The surrogate binary is currently extracted to `current_exe().parent()` and is unsigned. This creates two related concerns.
Problem 1: Extraction location
Extracting to the executable directory requires write permissions, which may not be available in all deployments (read-only container images, restricted Program Files installs). Alternative locations (%TEMP%, %LOCALAPPDATA%) each have tradeoffs — particularly AV products flagging "write exe to temp → execute" as a malware dropper pattern.
Problem 2: Authenticode signing
The surrogate binary is currently unsigned. Signing it would:
- Greatly reduce AV false positives regardless of extraction location (a valid signature from a known publisher does not rule out heuristic detection, but an unsigned executable written at runtime is the worst case)
- Enable extraction to `%TEMP%` or `%LOCALAPPDATA%` without AV interference
- Allow WDAC/AppLocker publisher rules to trust it, instead of per-hash rules that break on every rebuild
Options for extraction location
| Location | Write perms | AV risk | Notes |
|---|---|---|---|
| Exe dir (current) | Needs write access | Low | Expected location for supporting binaries |
| `%LOCALAPPDATA%\hyperlight\` | Always writable | Medium | Less suspicious than temp |
| `%TEMP%` | Always writable | High | AV red flag: top malware dropper pattern |
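As an added illustration of the extraction-location choice (example code, not hyperlight's own), the following Rust walks the candidates from the table in preference order, probes each for real write access instead of trusting metadata, skips `%TEMP%` entirely, and writes the surrogate via a temporary name plus rename so a half-written executable is never visible. The `hyperlight` subfolder name comes from the table; the function names, the `surrogate.exe` file name and the placeholder bytes are assumptions for illustration.

```rust
// Added example (not hyperlight's code): choose an extraction directory from the
// candidates in the table above, probing for real write access, then extract the
// surrogate atomically. The function and file names are assumptions for illustration.
use std::env;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Candidate directories in preference order: the exe directory first (expected
/// location for supporting binaries), then %LOCALAPPDATA%\hyperlight\. %TEMP% is
/// deliberately not a candidate because of the "write exe to temp, then execute"
/// dropper heuristic.
pub fn candidate_dirs(exe_dir: Option<PathBuf>, local_app_data: Option<PathBuf>) -> Vec<PathBuf> {
    let mut dirs = Vec::new();
    if let Some(d) = exe_dir {
        dirs.push(d);
    }
    if let Some(d) = local_app_data {
        dirs.push(d.join("hyperlight"));
    }
    dirs
}

/// Probe write access by actually creating and removing a file. Checking metadata
/// is not enough: read-only container layers and restrictive ACLs only surface
/// when a write is attempted.
pub fn is_writable(dir: &Path) -> bool {
    if fs::create_dir_all(dir).is_err() {
        return false;
    }
    let probe = dir.join(format!(".write-probe-{}", std::process::id()));
    let ok = fs::write(&probe, b"").is_ok();
    let _ = fs::remove_file(&probe);
    ok
}

/// First candidate that is really writable, or None. The caller should fail
/// loudly on None rather than silently falling back to %TEMP%.
pub fn pick_extraction_dir(candidates: &[PathBuf]) -> Option<PathBuf> {
    candidates.iter().find(|d| is_writable(d)).cloned()
}

/// Write `bytes` to `dir/name`. The data goes to a temporary name first and is
/// then renamed into place, so another process can never execute a partial file.
/// If an identical file already exists nothing is rewritten, which avoids a fresh
/// "executable written" event on every start.
pub fn extract_surrogate(dir: &Path, name: &str, bytes: &[u8]) -> io::Result<PathBuf> {
    let final_path = dir.join(name);
    if let Ok(existing) = fs::read(&final_path) {
        if existing == bytes {
            return Ok(final_path);
        }
    }
    let tmp = dir.join(format!("{}.{}.partial", name, std::process::id()));
    fs::write(&tmp, bytes)?;
    if let Err(e) = fs::rename(&tmp, &final_path) {
        let _ = fs::remove_file(&tmp);
        return Err(e);
    }
    Ok(final_path)
}

/// Candidates taken from the live process environment.
pub fn default_candidates() -> Vec<PathBuf> {
    let exe_dir = env::current_exe()
        .ok()
        .and_then(|p| p.parent().map(Path::to_path_buf));
    let local_app_data = env::var_os("LOCALAPPDATA").map(PathBuf::from);
    candidate_dirs(exe_dir, local_app_data)
}

fn main() -> io::Result<()> {
    // Constructed stand-in for the embedded surrogate image.
    let surrogate: &[u8] = b"MZ-placeholder-surrogate";
    let dir = pick_extraction_dir(&default_candidates()).ok_or_else(|| {
        io::Error::new(io::ErrorKind::PermissionDenied, "no writable extraction dir")
    })?;
    let path = extract_surrogate(&dir, "surrogate.exe", surrogate)?;
    println!("extracted to {}", path.display());
    Ok(())
}
```

Two caveats for Windows specifically: the rename will fail if a previous surrogate at the target path is still running and therefore locked, so the "identical bytes already present" short-circuit matters in practice; and once the binary is signed, the extraction step can verify it before launching (for example `Get-AuthenticodeSignature` or `signtool verify /pa`), which also gives WDAC/AppLocker publisher rules something stable to match.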