Closed alvinckenba closed 2 years ago
My first impression is that this is a false positive. It's probably catching it because the Sidecar allows the Graylog server to update config files on the machine.
Related to #360
Related community post: https://community.graylog.org/t/sidecar-signed-windows-binary/21890
@boosty Can I assume that getting the binary signed is an important first step to getting the malware flagging issue fixed? That does sort of make sense, but I'm just making sure.
I installed signtool on a Windows VM, and it's definitely not signed.
We build this on Linux, though. This tool might be a good option for signing:
Hi @malcyon,
I don't have experience with this, but based on the following post, signing the file seems to be the fastest (not the only) way to let Microsoft trust it: https://stackoverflow.com/a/66582477
But I think a bit more research would be good. For a start, you could probably submit the file to Microsoft to see the current result: https://www.microsoft.com/en-us/wdsi/filesubmission
FWIW, VirusTotal does not report the current version as malicious: https://www.virustotal.com/gui/file/55693ad815021985d8ecc733e918e285dc892233035b6dcac9c11b480bf1af42/details
And while VirusTotal shows the missing signature, the impact on the detection is unclear to me:
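The signature check malcyon ran with signtool on a Windows VM, and the SHA-256 used for the VirusTotal lookup above, can both be reproduced from a Linux build box without Windows tooling. The script below is an added example and is not part of the Graylog Sidecar project or of anything posted in this issue; it parses the PE headers by hand, reads the Attribute Certificate Table entry (data directory index 4, whose "VirtualAddress" is a raw file offset), and reports whether a WIN_CERTIFICATE of type PKCS#7 signed data is present. It only answers "does this binary carry an Authenticode signature at all"; it does not validate the certificate chain or the timestamp, which is still signtool's or Get-AuthenticodeSignature's job. The minimal PE blobs built by build_minimal_pe are constructed fixtures for the demo, not real executables, and the installer path and expected hash in main() are placeholders.

```python
"""Check whether a Windows PE carries an Authenticode signature block and print its SHA-256.

Added example (not project code). Parses the PE headers directly so it runs
anywhere Python runs, e.g. in the Linux CI that builds the Sidecar installer.
"""
from __future__ import annotations

import hashlib
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # index of the Attribute Certificate Table
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # wCertificateType for Authenticode PKCS#7


def security_directory(data: bytes) -> tuple[int, int]:
    """Return (file_offset, size) of the certificate table, or (0, 0) when absent."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS_MAGIC:
        num_rva_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        num_rva_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (num_dirs,) = struct.unpack_from("<I", data, opt + num_rva_off)
    entry_end = dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_SECURITY + 1)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry_end > size_of_optional:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)
    return (offset, size)


def has_authenticode_signature(data: bytes) -> bool:
    """True if the PE points at a well-formed WIN_CERTIFICATE of PKCS#7 type.

    A directory entry that runs past the end of the file (truncated download,
    stripped signature) is treated as unsigned rather than as an error.
    """
    offset, size = security_directory(data)
    if offset == 0 or size < 8 or offset + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    return cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA and 8 <= length <= size


def sha256_hex(data: bytes) -> str:
    """Hash as used for the VirusTotal file URL."""
    return hashlib.sha256(data).hexdigest()


def build_cert_entry(signed_data: bytes) -> bytes:
    """Wrap bytes in a WIN_CERTIFICATE header (constructed fixture for the demo)."""
    body = signed_data + b"\0" * (-len(signed_data) % 8)  # spec: 8-byte aligned
    return struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body


def build_minimal_pe(cert_entry: bytes | None) -> bytes:
    """Constructed minimal PE32+ header (not runnable code) with an optional cert table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 8 * 16                      # PE32+ header with all 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    header_len = e_lfanew + 4 + len(coff) + opt_size
    cert_off = header_len if cert_entry else 0
    cert_size = len(cert_entry) if cert_entry else 0
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, cert_off, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt) + (cert_entry or b"")


def main(argv: list[str]) -> int:
    # Placeholder path/hash: pass the real installer and the hash from the VirusTotal URL.
    path = argv[1] if len(argv) > 1 else "graylog_sidecar_installer.exe"
    expected = argv[2] if len(argv) > 2 else None
    with open(path, "rb") as fh:
        data = fh.read()
    digest = sha256_hex(data)
    print(f"{path}: sha256={digest} signed={has_authenticode_signature(data)}")
    if expected and digest != expected.lower():
        print("hash does not match the expected value", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pe_sig.py graylog_sidecar_installer_1.1.0-1.exe <sha256>`; a `signed=False` result on the published installer is what the signtool check in this thread found, and a hash mismatch means you are not looking at the same file VirusTotal scanned.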
@boosty I think for signing the binary, we need a Code Signing certificate:
https://www.globalsign.com/en/code-signing-certificate
I am not sure if we already have one.
FYI I submitted the installer to the Microsoft site for Defender, and it shows "No malware detected" for definition 1.355.1515.0.
@malcyon Cool! Then I think we should close this. We can reopen if someone still gets the warning on Windows.
And let's handle the code signing as a separate topic (as discussed).
Problem description
Detected: PUA:Win32/Presenoker with Microsoft Defender on downloaded Windows binary: graylog_sidecar_installer_1.1.0-1.exe
Steps to reproduce the problem
Environment