name: Duplicate malware/virus flags issues handler on: issues: types: [opened] jobs: check_keywords: runs-on: ubuntu-22.04 steps: - name: Checkout repository uses: actions/checkout@v4 with: persist-credentials: false - name: Check for keywords in issue title and body id: check_keywords run: | # Define the list of keywords keywords=("Virus" "Malware" "trojan" "Windows Defender" "Antivirus" "bitdefender" "defender" "kaspersky" "unwanted" "harmful" "HackTool:Win64/ExplorerPatcher!MTB" "HackTool:Win64/Patcher!MSR" "HackTool" "Backdoor" "detection" "Norton" "Windows Security" "Win64:MalwareX-gen" "Microsoft Defender" "infected" "Potentially unwanted app found" "potentially unwanted software" "VIRUSTOTAL") # Get the issue title and body from the event context ISSUE_TITLE="${{ github.event.issue.title }}" # Convert both title and body to lowercase for case-insensitive comparison ISSUE_TITLE_LOWER=$(echo "$ISSUE_TITLE" | tr '[:upper:]' '[:lower:]') # Check if any of the keywords are present in the title or body for keyword in "${keywords[@]}"; do # Convert the keyword to lowercase as well KEYWORD_LOWER=$(echo "$keyword" | tr '[:upper:]' '[:lower:]') if [[ "$ISSUE_TITLE_LOWER" == *"$KEYWORD_LOWER"* ]] || [[ "$ISSUE_BODY_LOWER" == *"$KEYWORD_LOWER"* ]]; then echo "'$keyword' found" echo "contains_keyword=true" >> $GITHUB_ENV break fi done - name: Comment, label, and close issue if keyword found if: env.contains_keyword == 'true' # Only run if a keyword was found run: | ISSUE_NUMBER="${{ github.event.issue.number }}" REPO="${{ github.repository }}" # Define the body of the comment with Markdown formatting COMMENT_BODY="> [!CAUTION] >**Microsoft and other major antivirus vendors have flagged ExplorerPatcher as \"malware\".** This is likely due to Microsoft's hatred against ExplorerPatcher, not because it contains a virus or such. Flags from Microsoft usually spread to other antivirus vendors. Please include the following files and folders in your antivirus' exclusion list to prevent issues due to antivirus detections: \`\`\` C:\Program Files\ExplorerPatcher %APPDATA%\ExplorerPatcher C:\Windows\dxgi.dll C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy \`\`\` For Defender, you can run the following script in PowerShell as an administrator: \`\`\` Add-MpPreference -ExclusionPath \"C:\Program Files\ExplorerPatcher\" Add-MpPreference -ExclusionPath \"\$env:APPDATA\ExplorerPatcher\" Add-MpPreference -ExclusionPath \"C:\Windows\dxgi.dll\" Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\" Add-MpPreference -ExclusionPath \"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\" \`\`\` ### **Failure to exclude ExplorerPatcher's files may result in inability to install/uninstall ExplorerPatcher and explorer.exe being unable to start.** If you do not trust this process, please refrain from using ExplorerPatcher and look for alternatives instead. Microsoft, if you are reading this, please reconsider the detections as [there are a lot of users who trust this program and that risks from future EP developers are a thing.](https://www.youtube.com/watch?v=R50myh-AAe0) This issue was closed automatically. You want to discuss this in https://github.com/valinet/ExplorerPatcher/issues/3670." # Escape the Markdown content for proper JSON formatting COMMENT_BODY_ESCAPED=$(printf "%s" "$COMMENT_BODY" | jq -Rs .) # Post a comment on the issue with formatted text curl -X POST \ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -d "{\"body\": $COMMENT_BODY_ESCAPED}" \ "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/comments" # Add the "duplicate" label to the issue curl -X POST \ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -d '{"labels":["duplicate"]}' \ "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER/labels" # Close the issue curl -X PATCH \ -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -d '{"state": "closed"}' \ "https://api.github.com/repos/$REPO/issues/$ISSUE_NUMBER"