I noticed my Ubuntu 20.04 in WSL couldn’t use jq all of a sudden.
I would pipe something to jq and get
-bash: /usr/bin/jq: cannot execute binary file: Exec format error (23) Failed writing body
Noticed Windows Defender had flagged jq as Trojan:Win32/Casdet!rfn
I checked that this jq came from the official Ubuntu repo. I spun up a new Ubuntu 20.04 machine on a VPS and installed jq there. Compared checksums. It is a match.
Reported to Microsoft. They agreed it may be a false positive and said that tomorrow’s definitions update will fix it.
Update came. All good. Next day jq is being deleted / quarantined again. What the heck?!
It is now being reported as Trojan:Linux/CoinMiner.N!MTB
I resubmit to Microsoft explaining the provenance of the binary and why I think it is a false positive. To my surprise they now say
We have determined that the files meet our criteria for detection. At this time detection will remain in place.
So Microsoft are now implying that Ubuntu distribute malware or that their repo has been breached. What nonsense!
Any ideas how we can end this craziness?
Edit: Seems the issue is on GitHub.
Anyone having the same issue who finds this thread: My workaround was downloading the statically linked binary from GitHub and replacing /usr/bin/jq with it. Alternatively one could put the WSL filesystem into the Windows Defender exclusion list, but I chose the former.
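The checksum comparison described in the post (confirming that the flagged /usr/bin/jq is byte-for-byte the file Ubuntu's package shipped) can be done locally against the manifest dpkg records at install time, without spinning up a second machine. The script below is an added example and not something the original poster wrote; it reads a dpkg-style md5sums manifest (on a real Ubuntu system that is /var/lib/dpkg/info/jq.md5sums, with / as the root, and `dpkg -V jq` performs the same check) and reports any file whose current hash differs. The fixture it builds under a temporary directory, the file contents and the package name in it are constructed for the demonstration.

```shell
#!/bin/sh
# verify_manifest MANIFEST ROOT
#   MANIFEST: dpkg-style md5sums file, one "md5hex  relative/path" line per file
#   ROOT:     directory the relative paths are resolved against ("/" on a real system)
# Prints OK / MISMATCH / MISSING per file; returns 0 only if every file matches.
# Note: like dpkg's own format, paths are assumed not to contain whitespace.
verify_manifest() {
    manifest=$1
    root=$2
    rc=0
    while read -r expected path; do
        [ -n "$path" ] || continue            # skip blank lines
        target="$root/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"             # AV quarantine typically removes the file
            rc=1
            continue
        fi
        actual=$(md5sum "$target" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            rc=1
        fi
    done < "$manifest"
    return $rc
}

# make_fixture DIR
#   Builds a constructed package tree under DIR: a fake "jq" binary at usr/bin/jq
#   plus a matching jq.md5sums manifest, mimicking what dpkg leaves behind.
make_fixture() {
    dir=$1
    mkdir -p "$dir/usr/bin"
    printf 'constructed stand-in for the jq binary\n' > "$dir/usr/bin/jq"
    sum=$(md5sum "$dir/usr/bin/jq" | cut -d' ' -f1)
    printf '%s  usr/bin/jq\n' "$sum" > "$dir/jq.md5sums"
}

# demo: verify a clean tree, then tamper with the file and verify again.
demo() {
    d=$(mktemp -d)
    make_fixture "$d"
    echo "--- clean tree ---"
    verify_manifest "$d/jq.md5sums" "$d" || echo "unexpected: clean tree failed"
    printf 'appended bytes\n' >> "$d/usr/bin/jq"
    echo "--- after modification ---"
    verify_manifest "$d/jq.md5sums" "$d" || echo "integrity check failed as expected"
    rm -rf "$d"
    return 0
}

demo
```

If the installed file matches the manifest, the binary is exactly what the distribution's package contained, which is the evidence to attach to a false-positive report; a MISMATCH or MISSING result is the cue to stop and investigate rather than assume the detection is spurious. For a binary replaced by a download from GitHub, as in the workaround above, the same idea applies using the project's published checksum instead of the dpkg manifest.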