FrankvdStam / SoulSplitter

A livesplit plugin for souls-games
GNU General Public License v3.0

Antivirus detection #48

Closed (kg closed this issue 1 month ago)

kg commented 3 months ago

Hi,

SoulSplitter 1.7.1 seems to be getting widely detected by antivirus software (https://www.virustotal.com/gui/file/8ab6c480ca7812a8059be76eb67ba93efae49367f6fa8c3cf534d908c493f51b/detection), specifically due to the soulmemory-rs dll that's embedded into SoulSplitter.dll. After digging around I feel like I understand why this is the case - by the nature of soulmemory-rs's huge feature set, it looks like a virus when it's packaged into a dropper like this.

I totally understand the convenience of reusing working code you already wrote, but it's very hard for anyone to try and verify what this dll does without a lot of time and knowledge so that it won't get flagged as malware, and it sucks if speedrunners have to turn off their virus scanner in order to get autosplit. Is there anything we can do to get the size of the soulmemory-rs dll down, or help replace it with something that doesn't contain things like the socket server, imgui, overlay hooks, etc? I imagine it would be nice for people to know that the autosplitter doesn't contain other hidden functionality (even though the functionality is obviously quite useful).

The stuff in the virustotal report is pretty spooky, and even after digging around in IDA I can't convince myself that the .dll bundled in 1.7.1 is unable to do anything malicious (even accidentally).

Thanks!

FrankvdStam commented 3 months ago

Thanks for your interest in this project, I am aware of the recent issues with virus scanners. In my own analysis I concluded that soulmods is likely the issue, not soulmemory-rs. Soulmemory-rs has been around for a long time, far before 1.7.0 and 1.7.1.

I think this problem first started occurring in 1.7.0, where a breaking change in the Elden Ring executable broke the MIGT fix (https://github.com/FrankvdStam/SoulSplitter/pull/40). Soulmods was around before this time already, only used in Armored Core 6. AC6 has a far smaller community than Elden Ring. I think the fact that this file and injection would occur on many more machines than previously with AC6 is what started to trigger the problem.

During all this time, soulmemory-rs has remained relatively stale. No major new features or different methods of injection have been added here.

Another reason might be the fact that soulmemory-rs has a launcher.exe, whereas soulmods.dll is injected directly by soulsplitter.

I do intend to see if this flagging can be reduced, but I worry that once your program and files are known to these companies, they will never stop being flagged. 1.7.0 had some issues already; with 1.7.1 it seems to have become more widespread, even though it doesn't really do anything extra in terms of injections that 1.7.0 didn't already do. I will not be buying a code signing certificate to sign the code with for an open-source, free project, but I worry that it might be the only solution.

I also did work on soulmemory-rs to bring it to stable Rust, which was the last remaining step to merge its repository into the soulsplitter repository to build the dlls and exes from the soulsplitter solution itself (the same setup that is already being used for soulmods). While this doesn't guarantee that the binaries that I provide actually come from the source in this repository, it will make things more transparent and traceable. The way that livesplit has things set up, you will not be able to ever fully trust any autosplitter. Even an ASL file will be able to do malicious things on your PC, either directly, or through the game by writing memory, etc., so there is no be-all-end-all solution to the security problem.

Changing the size of soulmemory-rs is not really something I'm willing to do at this point, I don't see it helping, but I would like to hear your suggestions and ideas, given all the information I just provided.

kg commented 3 months ago

I'll think some more about what kind of long term options you have, but when I tested specifically extracting the embedded resources from SoulSplitter.dll, Defender immediately nuked soulmemory-rs's x86 binary. The rest of them were fine, as were the embedded resources from 1.7.0. I wonder what could have changed to cause that...

FrankvdStam commented 3 months ago

I will try uploading the files in different configurations, with certain dlls not embedded, and see what it triggers on.

FrankvdStam commented 3 months ago

Soulmemory-rs 0.1.4 (very old version, Nov 2022): https://github.com/FrankvdStam/soulmemory-rs/releases/tag/0.1.4

x86: https://www.virustotal.com/gui/file/2c68c1c0a3521217f2602ba48f78be40776a3b35b845ca2b666870207edb7f35?nocache=1
x64: https://www.virustotal.com/gui/file/66636c22348cd286a51dd9eab0f792c7a74dff49a958dbe6ca18a89f7af059be?nocache=1

Latest bundled version

x86: https://www.virustotal.com/gui/file/c4b1e2fc3f3e6a389feae24a3eedc139cd15beafbc35be110bbd20bb5900bbf3
x64: https://www.virustotal.com/gui/file/637f12087c2eb434e8a144e0f3862e2ced1d9a09b2550b48cde8e2870680c56a

Latest version built fresh from the repo

x86: https://www.virustotal.com/gui/file/a9a46b5c127f7b1b3f5eea01bf1b98d79439782785af17b5706baa83d262fcab?nocache=1
x64: https://www.virustotal.com/gui/file/436e0028856ee5900732503bc15cc796f63d62fe9851b1d188540eb15111dd56?nocache=1

Summary: number of detections per version and build arch:

Version    x86    x64
0.1.4        1     12
bundled     38     32
fresh       12      1

I'm willing to bet that after I deploy these fresh builds and people start using them, the amount of detections will go up more and more the longer they are out.

kg commented 3 months ago

In some cases once a file is 'known' and builds a good reputation (nobody reports it as a virus), the detection count will go down AFAIK. But I'm not sure if that would apply to this type of detection.

My best guess is that it's the combination of a dropper-style dll with other dlls/exes embedded in it, and the fact that soulmemory-rs imports stuff like sockets APIs, makes it look similar to command and control botnet stuff. Even though if you disassemble it in IDA there isn't any sign of that kind of functionality, heuristic AV scanners can't make that kind of determination easily.

There may be some sort of 'taint spreading' mechanism where once it sees 'SoulSplitter.dll looks like a virus, and it contains (these four files)' it automatically marks the four embedded files as malicious too, guilt by association.

My hope would be that if you were to distribute the dll/exe files separate from the SoulSplitter.dll, that might mitigate the problem. You could maybe put them in a zip file or just as bare files next to it and it might solve the problem.
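An added example, not code from SoulSplitter or soulmemory-rs, of the two checks discussed in this thread: extracting the embedded binaries out of SoulSplitter.dll and hashing them separately (the experiment above where Defender reacted to the extracted soulmemory-rs x86 file, and the per-file VirusTotal hashes posted in this thread), and looking at which DLLs a file imports (the "imports sockets APIs" heuristic; ws2_32.dll is the Winsock import). It is pure Python with no pefile dependency. All function names are mine, and the sample input is a constructed, non-runnable stub PE produced by build_stub_pe, not any real release file.

```python
"""Carve embedded PE images out of a file, hash them, and list imported DLLs.
Added triage helper for this thread; constructed demo data only, no pefile needed."""
import hashlib
import struct

PE_SIG = b"PE\0\0"


def parse_pe(data: bytes, base: int = 0):
    """Return (pe_offset, sections, optional_header_offset, magic) for the PE header
    starting at data[base], or None if no plausible PE header starts there."""
    if base + 0x40 > len(data) or data[base:base + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    sections = []  # (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(nsect):
        off = pe + 24 + opt_size + 40 * i
        if off + 40 > len(data):
            return None
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    magic = struct.unpack_from("<H", data, pe + 24)[0] if opt_size >= 2 else 0
    return pe, sections, pe + 24, magic


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table; None if unmapped."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def imported_dlls(data: bytes):
    """Lower-cased names of DLLs in the import directory, e.g. 'ws2_32.dll'."""
    parsed = parse_pe(data)
    if not parsed:
        return []
    _, sections, opt, magic = parsed
    dd = opt + (112 if magic == 0x20B else 96) + 8  # data directory [1] = imports
    rva = struct.unpack_from("<I", data, dd)[0]
    names, off = [], (rva_to_offset(sections, rva) if rva else None)
    while off is not None and off + 20 <= len(data):
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        noff = rva_to_offset(sections, name_rva) if name_rva else None
        if noff is None:
            break  # all-zero descriptor terminates the table
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace").lower())
        off += 20
    return names


def carve_embedded(data: bytes):
    """(offset, size, sha256) for every PE image found in data, the outer file included.
    Size is the on-disk extent: the largest PointerToRawData + SizeOfRawData."""
    found, pos = [], data.find(b"MZ")
    while pos != -1:
        parsed = parse_pe(data, pos)
        if parsed:
            end = max((p + s for _, _, p, s in parsed[1]), default=0)
            if end and pos + end <= len(data):
                found.append((pos, end, hashlib.sha256(data[pos:pos + end]).hexdigest()))
        pos = data.find(b"MZ", pos + 1)  # keep scanning inside: embeds sit within the outer image
    return found


def build_stub_pe(payload: bytes, import_names=()):
    """Constructed test data: a tiny, non-runnable PE32 image with one section at RVA 0x1000
    holding an optional import descriptor table (names only) followed by payload."""
    opt_size, sect_va = 96 + 16 * 8, 0x1000
    hdr_len = 0x40 + 4 + 20 + opt_size + 40
    body, strs = b"", b""
    table_len = 20 * (len(import_names) + 1) if import_names else 0
    for n in import_names:
        body += struct.pack("<IIIII", 0, 0, 0, sect_va + table_len + len(strs), 0)
        strs += n.encode() + b"\0"
    body += (b"\0" * 20 + strs if import_names else b"") + payload
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    if import_names:
        struct.pack_into("<II", opt, 96 + 8, sect_va, table_len)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), sect_va, len(body),
                                        hdr_len, 0, 0, 0, 0, 0x60000020)
    return dos + PE_SIG + coff + bytes(opt) + sect + body


if __name__ == "__main__":
    inner = build_stub_pe(b"inner", ("ws2_32.dll", "kernel32.dll"))
    outer = build_stub_pe(b"A" * 16 + inner + b"B" * 8, ("kernel32.dll",))
    for off, size, digest in carve_embedded(outer):
        print(f"offset={off} size={size} sha256={digest} imports={imported_dlls(outer[off:off + size])}")
```

Against a real plugin, `carve_embedded(open("SoulSplitter.dll", "rb").read())` finds managed resources too, because a .NET assembly stores embedded resources as raw bytes inside its .text section rather than in the PE resource directory. Two caveats: the carved size comes from the section table, so a file with trailing data (an overlay or an Authenticode signature) will not hash identically to the full file uploaded to VirusTotal, and a truncated embed is skipped rather than reported.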

FrankvdStam commented 3 months ago

Soulsplitter 1.7.1

Soulsplitter.dll: https://www.virustotal.com/gui/file/8ab6c480ca7812a8059be76eb67ba93efae49367f6fa8c3cf534d908c493f51b
Soulmemory.dll: https://www.virustotal.com/gui/file/7e12e0e1d4d87595c2500ea1b3f1beca4abaeb744488363a215cdd4b4ec1b0b1

Fresh builds

Soulsplitter.dll: https://www.virustotal.com/gui/file/00a6adfc55a5abf6ce6271200cac4c5cdab9bda406cdf53076e1f6e6e049cca7?nocache=1
Soulmemory.dll: https://www.virustotal.com/gui/file/5ce4337e9102ef885c29d435117d4c4dcf85253af1b9f1f5d86d33b9da5a3a11?nocache=1

I think it's starting to become pretty clear that fresh builds that have not been publicly released don't flag half as much, and the main working of this is reputation based. I'm still not convinced that changing the setup of these embedded files has a real impact on this.

FrankvdStam commented 3 months ago

Also, seeing 12/1 flip over to 1/12 for x86/x64 on an old build vs a new build makes it look completely random.

FrankvdStam commented 3 months ago

Removed the embeds from soulsplitter.dll, fresh build: https://www.virustotal.com/gui/file-analysis/ZWMxMzk2MmQ5YmE3ZGFmMGVjZWVjNmU4OGUwNTNlOWM6MTcyMTkyOTgxMw==

Still has 4 hits.

kg commented 3 months ago

Once you get below 10 you're in fairly safe territory, especially if the most popular ones like Defender and Norton aren't flagging it.

FrankvdStam commented 3 months ago

Going back to 1.7.1 and removing the embeds gives 4 hits: https://www.virustotal.com/gui/file/b24acb50134e718ea8f685d67baf781a58d72a8132d0359d6e5c34c8a7f19816?nocache=1

Going back to 1.7.1 and leaving the embeds in, but changing a single line of code randomly, to make it a new, unknown file gives 7 hits: https://www.virustotal.com/gui/file/9db79b37cdf9e59bd04eff5a62fe6e83e6c7ec9a80a20b6f8686115a75996483?nocache=1

1.7.1 public release gave 32 hits. The same file with 1 line of code changed gives 7 hits...

kg commented 3 months ago

That's frustrating, it sounds like the reputation thing is probably a big part of it. I'm not sure any of my suggestions actually help then. :(

FrankvdStam commented 3 months ago

It is very frustrating indeed, I understand that it's both annoying to add exclusions and to have this nagging feeling of security breaches. I'm thinking that the Elden Ring DLC brought many runners in, which is what really triggered this whole situation. Any suggestions or tests we could do are still welcome and I hope I at least gave you the feeling that I've done my due diligence in properly investigating a solution for the security part. You seem tech-savvy enough to clone the repo and build your own binaries.

You can clone soulmemory-rs and look at publish.bat to find how to build + where it dumps the binaries, you can copy those files over and overwrite them in the soulsplitter repo, so that every single binary was built from source on your own machine. Meanwhile I'll leave this issue open for the time being, any suggestions or ideas you might have are still welcome.

kg commented 3 months ago

Yeah, I decided to dig into this some because I saw a runner get stumped by Defender deleting SoulSplitter.dll and eventually turn off their antivirus entirely. I wanted to at least do a little due diligence to make sure you weren't hit by some sort of supply-chain issue, since those things happen more often these days - it's not realistic to tell every speedrunner to clone some git repositories and run cargo and msbuild from a terminal.

It was nice to see your commits being Verified on GH, btw! I'm glad you took that step.

I will try to figure out whether there are any steps you can take to reduce the odds of AV flagging your releases in the future. I already submitted SoulSplitter to MS to be reviewed to try and get their definitions updated so 1.7.1 won't be blocked by it anymore, but I don't know how quickly they get through that queue.

One small thing you could do in the future that would make it less scary would be to put a readme.md next to the raw dll files you're checking in, where the readme has a link to the soulmemory-rs git repo. Then anyone looking at the binaries checked in to the repo wondering "where did these come from?" can just click the link to find out. It took me a little while to realize they were just builds of another repository. If you already have build automation to reproduce the binaries that makes it easy for people to reproduce your builds, as long as they know where to look.

FrankvdStam commented 3 months ago

The raw dlls are kind of inexcusable, fully agree with you there. I will work on getting soulmemory-rs properly integrated soon.

As for this submitting to MS for review, how does this work? Is this something I could potentially do for each build?

kg commented 3 months ago

> The raw dlls are kind of inexcusable, fully agree with you there. I will work on getting soulmemory-rs properly integrated soon.
>
> As for this submitting to MS for review, how does this work? Is this something I could potentially do for each build?

Yes, for each release you could submit the key dlls/exes - I think in this case just soulmemory-rs is the key one since it contains sockets stuff, and maybe the managed dll that enumerates processes - to the portal here: https://www.microsoft.com/en-us/wdsi/filesubmission

I used the consumer submission path, but you can use the developer one. They give higher priority to people with support contracts, but they won't ignore your submission.

It's unfortunate that this is still kind of a hassle, but my understanding is that portal submissions do help.

FrankvdStam commented 3 months ago

I have to admit that I've seen this page and figured it would not do much for me. But willing to give it a try 👍🏽

FrankvdStam commented 3 months ago

[screenshot of the Microsoft submission result]

Not sure if I'm misinterpreting, but it looks to me like their cloud defender service is seeing a trojan, so not sure why the analyst would say there is no reproduction.

FrankvdStam commented 3 months ago

Soulsplitter 1.7.2 before releasing publicly

Soulsplitter.dll, 4 detections: https://www.virustotal.com/gui/file/e0a323c5ebcfbda71c0e7d6cbd5464e98063bf19c1429ad97a2e10fa4830449d?nocache=1
Soulmemory.dll, 2 detections: https://www.virustotal.com/gui/file/c95ef282a9480462c7b61e76dfd10f585ed32dc91415e1cb5bc21fdc3c2b6a5d?nocache=1

Binaries come from this action run: https://github.com/FrankvdStam/SoulSplitter/actions/runs/10133830385

FrankvdStam commented 3 months ago

[screenshot] https://www.virustotal.com/gui/file/d77bf9bc282157e79c44736525e0417cf5b00ce406d2db86e1b0fbe19d5672b3/details

So it's 5(?) days later, my own Windows Defender just false-flagged soulsplitter.dll and the count has gone up from 4 to 7 hits. I will submit the files to Microsoft.

@kg I've properly integrated soulmemory-rs into this repository, magic dlls are gone, except for the released binaries that livesplit requires for updates. These binaries now come from the artifacts in GitHub Actions. GitHub Actions now publishes all the binaries in one convenient zip. I will report the current version to Microsoft with the link you gave me. Other than that I'm not really sure what else can be done to fight this.

github-actions[bot] commented 2 months ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 month ago

This issue was closed because it has been inactive for 14 days since being marked as stale.