Open G100g opened 6 years ago
It looks safe, only Cylance marks it as unsafe, according to VirusTotal, but this may be a false positive.
Some context to why this is happening: https://github.com/browsh-org/browsh/issues/58
Chrome won't let me download the Windows binary either. Downloading via curl won't work either. Trying to open the file, Windows gives me this:
It seems Windows Defender also picks this up:
Can anybody zip the binary, protect it with the password `infected` and upload it here as an attachment so I can forward it to add it to the whitelists?
If there are multiple binaries affected, please attach them in the same way.
The trouble is the binary changes for every new release. I suspect this is more likely triggered by the domain name problems from yesterday right? And when I make a new release (sometime in the next few hours), the fingerprint will change and maybe the error will stop?
I just released a new version: https://www.brow.sh/downloads/
Does that still get the virus warning?
no more virus warning
Just this message
No, sorry. After clicking on the "keep" option, same virus warning
Can you please zip it, protect it with the password `infected` and attach it here?
Sorry, but the problem is that I can't download the file. Windows Defender does not allow me to do it :(
Please try to disable Defender in the Windows settings for a short time. If you are not confident I can do that too in a few minutes.
PS: password should now be `infected` instead of `secure`, maybe I forgot that it was always `infected` or different AV vendors use different passwords.
Here we are: browsh_1.2.3_windows_amd64.zip
I've checked browsh_1.2.3_windows_amd64.exe with VirusTotal and it seems safe - apart from Cylance, Ikarus claims it has PUA.GoLang, which in my opinion is a false positive. My local Avast antivirus also marks it clean.
Great that the binaries are starting to be marked as clean again. We're not completely out of the woods yet though :/
Just Cylance left
And they replied on Twitter, they created an internal ticket.
Uh, oh...
Alert level: Severe Category: Trojan Details: This program is dangerous and executes commands from an attacker.
webfile: \browsh_1.2.3_windows_amd64.exe|https://github-production-release-asset-2e65be.s3.amazonaws.com/58327877/b9029614-8426-11e8-8a76-e7b162a75379?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20180711%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20180711T045442Z&X-Amz-Expires=300&X-Amz-Signature=f017a0998256285f0df465037c0af45f7f0971f2bd9ae66d1bfa607e99e1ee5d&X-Amz-SignedHeaders=host&actor_id=3450398&response-content-disposition=attachment%3B%20filename%3Dbrowsh_1.2.3_windows_amd64.exe&response-content-type=application%2Foctet-stream|pid:8448,ProcessStart:131754659486143152
Windows uses the other services too + machine learning and the cloud. I saw no detection of a specific MS engine at VirusTotal.
Currently just Cylance is left https://www.virustotal.com/#/file/103950e3d8df978edf7f6513870cdf93c92ee00d9ccf808021abd914e1280a8a/detection
Cylance still holding out :man_facepalming:
Asked them again to take a look at it and resolve the false positive.
Thanks again :)
I just uploaded the latest release and now there's another red flag! https://www.virustotal.com/#/file/63688c7b09d88fd99226b0be7e553b9564cd5e2d7378ed38c69c4624e9193a47/detection :laughing:
Still Cylance =( I'll try to escalate this.
It would be new to me that MS uses Cylance or that it is used in Google Chrome. It depends on your installed AV solution.
Hi, I'm downloading the last Windows binary with Chrome, but Chrome alerts me that it contains a virus.
Please check your binary and let me know if you need some help. Best