Thank you for your comments!

In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary the .py script on GitHub can be leveraged. We have learned a lot during our releases to include, leaving '.DS_Store' within the zip, consistent folder/file names, etc.

This is the first time we have released tools to the public for free. We will continue to develop, improve, and grow our processes as these opportunities are identified. We truly appreciate the feedback and suggestions and will continue to take them into account with every release.

GitHub Repo: https://github.com/RookLabs/mi...
Blog Post: https://www.rooksecurity.com/w...

Depending on the directory you choose will drive the amount of time the tool will take to execute. Using the Deep Scan, which I recommend, Milano is creating MD5 hashes of every file on your system and comparing against our list of bad files. The process of hashing each file will take quite a few cycles. I think your recommendation of running during downtime is best.

I completely understand executing caution when opening or using new files, especially when they're an executable, from a not so known company, and AV software is recommending you do so. Below are the VirusTotal results for both the Package1_1.zip and HT_Malware_Observations.pdf. The PDF contained within the zip is what is causing the AV to trigger. We believe this is due to string detection. The PDF contains file names like dropper.dll, _d9jaoFG.fXR, etc. It's very likely the AV is searching for these types of files/libraries being packaged within a malicious payload.

Scan results:
Package1_1.zip
VT Results: https://www.virustotal.com/en/...

HT_Malware_Observations.pdf
Under the File detail tab and Contained files the PDF is flagged by 2 vendors.
VT results for the PDF https://www.virustotal.com/en/...

• 1. This PDF document has 8 pages, please note that most malicious PDFs have only one page.
• 2. This PDF document has 74 object start declarations and 74 object end declarations.
• 3. This PDF document has 29 stream object start declarations and 20 stream object end declarations.
• 4. This PDF document has a cross reference table (xref).
• 5. This PDF document has a pointer to the cross reference table (startxref).
• 6. This PDF document has a trailer dictionary containing entries allowing the cross reference table, and thus the file objects, to be read.

Absolutely, I have a prepared a blog post (excerpt pasted below) touching on this issue, and others, directly. As JJ said, we are releasing the source code on GitHub. Our developers are working to ensure our README is fully up-to-date.

"In order to ensure full transparency and growth to the Milano tool we are releasing the source code on GitHub (link below). Our intentions are to give people a way to protect themselves. The executable was created with the lowest technical user in mind and now we want to make sure we are completely transparent with how our tool operates. In lieu of executing the binary the .py script on GitHub can be leveraged. We have learned a lot during our releases to include, leaving '.DS_Store' within the zip, consistent folder/file names, etc.

This is the first time we have released tools to the public for free. We will continue to develop, improve, and grow our processes as these opportunities are identified. We truly appreciate the feedback and suggestions and will continue to take them into account with every release."

Exactly why we also provided the IOC formatted files. We wanted to make sure everyone could consume this information regardless of security teams tools. We are releasing the Python script used to create the executable. We will be sure a link is posted as soon as it's up on our site.