containers / podman-desktop

Podman Desktop - A graphical tool for developing on containers and Kubernetes
https://podman-desktop.io
Apache License 2.0

Kaspersky evaluate Podman Desktop as a trojan #700

Closed vandrep closed 1 year ago

vandrep commented 1 year ago

Bug description

I'm not really sure if this issue fits here, but as soon as Podman Desktop updates to 0.9.0 my antivirus is removing all files.

I will include in the exception list, but maybe there's something that can be done to avoid this?

Operating system

Windows 11

Version

0.9.0

Steps to reproduce

Try to install podman desktop 0.9.0 or update from a previous version in a system with Kaspersky Antivirus.

Relevant log output

Free translation of the report:

Event: Malicious Object Detected
Application: Podman Desktop.exe
User: <removed>
Component: System Inspector
Description Result: Detected
Type: Trojan
Name: PDM:Trojan.Win32.Generic
Threat Level: High
Object Type: Process
Object Path.: <removed>\appdata\local\temp\2gzjjh264u5welickp02iomkk1k
Object Name: podman desktop.exe
Reason: Database
Database version date: Yesterday, 10/25/2022 12:07:00

Original Report in Portuguese:

Evento: Objeto malicioso detectado
Aplicativo: Podman Desktop.exe
Usuário: <removed>
Tipo de usuário: Usuário ativo
Componente: Inspetor do Sistema
Resultado da descrição: Detectado
Tipo: Trojan
Nome: PDM:Trojan.Win32.Generic
Nível de ameaça: Alto
Tipo de objeto: Processo
Caminho do objeto.: <removed>\appdata\local\temp\2gzjjh264u5welickp02iomkk1k
Nome do objeto: podman desktop.exe
Motivo: Bancos de dados
Data da versão dos bancos de dados: Ontem, 25/10/2022 12:07:00

Additional context

No response

benoitf commented 1 year ago

Hello @vandrep thanks for the report. We're using EV Code Signing Certificates on binaries to avoid these reports :-/

benoitf commented 1 year ago

I tried the podman-desktop0.9.0.exe on virus total

https://www.virustotal.com/gui/file-analysis/NmVhNWUxYWEwZmNjY2RlMDk1YjhkNTZlNDkwZGZiNTY6MTY2Njc4OTI0Mg==

and on the podman-machine installer https://www.virustotal.com/gui/file-analysis/NTE5YzUwYjJlZmRkYmMzOWYyNjBiMjU1YTlhYzg5NTA6MTY2Njc4OTQwNQ==

but it's all green.

it's also checking with Kaspersky

vandrep commented 1 year ago

Thanks for the quick response!!

The installer isn’t recognized indeed. The installation process completes with no problems.

But then, when podman-desktop starts, Kaspersky stops its process and starts the cleaning.

From the notifications that Kaspersky emits, the problem seems to be with the unpacked podman desktop.exe and also with podman-desktop.vbs.

benoitf commented 1 year ago

you may try to use the Podman Desktop installer (so it's not unpacking in a temporary directory the files) https://github.com/containers/podman-desktop/releases/download/v0.9.0/podman-desktop-0.9.0-setup.exe

benoitf commented 1 year ago

podman-desktop.vbs file is just a shortcut to start Podman Desktop

If possible, could you report the issue following https://forum.kaspersky.com/topic/pdmtrojanwin32generic-spiersedit-palaeontological-software-false-positive-19481/#comment-86154

I tried to submit on the Kaspersky portal and same result https://opentip.kaspersky.com/ (still clean)

vandrep commented 1 year ago

you may try to use the Podman Desktop installer (so it's not unpacking in a temporary directory the files) https://github.com/containers/podman-desktop/releases/download/v0.9.0/podman-desktop-0.9.0-setup.exe

I've just tried to install with this option on another machine with McAfee and the result was the same. After installing, the antivirus kills the Podman Desktop process and cleans it.

vandrep commented 1 year ago

The notification from McAfee complains about win-sshproxy.exe at Program Files\RedHat\Podman

vandrep commented 1 year ago

Here is the analysis:

Adaptive Threat Protection repaired C:\Program Files\RedHat\Podman\win-sshproxy.exe TargetType, because its reputation (Known Malicious) is below the configured Clean threshold.

Analyzer / Detector
Product name: McAfee Endpoint Security
Product version: 10.7.0.3437
Feature name: Real Protect Cloud

Threat
Action taken: Clean
Threat category: Malware Detected
Threat event ID: 35107
Threat handled: Yes
Threat name: Real Protect-PENGSD5!E99B3DBD9035
Threat severity: Critical
Threat timestamp: 26/10/2022 10:34 AM
Threat type: Trojan

Source
Source access time: 26/10/2022 10:34 AM
Source create time: 7/9/2022 1:08 PM
Source file path: C:\Program Files\RedHat\Podman
Source file size: 38739456
Source modify time: 7/9/2022 1:08 PM
Source process name: podman.exe

Target
Target hash: e99b3dbd90351aa0af056bffe1f4e9ca
Target name: win-sshproxy.exe
Target path: C:\Program Files\RedHat\Podman

vandrep commented 1 year ago

Just found this issue: https://github.com/containers/podman/issues/13415

@benoitf, from what I saw on this issue and in its linked issues, this problem shouldn't be happening anymore. But if that's not the case, please feel free to close this issue, ok?

FilipJirsak commented 1 year ago

Still happening with podman-desktop-0.9.1.exe with current Kaspersky database.

benoitf commented 1 year ago

@FilipJirsak is it possible to report the issue to Kaspersky support?

FilipJirsak commented 1 year ago

I'll try it.

cdrage commented 1 year ago

@FilipJirsak I've gone ahead and submitted a report to Kaspersky with regards to the false positive. I recommend following these steps: https://forum.kaspersky.com/topic/kaspersky-how-to-report-false-positive-22328/ and trying to submit it as well.

I'll update this issue if I get a reply back from Kaspersky!

jgowing commented 1 year ago

Just tried installing and running podman-desktop-0.11.0. Check Point Endpoint Anti-Malware detects PDM:Trojan.Win32.Generic in c:\users...\appdata\local\programs\podman-desktop\podman desktop.exe, so I'm not sure if Kaspersky is the problem.

cdrage commented 1 year ago

Which software was this error from? We can try submitting a false positive report again.

jgowing commented 1 year ago

My organization uses products from Check Point - https://www.checkpoint.com/ I don't know that much about it, but buried within their product line is an Anti-Malware software. Sorry, I should have looked more closely before posting. From what I can tell, I should be able to get my own security team to whitelist the executable.

cdrage commented 1 year ago

My organization uses products from Check Point - https://www.checkpoint.com/ I don't know that much about it, but buried within their product line is an Anti-Malware software. Sorry, I should have looked more closely before posting. From what I can tell, I should be able to get my own security team to whitelist the executable.

Yeah, from a quick Google search it does look like Check Point uses Kaspersky underneath: https://community.checkpoint.com/t5/Endpoint/Removal-of-Kaspersky-from-Endpoint-Security/td-p/143729

It's unfortunate; we've been submitting false positive reports for the past 3-4 months and have had nothing back from Kaspersky but sitting back and waiting.

There's been a few other Electron apps experiencing similar issues.

Jedi-5 commented 1 year ago

My organization uses products from Check Point - https://www.checkpoint.com/ I don't know that much about it, but buried within their product line is an Anti-Malware software. Sorry, I should have looked more closely before posting. From what I can tell, I should be able to get my own security team to whitelist the executable.

I am also facing the same issue, please help with this @benoitf

cdrage commented 1 year ago

My organization uses products from Check Point - https://www.checkpoint.com/ I don't know that much about it, but buried within their product line is an Anti-Malware software. Sorry, I should have looked more closely before posting. From what I can tell, I should be able to get my own security team to whitelist the executable.

I am also facing the same issue, please help with this @benoitf

Hi @Jedi-5

Unfortunately there's nothing we can do right now until it's resolved on Kaspersky's side. I'd either whitelist Podman Desktop or contact your system administrator to add an exception (we had one other user using Check Point who ended up going that route).
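Before adding an exception as suggested above, it is worth confirming that the quarantined file is the genuinely signed release and not something else that landed at the same path. The following PowerShell is an added example, not code from the Podman Desktop project: it checks the Authenticode signature (the thread states the binaries are EV code signed) and prints the SHA-256 in the URL forms used by the Kaspersky OpenTIP and VirusTotal links earlier in this thread. The file paths are the ones reported in this thread; the expected signer pattern is an assumption you should adjust to the publisher you expect.

```powershell
# Added example (not part of the Podman Desktop project). Run in PowerShell 5.1+ on the
# affected Windows machine. Paths below are the ones reported in this issue; any that do
# not exist are skipped.
$Candidates = @(
    "$env:LOCALAPPDATA\Programs\podman-desktop\Podman Desktop.exe",
    "C:\Program Files\RedHat\Podman\win-sshproxy.exe",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\podman-desktop.vbs"
)
# Assumption: the signer subject is expected to name the publisher; change as appropriate.
$ExpectedSubjectPattern = 'Red Hat'

function Test-ReleaseBinary {
    param([Parameter(Mandatory)][string]$Path)

    # Authenticode status: 'Valid' means the signature chains to a trusted root and the
    # file has not been modified since signing. 'NotSigned' on the .vbs shortcut is
    # expected; an EV-signed .exe that reports anything but 'Valid' is a red flag.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $verdict = if ($sig.Status -ne 'Valid') {
        "signature status '$($sig.Status)' - do not whitelist on this evidence alone"
    } elseif ($signer.Subject -notmatch $ExpectedSubjectPattern) {
        "signed, but by '$($signer.Subject)', not the expected publisher"
    } else {
        'signature valid and publisher matches'
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = if ($signer) { $signer.Subject } else { $null }
        Thumbprint  = if ($signer) { $signer.Thumbprint } else { $null }
        SHA256      = $hash
        # Same URL shapes as the links posted in this issue, for an independent second opinion.
        OpenTIP     = "https://opentip.kaspersky.com/$hash/results"
        VirusTotal  = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
        Verdict     = $verdict
    }
}

$Candidates |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-ReleaseBinary -Path $_ } |
    Format-List
```

If the AV has already quarantined the file, restore it to a quarantine-only location first or run the check against a freshly downloaded installer; a file that no longer exists at the path cannot be verified.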

Jedi-5 commented 1 year ago

My organization uses products from Check Point - https://www.checkpoint.com/ I don't know that much about it, but buried within their product line is an Anti-Malware software. Sorry, I should have looked more closely before posting. From what I can tell, I should be able to get my own security team to whitelist the executable.

I am also facing the same issue, please help with this @benoitf

Hi @Jedi-5

Unfortunately there's nothing we can do right now until it's resolved on Kaspersky's side. I'd either whitelist Podman Desktop or contact your system administrator to add an exception (we had one other user using Check Point who ended up going that route).

Sure @cdrage, will do that. Thanks a ton for the quick reply.

cdrage commented 1 year ago

It's been a few months since the last update.

Kaspersky is again showing an all-green: https://opentip.kaspersky.com/0B4F2A9273401045F1B42CF9D48E0A4A693857F2C83D4C4570C516DF028D192E/results

For users coming to this issue:

Try to update your virus database / download the newest version of Check Point / Kaspersky.

The latest Kaspersky database shows Podman Desktop as all green 🎉.

cdrage commented 1 year ago

Since we have had no new reports since February and Kaspersky is still showing our .exe as valid, I am going to close this.

At this point, our current solution is:

Update your virus database / download the newest version of Check Point / Kaspersky.

bbrandt commented 11 months ago

Seeing similar from Windows Security.


Behavior:Win32/SuspiciousScriptFileInStartupFolder.B!cl

This program is dangerous and executes commands from an attacker

file: C:\Users\BenBrandt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\podman-desktop.vbs