astral-sh / rye

a Hassle-Free Python Experience
https://rye.astral.sh
MIT License
13.79k stars 468 forks

Windows Bearfoos virus associated with rye 0.15.2 #468

Open BruceEckel opened 1 year ago

BruceEckel commented 1 year ago

Steps to Reproduce

I did a rye self update just now and my Windows Defender (I'm on Windows 11) fired up and said it contained the "Bearfoos" virus and deleted rye.

I've removed all the rye artifacts and will reinstall it (and report results here) but wanted to capture the issue before doing so.

Expected Result

Normal update

Actual Result

[image: Windows Defender alert reporting the file as Trojan:Win32/Bearfoos.A!ml]

The "Learn more" link takes you here: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FBearfoos.A!ml&threatid=2147731250

Version Info

When I went to https://rye-up.com/ and tried to download "rye-x86_64-windows.exe for 64bit Intel Windows" I got a similar Windows Defender response:

[image: Windows Defender alert on the downloaded installer]

Stacktrace

No response

BruceEckel commented 1 year ago

When I downloaded the install executable for 0.15.1, Windows Defender found no issues, so it seems to be something in 0.15.2.

BruceEckel commented 1 year ago

Successfully installed 0.15.1

mitsuhiko commented 1 year ago

Surprisingly this file does not trigger in Windows Defender for me. I submitted a false positive report to Windows Defender.

Submission case https://www.microsoft.com/en-us/wdsi/submission/2babfd93-15a5-42ff-8ce9-f78f18745daf

mitsuhiko commented 1 year ago

I uploaded the file and it came back as not malware:

[image: Microsoft submission result showing the file as not malware]

Maybe Microsoft fixed it in the meantime?

BruceEckel commented 1 year ago

I'm not seeing any problems with it on my desktop machine (also Windows 11). I will recheck it on my laptop, which is where I saw the problem.

BruceEckel commented 1 year ago

Yes, there was a Windows Defender update and once I applied it on my laptop I could successfully install 0.15.2 without any virus warning. I think my desktop is set to automatically update and the laptop wasn't.

mitsuhiko commented 1 year ago

Thank you for validating!

BruceEckel commented 1 year ago

Of course. Thank YOU for this project. I know it's still experimental but it's become my default build tool for Python.

mitsuhiko commented 8 months ago

Seems to be happening every once in a while, so I'm going to reopen it. I will also add it to the FAQ for now until a solution has been found. Still no trojan in it :P

Muream commented 8 months ago

Just for reference, I am running into this except it gets picked up as the Wacatac Trojan

It happened with both rye self update going from 0.24.0 to 0.25.0 and downloading the installer from the website

mitsuhiko commented 8 months ago

Still taking suggestions for what can be done here :(

ported-pw commented 8 months ago

You are pretty much going to need code signing to increase executable trust with Microsoft, but certificates recently got a lot more expensive because you are now required to use FIPS-compliant hardware or similar to store the keys.

yuanhao-li commented 7 months ago

> You are pretty much going to need code signing to increase executable trust with Microsoft, but certificates recently got a lot more expensive because you are now required to use FIPS-compliant hardware or similar to store the keys.

This could be an option.

Also, in some organizations there's a file reputation check with Symantec. If the file reputation is low, rye is not usable. Maybe this info will help.

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Glossary/file-reputation-v32546090-d49e18645.html#:~:text=The%20file%20reputation%20indicates%20how,information%20about%20the%20file's%20characteristics.

mitsuhiko commented 7 months ago

Maybe this is something that astral can eventually address, but honestly from where I stand this is largely a problem that those companies (Microsoft, Broadcom etc.) need to deal with.

ported-pw commented 7 months ago

It's basically in the nature of the project to be picked up by behaviour/likeness to actual malware.
You have something that downloads and runs other code from elsewhere on the internet, which is essentially what a malware dropper/RAT does. So the only ways are to keep submitting builds to Microsoft and other AV vendors as false positives and/or to start signing builds.
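The thread resolves the detection with a Defender definitions update (BruceEckel's laptop comment) and ends with code signing and false-positive submissions as the only durable fixes. Before excluding a flagged installer or reinstalling, a practitioner will want to see what Defender actually matched, refresh definitions and rescan, and confirm independently of the AV verdict that the file is the published release artifact. The PowerShell below is an added example, not code from the rye project or from anyone in the thread; it assumes the installer sits in your Downloads folder and that the release publishes a `<name>.sha256` sidecar next to the binary (adjust the paths if yours differ). `Get-AuthenticodeSignature` is included because the thread says the builds are unsigned, so `NotSigned` is the expected status at this point, not a finding.

```powershell
# Added example (not from the rye project): triage a Defender detection on a
# downloaded rye installer before deciding to exclude it or reinstall.
# Assumptions: the installer is at $Installer and a "<name>.sha256" sidecar
# from the same release is at $Sha256File. Run from an elevated prompt.
param(
    [string]$Installer  = "$env:USERPROFILE\Downloads\rye-x86_64-windows.exe",
    [string]$Sha256File = "$env:USERPROFILE\Downloads\rye-x86_64-windows.exe.sha256"
)

# 1. Which definitions are installed, and what exactly was flagged?
#    The thread's detections (Bearfoos, Wacatac) are "!ml" heuristic names, so the
#    ThreatName and the signature version are what you quote in a false-positive report.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated

Get-MpThreatDetection |
    Where-Object { $_.Resources -match 'rye' } |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources

Get-MpThreat |
    Where-Object { $_.Resources -match 'rye' } |
    Select-Object ThreatID, ThreatName, SeverityID

# 2. The resolution in the thread was a definitions update: pull it and rescan
#    the file instead of adding an exclusion.
Update-MpSignature

if (-not (Test-Path $Installer)) {
    Write-Warning "Installer not found at $Installer (Defender may have quarantined it); re-download it first."
    return
}
Start-MpScan -ScanType CustomScan -ScanPath $Installer

# 3. Independently of the AV verdict, confirm the bytes match the release.
#    The sidecar is assumed to be "<hex>" or "<hex>  <filename>"; take the first token.
$actual   = (Get-FileHash -Algorithm SHA256 -Path $Installer).Hash.ToLowerInvariant()
$expected = ((Get-Content -Path $Sha256File -Raw).Trim() -split '\s+')[0].ToLowerInvariant()
if ($actual -ne $expected) {
    Write-Warning "SHA-256 mismatch: file is $actual, release sidecar says $expected. Do not run it."
} else {
    Write-Host "SHA-256 matches release sidecar: $actual"
}

# 4. Authenticode status. The thread notes the builds are unsigned, so expect
#    NotSigned here; only a Valid status from the expected publisher would let
#    Defender's reputation checks trust the file without a definitions fix.
$sig = Get-AuthenticodeSignature -FilePath $Installer
[pscustomobject]@{
    Status        = $sig.Status
    SignerSubject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}
```

If step 3 reports a mismatch, the AV alert is not the interesting part: the file is not the release artifact, and the right move is to re-download over HTTPS from the release page and compare again rather than to file a false-positive report.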