[Open] cfitzgerald-pd opened this issue 1 month ago
Hey @cfitzgerald-pd, thanks for reaching out. We're aware of the increase in VirusTotal detections and are actively reporting these as false positives to third-party vendors. If there are any updates, we'll provide them here. Thanks!
Describe the bug
We've recently gotten a deluge of malware alerts from VirusTotal and its scanners and even third parties (ReversingLabs) flagging certain versions of the AWS CLI as malware. Some file paths detected are:
Pulled the versions with recent detections - 2.17.63 and 2.18.0 directly from AWS and matched the SHA-1s.
2.18.0: (eb90309bf6a4bb23cc13892a6b058527560600c3)
2.17.63: (fb7db612844de3496d805e4d2ec34e4762f6677e)
3 scanners flag 2.18.0 and 6 scanners flag 2.17.63. I expect these to continue to get flagged with new releases, which is difficult for customers and could result in some teams creating broad exclusion rules for the AWS CLI if there's no easy way to reduce these detections.
I see past discussions about this didn't get anywhere for various reasons (e.g. AWS signs with a PGP detached signature). Can AWS confirm these are false positive detections and/or recommend any way for customers or scanning vendors to avoid these false detections?
Regression Issue
Expected Behavior
Clean malware scans
Current Behavior
Several detections in malware scanners
Reproduction Steps
Pull the versions with recent detections - 2.17.63 and 2.18.0 directly from AWS and match the SHA-1s.
2.18.0: (eb90309bf6a4bb23cc13892a6b058527560600c3)
2.17.63: (fb7db612844de3496d805e4d2ec34e4762f6677e)
Possible Solution
Change signing method if it's a cause? Work with third-party scanners to reduce FP detections? Pin an advisory for this in the short term?
Additional Information/Context
No response
CLI version used
2.17.63, 2.18.0
Environment details (OS name and version, etc.)
linux-x86_64
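The reproduction step in the report (pull the release from AWS, compare the SHA-1) together with the PGP detached signature the reporter mentions, written out as an added POSIX shell example. This is not code from the issue or from the aws-cli project. Assumptions: the installer URL pattern is the one AWS documents for v2 (https://awscli.amazonaws.com/awscli-exe-linux-x86_64-VERSION.zip with a matching .sig), the AWS CLI public key has already been imported into the local gpg keyring per the installation docs, and the two SHA-1s quoted in the issue are over the Linux x86_64 zip itself (the report does not say which artifact was hashed, so a hash mismatch with a passing signature means "check which file was hashed", not "tampered"). Function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the aws-cli project or the issue above.
# Pins the SHA-1s the issue quotes and checks a downloaded AWS CLI v2
# archive against both the PGP detached signature and the pinned hash,
# so a scanner hit on an artifact that passes both can be handled as a
# likely false positive rather than an unknown binary.

# expected_sha1 VERSION -> prints the SHA-1 quoted in the issue for that
# version; returns 1 for versions the table does not know.
# ASSUMPTION: these hashes are over the Linux x86_64 zip.
expected_sha1() {
    case "$1" in
        2.18.0)  echo "eb90309bf6a4bb23cc13892a6b058527560600c3" ;;
        2.17.63) echo "fb7db612844de3496d805e4d2ec34e4762f6677e" ;;
        *)       return 1 ;;
    esac
}

# sha1_of FILE -> hex digest, using whichever tool the host has.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 1 "$1" | awk '{print $1}'
    else
        openssl dgst -sha1 -r "$1" | awk '{print $1}'
    fi
}

# check_sha1 FILE EXPECTED -> 0 when the file's SHA-1 equals EXPECTED.
check_sha1() {
    actual=$(sha1_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# download_and_verify VERSION [DIR]
# Fetches the installer zip and its detached signature from AWS, verifies
# the signature (gpg needs the AWS public key in the keyring, per the
# CLI install docs), then compares the zip's SHA-1 with the pinned value.
# Needs network access; not exercised offline.
download_and_verify() {
    ver="$1"
    dir="${2:-.}"
    base="https://awscli.amazonaws.com/awscli-exe-linux-x86_64-$ver.zip"
    zip="$dir/awscli-exe-linux-x86_64-$ver.zip"

    curl -fsSL -o "$zip" "$base" || { echo "download failed: $base" >&2; return 1; }
    curl -fsSL -o "$zip.sig" "$base.sig" || { echo "download failed: $base.sig" >&2; return 1; }

    # Signature first: this is the check AWS actually publishes for.
    gpg --verify "$zip.sig" "$zip" || { echo "PGP signature check FAILED for $zip" >&2; return 1; }

    expected=$(expected_sha1 "$ver") || { echo "no pinned SHA-1 for $ver" >&2; return 1; }
    if check_sha1 "$zip" "$expected"; then
        echo "$zip: signature OK, SHA-1 matches pinned value"
    else
        echo "$zip: signature OK but SHA-1 differs from pinned value (check which artifact was hashed)" >&2
        return 1
    fi
}

# Usage: sh verify_awscli.sh 2.18.0 [download-dir]
if [ -n "$1" ]; then
    download_and_verify "$1" "$2"
fi
```

A signature that verifies against AWS's key is the stronger evidence; the pinned SHA-1 only ties the local copy to the exact file the reporter scanned. If an exclusion rule is unavoidable, scope it to the verified hash rather than to a path, so a later release still gets scanned.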