MS Defender keeps flagging Joplin SQLite as RemoteShell

Hi Team,

The last 3 versions of Joplin have been crashing or doing an infinite sync.
I believe it's due to MS Defender blocking/quarantining 'C:\Users\user.config\joplin-desktop\database.sqlite-journal'

Threat Detected: Backdoor:PHP/Remoteshell.F

Could this be due to the content kept in the journals? I play a lot of CTFs which require exploits etc. Hence why I encrypt Joplin as well.

Has been working fine with these payloads for 6+ months, now on the latest versions it's blocking the SQLite DB itself.

Anyone else having this?

  • Installed Version: 1.67
  • Tested against previous two versions for Windows
  • OS: Win10 1909

If there are malware samples in your database you need to exclude the path in MS Defender settings, as the data won't be encrypted locally.
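
The exclusion suggested in the reply above, as an added example that is not part of the original thread or of Joplin's documentation. It assumes an elevated PowerShell session and that the Joplin profile lives in `%USERPROFILE%\.config\joplin-desktop`; it first confirms that Defender detections really point into that directory, then excludes only that directory.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.
# Assumption: Joplin's profile directory is %USERPROFILE%\.config\joplin-desktop.
$profileDir = Join-Path $env:USERPROFILE '.config\joplin-desktop'

if (-not (Test-Path -LiteralPath $profileDir -PathType Container)) {
    throw "Joplin profile directory not found: $profileDir"
}

# 1. Map threat IDs to names, then keep only detections whose resources
#    point inside the Joplin profile (e.g. database.sqlite-journal).
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$hits = Get-MpThreatDetection | Where-Object {
    $_.Resources | Where-Object {
        $_.IndexOf($profileDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
    }
}

if (-not $hits) {
    Write-Warning "No Defender detections reference $profileDir; not adding an exclusion."
    return
}

$hits | Sort-Object InitialDetectionTime | ForEach-Object {
    [pscustomobject]@{
        Detected = $_.InitialDetectionTime
        Threat   = $names[$_.ThreatID]
        Resource = ($_.Resources -join '; ')
    }
} | Format-Table -AutoSize -Wrap

# 2. Exclude the profile directory only, never the whole user profile or drive.
$current = @((Get-MpPreference).ExclusionPath)
if ($current -notcontains $profileDir) {
    Add-MpPreference -ExclusionPath $profileDir
}

# 3. Verify the exclusion is in place.
(Get-MpPreference).ExclusionPath | Where-Object { $_ -eq $profileDir }
```

Files written under the excluded directory are no longer scanned by Defender, so keep the exclusion as narrow as shown and remove it with `Remove-MpPreference -ExclusionPath` if the notes no longer contain such samples.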

Cheers for the response Laurent. Makes sense, I was under the impression that it was encrypted locally so that's good to know as these remote shells are old/gamified so will always be flagged.
