ExplorerPatcher/.github/workflows/issue-check.yml

name: Duplicate malware/virus flags issues handler

on:
  issues:
    types: [opened]

jobs:
  check_keywords:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Check for keywords in issue title and body
        id: check_keywords
        run: |
          # Define the list of keywords
          keywords=("Virus" "Malware" "trojan" "Windows Defender" "Antivirus" "bitdefender" "defender" "kaspersky" "unwanted" "harmful" "HackTool:Win64/ExplorerPatcher!MTB" "HackTool:Win64/Patcher!MSR" "HackTool" "Backdoor" "detection" "Norton" "Windows Security" "Win64:MalwareX-gen" "Microsoft Defender" "infected" "Potentially unwanted app found" "potentially unwanted software" "VIRUSTOTAL")
          
          # Get the issue title and body from the event context
          ISSUE_TITLE="${{ github.event.issue.title }}"
          
          # Convert both title and body to lowercase for case-insensitive comparison
          ISSUE_TITLE_LOWER=$(echo "$ISSUE_TITLE" | tr '[:upper:]' '[:lower:]')
          
          # Check if any of the keywords are present in the title or body
          for keyword in "${keywords[@]}"; do
            # Convert the keyword to lowercase as well
            KEYWORD_LOWER=$(echo "$keyword" | tr '[:upper:]' '[:lower:]')

            if [[ "$ISSUE_TITLE_LOWER" == *"$KEYWORD_LOWER"* ]] || [[ "$ISSUE_BODY_LOWER" == *"$KEYWORD_LOWER"* ]]; then
              echo "'$keyword' found"
              echo "contains_keyword=true" >> $GITHUB_ENV
              break
            fi
          done

      - name: Comment, label, and close issue if keyword found
        if: env.contains_keyword == 'true'  # Only run if a keyword was found
        run: |
          ISSUE_NUMBER="${{ github.event.issue.number }}"
          REPO="${{ github.repository }}"
          
          # Define the body of the comment with Markdown formatting
          COMMENT_BODY="> [!CAUTION]
          ><ins>**Microsoft and other major antivirus vendors have flagged ExplorerPatcher as \"malware\".**</ins> This is likely due to Microsoft's hatred against ExplorerPatcher, not because it contains a virus or such. Flags from Microsoft usually spread to other antivirus vendors.

          Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:

          \`\`\`
          C:\Program Files\ExplorerPatcher
          %APPDATA%\ExplorerPatcher
          C:\Windows\dxgi.dll
          C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy
          C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy
          \`\`\`

          For Defender, you can run the following script in PowerShell as an administrator:

          \`\`\`
          Add-MpPreference -ExclusionPath \"C:\Program Files\ExplorerPatcher\"
          Add-MpPreference -ExclusionPath \"\$env:APPDATA\ExplorerPatcher\"
          Add-MpPreference -ExclusionPath \"C:\Windows\dxgi.dll\"
          Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\"
          Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\"
          \`\`\`
          
          ### **Failure to exclude ExplorerPatcher's files may result in inability to install/uninstall ExplorerPatcher and explorer.exe being unable to start.**

          If you do not trust this process, please refrain from using ExplorerPatcher and look for alternatives instead.

          Microsoft, if you are reading this, please reconsider the detections as [there are a lot of users who trust this program and that risks from future EP developers are a thing.](https://www.youtube.com/watch?v=R50myh-AAe0)

          This issue was closed automatically. You want to discuss this in https://github.com/valinet/ExplorerPatcher/issues/3670."

          # Escape the Markdown content for proper JSON formatting
          COMMENT_BODY_ESCAPED=$(printf "%s" "$COMMENT_BODY" | jq -Rs .)

          # Post a comment on the issue with formatted text
          curl -X POST \
            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -d "{\"body\": $COMMENT_BODY_ESCAPED}" \
            "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/comments"

          # Add the "duplicate" label to the issue
          curl -X POST \
            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -d '{"labels":["duplicate"]}' \
            "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/labels"

          # Close the issue
          curl -X PATCH \
            -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -d '{"state": "closed"}' \
            "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER"
Improve the Issues tab by adding forms and auto-comment/close malware related issues (#4046) 2024-12-17 03:31:27 +01:00			`name: Duplicate malware/virus flags issues handler`

			`on:`
			`issues:`
			`types: [opened]`

			`jobs:`
			`check_keywords:`
CI: Update OS images, Do not persist credentials, Checkout v4 (#4071) * Update OS images, Do not persist credentials, Checkout v4. * Do not persist credentials in issue-check. 2024-12-27 22:20:23 +01:00			`runs-on: ubuntu-22.04`
Improve the Issues tab by adding forms and auto-comment/close malware related issues (#4046) 2024-12-17 03:31:27 +01:00			`steps:`
			`- name: Checkout repository`
CI: Update OS images, Do not persist credentials, Checkout v4 (#4071) * Update OS images, Do not persist credentials, Checkout v4. * Do not persist credentials in issue-check. 2024-12-27 22:20:23 +01:00			`uses: actions/checkout@v4`
			`with:`
			`persist-credentials: false`
Improve the Issues tab by adding forms and auto-comment/close malware related issues (#4046) 2024-12-17 03:31:27 +01:00
			`- name: Check for keywords in issue title and body`
			`id: check_keywords`
			`run: \|`
			`# Define the list of keywords`
			`keywords=("Virus" "Malware" "trojan" "Windows Defender" "Antivirus" "bitdefender" "defender" "kaspersky" "unwanted" "harmful" "HackTool:Win64/ExplorerPatcher!MTB" "HackTool:Win64/Patcher!MSR" "HackTool" "Backdoor" "detection" "Norton" "Windows Security" "Win64:MalwareX-gen" "Microsoft Defender" "infected" "Potentially unwanted app found" "potentially unwanted software" "VIRUSTOTAL")`

			`# Get the issue title and body from the event context`
			`ISSUE_TITLE="${{ github.event.issue.title }}"`

			`# Convert both title and body to lowercase for case-insensitive comparison`
			`ISSUE_TITLE_LOWER=$(echo "$ISSUE_TITLE" \| tr '[:upper:]' '[:lower:]')`

			`# Check if any of the keywords are present in the title or body`
			`for keyword in "${keywords[@]}"; do`
			`# Convert the keyword to lowercase as well`
			`KEYWORD_LOWER=$(echo "$keyword" \| tr '[:upper:]' '[:lower:]')`

			`if [[ "$ISSUE_TITLE_LOWER" == "$KEYWORD_LOWER" ]] \|\| [[ "$ISSUE_BODY_LOWER" == "$KEYWORD_LOWER" ]]; then`
			`echo "'$keyword' found"`
			`echo "contains_keyword=true" >> $GITHUB_ENV`
			`break`
			`fi`
			`done`

			`- name: Comment, label, and close issue if keyword found`
			`if: env.contains_keyword == 'true' # Only run if a keyword was found`
			`run: \|`
			`ISSUE_NUMBER="${{ github.event.issue.number }}"`
			`REPO="${{ github.repository }}"`

			`# Define the body of the comment with Markdown formatting`
			`COMMENT_BODY="> [!CAUTION]`
			`><ins>Microsoft and other major antivirus vendors have flagged ExplorerPatcher as \"malware\".</ins> This is likely due to Microsoft's hatred against ExplorerPatcher, not because it contains a virus or such. Flags from Microsoft usually spread to other antivirus vendors.`

			`Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections:`

			\`\`\`
			`C:\Program Files\ExplorerPatcher`
			`%APPDATA%\ExplorerPatcher`
			`C:\Windows\dxgi.dll`
			`C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy`
			`C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy`
			\`\`\`

			`For Defender, you can run the following script in PowerShell as an administrator:`

			\`\`\`
			`Add-MpPreference -ExclusionPath \"C:\Program Files\ExplorerPatcher\"`
			`Add-MpPreference -ExclusionPath \"\$env:APPDATA\ExplorerPatcher\"`
			`Add-MpPreference -ExclusionPath \"C:\Windows\dxgi.dll\"`
			`Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\"`
			`Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\"`
			\`\`\`

			`### Failure to exclude ExplorerPatcher's files may result in inability to install/uninstall ExplorerPatcher and explorer.exe being unable to start.`

			`If you do not trust this process, please refrain from using ExplorerPatcher and look for alternatives instead.`

			`Microsoft, if you are reading this, please reconsider the detections as [there are a lot of users who trust this program and that risks from future EP developers are a thing.](https://www.youtube.com/watch?v=R50myh-AAe0)`

			`This issue was closed automatically. You want to discuss this in https://github.com/valinet/ExplorerPatcher/issues/3670."`

			`# Escape the Markdown content for proper JSON formatting`
			`COMMENT_BODY_ESCAPED=$(printf "%s" "$COMMENT_BODY" \| jq -Rs .)`

			`# Post a comment on the issue with formatted text`
			`curl -X POST \`
			`-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \`
			`-d "{\"body\": $COMMENT_BODY_ESCAPED}" \`
			`"https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/comments"`

			`# Add the "duplicate" label to the issue`
			`curl -X POST \`
			`-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \`
			`-d '{"labels":["duplicate"]}' \`
			`"https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/labels"`

			`# Close the issue`
			`curl -X PATCH \`
			`-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \`
			`-d '{"state": "closed"}' \`
			`"https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER"`