Bill-Stewart / SyncthingWindowsSetup

Syncthing Windows Setup
Mozilla Public License 2.0

Syncthing windows setup is flagged as greyware/malware by hybrid-analysis / virustotal #25

Closed syberphunk closed 5 months ago

syberphunk commented 5 months ago


https://www.hybrid-analysis.com/sample/ccdb410bbffe6c3f560366f7e0df131c24994394ae83ac4ce53a8ed76bcc8c83


https://www.virustotal.com/gui/file/ccdb410bbffe6c3f560366f7e0df131c24994394ae83ac4ce53a8ed76bcc8c83

ghost commented 5 months ago

Is this something to worry about?

Bill-Stewart commented 5 months ago

It's definitely a false-positive.

The "hybrid-analysis" scanner has some silly flags in it. For example, if you scroll down the list of "Files extracted during detonation" (wow, sounds so aggressive!), you will see that UninsIS.dll is "malicious." This is silly; it's not malicious--it's a DLL I wrote for Inno Setup:

https://github.com/Bill-Stewart/UninsIS/

If you have an "ear" with the vendor, please report it as a false-positive. I have tried to do so, but so far my requests have been (as far as I can tell) ignored.

The "Crowdstrike" platform claims 100% accuracy with no false-positives. This claim is absurd and easily proved false, as demonstrated here.

syberphunk commented 5 months ago

If you have an "ear" with the vendor, please report it as a false-positive.

I do not.

It'd be good to see an alternative to using an installer that flags even false positives, such as a 'portable' version.

When software gets flagged up like this, it means similar tools often flag it up, and if you're working in an enterprise environment where they deploy such tools and they find it, you tend to get a call from your cyber security team. It's also unnerving when you're trying to recommend the software.

Bill-Stewart commented 5 months ago

Believe me, I understand this issue very well. You should have seen how many silly false-positives this package was generating when I was using PowerShell and WMI scripting in this package to do entirely legitimate things. There are far fewer false-positives now.

No anti-malware developer can assure users they experience a zero false-positive rate. This is simply an irresponsible claim in my view.

In terms of a "portable" version: You can download the standalone syncthing.exe executable and run it, if desired. (The whole point of developing this installer was to make things easier for non-technical users.)

ghost commented 5 months ago

I have just recently installed it on my work PC. Hoping they don't flag my system because of this.

Bill-Stewart commented 5 months ago

I have just recently installed it on my work PC. Hoping they don't flag my system because of this.

At a minimum, I would recommend disabling relaying, as network security teams might misunderstand the use of shared IPs and interpret outbound connections as being something they don't want. As I note in the section on Command Line Parameters:

For more information about relays, please see the Syncthing documentation page about relaying. Please note that relaying might trigger network security alerts if an outgoing connection is made to a relay network host on the Internet that is being shared by a network service prohibited by network security teams on business or government networks. It is recommended to check with network security teams before using Syncthing on these kinds of networks.
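The recommendation above is to turn relaying off before running Syncthing on a monitored business network. The script below is an added example, not code from the issue thread or from the SyncthingWindowsSetup project, showing how an administrator can audit a Syncthing config.xml for the network-facing options a security team is likely to ask about and produce a copy with relaying disabled. It assumes the standard Syncthing config.xml layout, where relaying is controlled by the `<relaysEnabled>` element under `<configuration><options>`, and that Syncthing treats a missing element as the default (enabled). Because the location of config.xml depends on how and where Syncthing was installed, the example embeds a constructed sample config instead of reading one from disk; the same functions can be applied to the contents of a real file while Syncthing is stopped.

```python
"""Audit a Syncthing config.xml for relaying and produce a hardened copy.

Added example, not part of the original issue thread or the
SyncthingWindowsSetup project. It assumes Syncthing's config.xml layout,
where relaying is controlled by <configuration><options><relaysEnabled>.
The sample config below is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Syncthing config with relaying enabled.
SAMPLE_CONFIG = """<configuration version="37">
    <options>
        <listenAddress>default</listenAddress>
        <globalAnnounceEnabled>true</globalAnnounceEnabled>
        <localAnnounceEnabled>true</localAnnounceEnabled>
        <relaysEnabled>true</relaysEnabled>
        <natEnabled>true</natEnabled>
    </options>
</configuration>
"""

# Options a network security team typically asks about: each one causes
# Syncthing to talk to hosts outside the local network or the LAN itself.
NETWORK_OPTIONS = (
    "relaysEnabled",
    "globalAnnounceEnabled",
    "localAnnounceEnabled",
    "natEnabled",
)


def _flag(root: ET.Element, key: str) -> bool:
    """Read a boolean option; a missing element is the default, which is
    enabled for all of the options audited here (assumption from Syncthing's
    documented defaults)."""
    node = root.find(f"./options/{key}")
    if node is None or node.text is None:
        return True
    return node.text.strip().lower() == "true"


def relaying_enabled(config_xml: str) -> bool:
    """Return True if the config would let Syncthing use relay servers."""
    return _flag(ET.fromstring(config_xml), "relaysEnabled")


def audit(config_xml: str) -> dict:
    """Summarise the network-facing options as a name -> enabled mapping."""
    root = ET.fromstring(config_xml)
    return {key: _flag(root, key) for key in NETWORK_OPTIONS}


def disable_relaying(config_xml: str) -> str:
    """Return a copy of the config with relaying explicitly switched off.

    The <options> and <relaysEnabled> elements are created if absent so that
    the result does not silently fall back to the enabled default.
    """
    root = ET.fromstring(config_xml)
    options = root.find("./options")
    if options is None:
        options = ET.SubElement(root, "options")
    node = options.find("relaysEnabled")
    if node is None:
        node = ET.SubElement(options, "relaysEnabled")
    node.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit(SAMPLE_CONFIG))
    hardened = disable_relaying(SAMPLE_CONFIG)
    print("after: ", audit(hardened))
```

Run the script as-is to see the audit of the constructed sample before and after hardening; to apply it to a real installation, stop Syncthing, read the file into `disable_relaying`, write the result back, and restart. Turning off relaying removes the outbound connections to shared relay hosts that the comment above warns about, at the cost of devices only being reachable by direct connection.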

Bill-Stewart commented 5 months ago

Closing. Malware scanner false positives are an ongoing issue and will likely continue to be so.

syberphunk commented 4 months ago

@Bill-Stewart It appears that you can report this as a 'false positive' if you go to https://www.hybrid-analysis.com/sample/ccdb410bbffe6c3f560366f7e0df131c24994394ae83ac4ce53a8ed76bcc8c83 and click on the Sandbox report. Is this something that you have done? I ask particularly about this option as it's not clear what methods you've tried to approach them with.

Bill-Stewart commented 4 months ago

If you look at that report, you will note that CrowdStrike's engine reports the 1.27.5 installer as clean, and the false positive is from MetaDefender, which is getting hits from the "Bkav Pro" engine. This antimalware engine seems to be notorious for false-positives.