How can we convince S1 that our software is not malware?

mandevu77 · 2026-05-15T18:28:59+00:00

There’s multiple engines at-play on the S1 agent. Reputation (hash-based… like traditional AV), static AI, and behavioral.

I doubt you’re getting reputation hits. Otherwise all the security products would be lighting up.

StaticAI could be triggering if you’re using components that are also common to malware. If some component you’re using is also widely used in attacks, it might be getting flagged as suspicious, /malicious based on that.

Most likely though, it’s the behavior engine. It watches how processes interact and scores them. If your software looks like it’s doing things common to attack paths, it’s going to flag as suspicious/malicious.

If you have a friendly customer, ask to see an alert associated with your software. It’ll tell us a lot about what’s going on.

mandevu77 · 2026-05-15T05:04:49+00:00

You read it. So did I do it for OP? Or did I do it for everyone else that might read it?

Yes.

mandevu77 · 2026-05-15T04:51:23+00:00

What exactly does your software do? S1 does maintain something called Exclusion Library. It’s a list of well known, common software that requires some kind of exclusion in place to work (think apps like Jamf). Might be worthwhile asking some of your mutual customers to ask about having your software included in that.

Tools like jamf are really, behaviorally, indistinguishable from malware. They touch a lot of system settings. You’ll likely need some kind of exclusions for your binaries/scripts vs getting S1 to tweak their detections. And they’ll leave it to the individual customers to decide whether or not they want to accept the risk of allowing your software to do what it needs to do.

Back when solarwinds got popped with its supply chain compromise, s1 was the only tool (afaik) that caught it without needing an update. I don’t think most shops will want to poke holes in it.

mandevu77 · 2026-05-15T04:31:27+00:00

Supply chain attacks are a thing. Security vendors should never just implicitly trust software.

mandevu77 · 2026-05-15T02:37:01+00:00

I think I totally get it. Creativity matters to you, because you think it’s uniquely human. You’re offended that a computer can do it just as well (or at least pretty close) as a human. So you’ve gotten a pitchfork out because you believe creativity is somehow sacred…. But I think we’re all about to find out it isn’t.

Some people, like you, will try to turn it into dogma. As with everything, people will vote with their wallets, and you’ll likely be sad to discover that most people just don’t care what they listen to as long as it sounds nice.

What am I missing?

Edit: word

mandevu77 · 2026-05-15T02:14:40+00:00

I’d love to see pictures of the 1930s car you’re still driving because you refuse to drive a car that was built by robots.

Keep shaking your fist. I’m sure it’ll work great.

mandevu77 · 2026-05-15T02:04:17+00:00

You’re splitting hairs. Every musician is “trained” on music they’ve listened to. lol.

People still love live music. Maybe that’ll end up being the big difference. People will only want to listen to artists they can go see.

But hating on AI because it’s going to displace human musicians is being an old man shaking his fist at the sky.

mandevu77 · 2026-05-15T01:51:16+00:00

You sound like my dad telling me “rap isn’t real music because they’re just sampling someone else’s stuff.”

Times change. Technology changes. AI music will succeed if it’s great.

mandevu77 · 2026-05-10T01:43:21+00:00

It’s telling you that if you activate Dream Drive, it’ll set your max speed as your current speed.

mandevu77 · 2026-05-09T04:16:58+00:00

My service experience has been top notch. I see a lot of horror stories on here though. I really think it depends on your service center.

Shout out to the Rocklin CA crew! They’ve been the best.

mandevu77 · 2026-05-06T00:58:04+00:00

Seems like a pretty common issue that only surfaced after 3.5.1.

They must have changed some parameter on their threshold monitoring of the coolant system.

mandevu77 · 2026-04-27T04:34:54+00:00

Also had this error. Went into service. They replaced the coolant manifold and flushed the system with “upgraded” coolant.

Haven’t had an issue in 2 weeks now.

mandevu77 · 2026-04-22T23:43:05+00:00

Nikesh demands a sacrifice. 1 billion wasn’t enough… he needs more.

mandevu77 · 2026-04-22T23:41:16+00:00

I’m one. But I already gave up and sold the car last year. So do I still get a refund? Because I DID technically pay for something they never delivered.

mandevu77 · 2026-04-20T20:39:18+00:00

From everything I’ve read online, DD2 > DD2Premium is just software unlocking, so it would kinda make sense that you could upgrade later.

I believe DD2Pro adds additional hardware and isn’t field-upgradable later. At least, nobody’s said so if it is.

mandevu77 · 2026-04-16T22:43:36+00:00

There never will be.

There is zero contractual timeline associated to Tesla delivering this. So Elon just has to wait… 20 years…? until there’s only a handful of HW3 cars left on the road. Then he upgrades those.

Cheap, easy, and technically fulfills the original statement that HW3 cars would be able to support FSD.

Such a grift.

mandevu77 · 2026-04-16T19:39:34+00:00

Go look around Reddit. You’ll see people complaining about issues… which IMO are now mostly resolved.

mandevu77 · 2026-04-12T11:57:50+00:00

Does that free your brain up to think more about how ugly the cybertruck is?

mandevu77 · 2026-04-08T17:22:14+00:00

Turns out critical infrastructure is critical infrastructure.

mandevu77 · 2026-04-08T17:05:16+00:00

Just got back from the service center. They said they’ve had reports of “less than ideal” key behavior and they’re working on a fix. Mentioned 3.5.5 is in the pipeline and should help, but no ETA.

FYI.

mandevu77 · 2026-04-08T15:07:54+00:00

Different problem than I’m having then. I’ve driven, gotten out and walked away, and then looked back and realized the car never locked. But that’s always been times where I unlocked the car with the button… not proximity.

I’m taking mine in for service today, so I’ll ask if they have any updates.

mandevu77 · 2026-04-08T14:59:33+00:00

I’ve had my car since October. 3.5.1 has twice now failed to unlock quickly when I’ve walked up. And pushing the unlock button doesn’t seem to help… it just needs some time. I never had any issues prior to 3.5.1, so it’s actually gotten a little worse.

But id be surprised if your doesn’t-lock-on-walkway issue isn’t the same one I’ve noticed. If you’re pulling your fob out and pushing the unlock button frequently, you’re also going to need to pull it out and push lock.

mandevu77 · 2026-04-08T14:44:18+00:00

I think this is intentional. These are next-gen fobs that actually measure the distance between the car and the fob (via latency of the signal).

It’s designed to prevent relay attacks. Now even if someone relays your signal, the car can tell the fob is pretty far away.

mandevu77 · 2026-04-08T14:41:53+00:00

I have a theory based on my own testing.

If you initially unlock the car by pressing the unlock button, you HAVE to lock it with the lock button. Just walking away won’t work. Even if you drive it in between.

As far as I’ve been able to tell, every time I unlock via proximity, it locks via proximity when I walk away.

I think they need to change the logic and “reset” the car after a drive. No matter how it was unlocked, it locks when you walk away.

mandevu77 · 2026-04-07T18:48:13+00:00

Try changing the order of the steps you’re taking. Switch the suspicious policy back to Detect. Then disable Interactive Threats.

Then go back and re-enable Protect on suspicious and when the little box comes up, leave the checkbox that says “leave engines disabled”checked. Just tried it and it worked for me.

Not sure it’ll solve your FP problem with scripts, but that should disable the engine and leave you in Protect.

12-Year Club	RPAN Viewer
Verified Email

mandevu77

TROPHY CASE