[Security] False Positive: Newtonsoft.Json.dll detected as Malware by SentinelOne #25

Description

@Twodragon0

While syncing dependencies using GitDependencies.exe or initializing the MooaToon-Engine, SentinelOne (EDR) flagged and quarantined a specific DLL file. Although the file is digitally signed and verified, the security policy identifies it as a threat, preventing the engine from setting up correctly.

Environment

  • Engine Version: MooaToon-Engine (Latest/Main branch)
  • OS: Windows (detected via path)
  • Security Software: SentinelOne
  • Detection Type: Static Detection / User-Defined Blocklist

File Details

  • File Name: Newtonsoft.Json.dll
  • Path: ...\MooaToon-Engine\Engine\Binaries\ThirdParty\DotNet\8.0.412\linux-x64\sdk\8.0.412\Containers\tasks\net472\Newtonsoft.Json.dll
  • SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
  • Publisher: JSON.NET (.NET FOUNDATION)
  • Signature Status: Signed & Verified
  • Originating Process: GitDependencies.exe

Incident Report Summary

  • Classification: Malware
  • AI Confidence Level: Malicious
  • Action taken: Killed & Quarantined
  • Detection Engine: Static / User-Defined Blocklist

Additional Context
The file appears to be a legitimate component of the .NET 8.0.412 SDK bundled within the engine's third-party binaries. However, SentinelOne's static analysis or specific blocklist rules are triggering a quarantine. This blocks the workflow for users in environments with strict EDR policies.

Suggested Solution

  1. Please verify if the file with the above SHA256 hash is the intended version for this release.
  2. Consider if the SDK path or the specific DLL version can be updated to avoid common EDR false positives.
  3. Provide guidance for users to add exclusion rules for the engine directory.
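
The check in step 1, written out as an added example (not part of the original issue and not MooaToon or SentinelOne code): it hashes every bundled copy of Newtonsoft.Json.dll under the engine's DotNet directory, compares each against the SHA256 quoted in the report, and reads the Authenticode status and signer, so the hash and signature can be confirmed before any exclusion is considered. The script layout and the parameter names `EngineRoot` and `ReportedSha256` are assumptions.

```powershell
# Added example: triage bundled Newtonsoft.Json.dll copies before excluding anything.
param(
    # Assumption: path to the local MooaToon-Engine checkout.
    [Parameter(Mandatory)] [string] $EngineRoot,
    # SHA256 quoted in the issue report.
    [string] $ReportedSha256 = 'e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d'
)

$dotnetDir = Join-Path $EngineRoot 'Engine\Binaries\ThirdParty\DotNet'
if (-not (Test-Path -LiteralPath $dotnetDir)) {
    throw "Directory not found: $dotnetDir"
}

$results = Get-ChildItem -LiteralPath $dotnetDir -Recurse -File -Filter 'Newtonsoft.Json.dll' |
    ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash.ToLowerInvariant()
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            MatchesReport = ($hash -eq $ReportedSha256.ToLowerInvariant())
            SignatureOk   = ($sig.Status -eq 'Valid')
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            FileVersion   = $_.VersionInfo.FileVersion
            Sha256        = $hash
            Path          = $_.FullName
        }
    }

if (-not $results) {
    # A quarantined file is no longer on disk, so an empty result is expected on an affected host.
    Write-Warning "No Newtonsoft.Json.dll found under $dotnetDir (already quarantined?)."
    return
}

$results | Sort-Object Path | Format-List

# Copies whose signature does not validate should not be excluded on the strength of the file name.
$unverified = @($results | Where-Object { -not $_.SignatureOk })
if ($unverified.Count -gt 0) {
    Write-Warning "$($unverified.Count) copy/copies without a valid Authenticode signature."
}

# Report whether the hash from the alert is actually present in this checkout.
if (-not ($results | Where-Object MatchesReport)) {
    Write-Warning "No copy matches the reported SHA256; the alert may refer to a different build."
}
```

A hash-scoped exclusion for the copies that match and verify is narrower than excluding the whole engine directory.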
