A new release (v1.11.57) has shipped. Submit it to Microsoft for false-positive review so the new hash plus our publisher reputation continue to accrue.
One-click portal
https://www.microsoft.com/en-us/wdsi/filesubmission
Choose Submit a file for malware analysis → category Software developer → action This software should not be detected as malware.
File to upload
Termpolis.Setup.1.11.57.exe (104MB)
SHA256: 65f3a982aa9f33dcc9d2195a4ad558c580dfb882e59571487e7ed89622f8c59d
If you don't have a copy of the installer locally:
Invoke-WebRequest -Uri "https://github.com/codedev-david/termpolis/releases/download/v1.11.57/Termpolis.Setup.1.11.57.exe" -OutFile "Termpolis.Setup.1.11.57.exe"
Get-FileHash "Termpolis.Setup.1.11.57.exe" -Algorithm SHA256
Pre-filled form fields — paste verbatim
Detection name (substitute whatever Defender currently reports — rotates between Cinjo.O!cl, Wacatac.B!ml, Sabsik.FL.B!ml, etc.):
Engine + signature versions (run on a Defender-equipped Windows box and paste both):
Get-MpComputerStatus | Select-Object AntivirusSignatureVersion, AMEngineVersion
Software publisher / contact: David Engelhart — david.engelhart@msimga.com
Product: Termpolis (https://termpolis.com)
Submission category: Software developer
Justification (paste verbatim into the "Additional Information" box):
Termpolis is a code-signed multi-agent AI terminal application (https://github.com/codedev-david/termpolis) — an Electron app that orchestrates Claude Code, OpenAI Codex, Gemini CLI, and Qwen Code as user-launched subprocess terminals. Architecturally equivalent to Warp, Cursor, and the Claude Code CLI — same AI-provider→shell flow that the well-known peer ecosystem uses. The signed Termpolis.exe legitimately receives text from AI provider APIs (api.anthropic.com, api.openai.com, etc.) and executes shell commands the user has approved through the UI; this is the standard AI-terminal workflow, not a remote-attacker channel.
The installer (Termpolis.Setup.1.11.57.exe, SHA256 65f3a982aa9f33dcc9d2195a4ad558c580dfb882e59571487e7ed89622f8c59d) is signed with our SSL.com OV code-signing certificate (CN=David Engelhart, thumbprint 43025637A49BD023DED20645127D834D697D060B). Get-AuthenticodeSignature reports Valid before Defender quarantines it.
Defender's cloud-ML classifier has flagged Termpolis.exe (and our shortcut targets) as Trojan:Win32/Cinjo.O!cl ("This program is dangerous and executes commands from an attacker"). The !cl suffix indicates a runtime classifier judgement, not a signature match. The Cinjo family signature appears triggered by the legitimate AI-agent network→shell flow that every AI terminal exhibits. The binary has no obfuscation, packing, or unusual entry-point logic — it's a standard electron-builder NSIS package. We have no persistence beyond the user-approved NSIS shortcut creation, no auto-elevation, and no telemetry that runs without explicit opt-in (verifiable in src/main/sentry.ts in the public repo).
Reproduction:
- Download from https://github.com/codedev-david/termpolis/releases/tag/v1.11.57
- Run on a freshly-updated Windows 11 box with Defender enabled
- Within ~60 seconds of install, Defender quarantines %LOCALAPPDATA%\Programs\Termpolis\Termpolis.exe and all shortcuts
Happy to provide the public build pipeline (.github/workflows/release.yml), the v1.11.56 hardening commit (b10c830), or any other artifacts on request.
After submission
- Microsoft typically replies within 24–72 hours via wdsisupport@microsoft.com
- A confirmed FP triggers a cloud-definitions update that propagates to all Defender installs within hours
- Close this issue once you've received their reply
Why per-release?
Defender's cloud-ML scores per-binary hash. Each new build starts from zero reputation until our publisher (the SSL.com OV cert) accumulates enough benign-tagged builds. After ~3–5 successful submissions, future builds typically inherit publisher reputation and stop getting flagged in the first place — at which point this workflow can be retired.
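A pre-submission check, added here as an example (not part of the original issue or the Termpolis repository): it confirms that the local installer matches the SHA256 and signing-certificate thumbprint quoted above, then gathers the Defender versions the form asks for. It assumes the installer sits in the current directory and the Defender cmdlets are available; the variable names are illustrative.

```powershell
# Added example. Expected values are copied from this issue.
$Installer          = 'Termpolis.Setup.1.11.57.exe'
$ExpectedSha256     = '65f3a982aa9f33dcc9d2195a4ad558c580dfb882e59571487e7ed89622f8c59d'
$ExpectedThumbprint = '43025637A49BD023DED20645127D834D697D060B'

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer (download it from the release page first)"
}

# 1. The file on disk must be the exact build named in the submission.
$actualHash = (Get-FileHash -LiteralPath $Installer -Algorithm SHA256).Hash
if ($actualHash -ne $ExpectedSha256) {   # -ne compares strings case-insensitively
    throw "SHA256 mismatch: got $actualHash"
}

# 2. The Authenticode signature must be valid and come from the expected certificate.
$sig = Get-AuthenticodeSignature -LiteralPath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature status is '$($sig.Status)': $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
    throw "Unexpected signer thumbprint: $($sig.SignerCertificate.Thumbprint)"
}

# 3. Collect the Defender versions requested by the submission form.
$mp = Get-MpComputerStatus

# Summary to copy into the form fields.
[pscustomobject]@{
    File             = $Installer
    SHA256           = $actualHash.ToLower()
    SignatureStatus  = $sig.Status
    SignerSubject    = $sig.SignerCertificate.Subject
    SignerThumbprint = $sig.SignerCertificate.Thumbprint
    Timestamped      = [bool]$sig.TimeStamperCertificate
    SignatureVersion = $mp.AntivirusSignatureVersion
    EngineVersion    = $mp.AMEngineVersion
} | Format-List
```

Run it before Defender quarantines the file; a hash or thumbprint mismatch means the local copy is not the build described in the justification text and should not be uploaded.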