termius window I had open 5 hours prior. Turns out, Termius launches Notepad++, along with any other specified program, in the stupidest way I think I've ever seen. I don't blame Raccine for the false positive, I blame Termius for the ludicrous method they have chosen to launch programs.

Detection:

21/08/2022 18:33:09
Raccine detected malicious activity:
C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive –ExecutionPolicy Bypass -EncodedCommand UwB0AGEAcgB0ACAAIgBgACIAUwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4AbwB0AGUAcABhAGQAKwArAFwAbgBvAHQAZQBwAGEAZAArACsALgBlAHgAZQBgACIAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAGAAIgBDADoAXABVAHMAZQByAHMAXAB0AGgAZQBiAGkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwAC0AMgAzADgAMQA2AC0AcABRADIAUABTAFQAMwA5AGgAQQBiAHMAXABpAG4AZABlAHgALgBoAHQAbQBsAGAAIgAiAA== 

You can find the full detection log here.

After decoding the Base64 string, it was quickly found that it wasn't malicious at all.

In other news, is this something that can be added as an exception in the repo? Or, would I need to exempt Termius from Raccine rules manually?

Neo23x0 added a commit that referenced this issue Aug 22, 2022
@migmam

migmam commented Nov 23, 2023

The proposed code:

```yara
$fp1a = "ParentName=\"Termius.exe\""
$fp1b = "ParentExecutablePath=\"C:\\Program Files\\WindowsApps\\"
```

doesn't work, as Raccine only analyzes the childCommandLine and therefore is not able to extract the ParentName.

Raccine code:

```cpp
bool YaraRuleRunner::run_yara_rules_on_file(const std::filesystem::path& target_file,
                                            const std::wstring& command_line,
                                            std::wstring& out_yara_output,
                                            std::wstring& yara_cmd_optional_defines)
```
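A worked decode and triage of the logged command line, added here as an example that is not Raccine's or Termius' code: it pulls the -EncodedCommand payload out of the detection above, decodes it (Base64 over UTF-16LE), parses the Start launcher it contains, and decides from the child command line alone, which is all Raccine inspects, as migmam notes. The allow policy (executable under Program Files, argument that is not itself a script or binary) and the extra sample inputs are assumptions constructed for this example.

```python
import base64
import re
from typing import Optional, Tuple

# The powershell command line Raccine logged in this issue (plain hyphen before ExecutionPolicy).
TERMIUS_CMDLINE = (
    r"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell -NoProfile -NonInteractive "
    "-ExecutionPolicy Bypass -EncodedCommand "
    "UwB0AGEAcgB0ACAAIgBgACIAUwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4AbwB0AGUAcABhAGQAKwArAFwAbgBvAHQAZQBwAGEAZAArACsALgBlAHgAZQBgACIAIgAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIAAiAGAAIgBDADoAXABVAHMAZQByAHMAXAB0AGgAZQBiAGkAXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwAC0AMgAzADgAMQA2AC0AcABRADIAUABTAFQAMwA5AGgAQQBiAHMAXABpAG4AZABlAHgALgBoAHQAbQBsAGAAIgAiAA=="
)

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the usual spellings.
ENC_RE = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/]+=*)")
# Termius' launcher shape: Start "`"<exe>`"" -ArgumentList "`"<file>`""  (`" is an escaped quote).
LAUNCH_RE = re.compile(r'^\s*Start(?:-Process)?\s+"(?:`")?([^`"]+)(?:`")?"\s+'
                       r'-ArgumentList\s+"(?:`")?([^`"]+)(?:`")?"\s*$')
# Hypothetical allow policy for this example: exe under Program Files, argument not a script/binary.
TRUSTED_EXE_RE = re.compile(r"(?i)^[a-z]:\\program files(?: \(x86\))?\\")
RISKY_ARG_RE = re.compile(r"(?i)\.(?:exe|ps1|bat|cmd|vbs|js)$")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload decoded (Base64 of UTF-16LE), or None if absent."""
    m = ENC_RE.search(cmdline)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command, used to build constructed samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def parse_launcher(decoded: str) -> Optional[Tuple[str, str]]:
    """Split a Start/Start-Process launcher into (executable, argument), else None."""
    m = LAUNCH_RE.match(decoded)
    return (m.group(1), m.group(2)) if m else None


def is_benign_launcher(cmdline: str) -> bool:
    """Decide from the child command line alone, since that is all Raccine inspects."""
    decoded = decode_encoded_command(cmdline)
    parsed = parse_launcher(decoded) if decoded else None
    if parsed is None:
        return False
    exe, arg = parsed
    return bool(TRUSTED_EXE_RE.match(exe)) and not RISKY_ARG_RE.search(arg)


if __name__ == "__main__":
    print(decode_encoded_command(TERMIUS_CMDLINE))
    print("benign launcher:", is_benign_launcher(TERMIUS_CMDLINE))
```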
