golang / vscode-go

Go extension for Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=golang.Go

Detected as Virus/Trojan by Microsoft Defender when installed from VS code #3182

Closed adic3x closed 7 months ago

adic3x commented 7 months ago

Extension installed from VS Code downloaded from official site (https://code.visualstudio.com/)

*:\Users***.vscode\extensions\golang.go-0.41.0\bin\vscgo.exe (MD5 c93025a0a7a7ac3db48a0333af22fd0e)

Detected: Trojan:Win32/Wacatac.B!ml

Cool.

jkruza commented 7 months ago

I just got the same...

joeyell commented 7 months ago

Same here

ecerichter commented 7 months ago

I've updated the MSAV, and the problem remains. Does this file present a real threat, or is it a false positive?

hyangah commented 7 months ago

This is a false positive. This is https://github.com/golang/vscode-go/blob/master/vscgo/main.go and also see https://go.dev/doc/faq#virus.

Question for Windows users: An alternative I am thinking of is to package a precompiled binary with the extension, instead of letting the extension install the binary using go install when getting activated. But it is unclear to me if that's sufficient to make those virus scanners silent. As far as I know, other extensions also bundle Go binaries, for example GH Copilot or Google Cloud Code. Have the virus scanners complained about them?

adic3x commented 7 months ago

Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.308.0) fixes this issue, so it really looks like a false positive.

From the beginning I thought it was more likely an M$ problem. Anyway it would be nice if the golang developer team and M$ both collaborated to avoid false positives without compromising the security of the system.

jkruza commented 7 months ago

@hyangah,

thanks for the quick response. I think everyone here was suspecting a false positive, but we needed someone to check and confirm :)

> But it is unclear to me if that's sufficient to make those virus scanners silent

Not sure either - most likely the presence/use of the binary is the trigger, not the way it was delivered...

Lercher commented 7 months ago

I'm getting this, which I guess is related. However, I don't know if it's due to some corporate policy:

qmuntal commented 7 months ago

> Question for Windows users: An alternative I am thinking of is to package a precompiled binary with the extension, instead of letting the extension install the binary using go install when getting activated. But it is unclear to me if that's sufficient to make those virus scanners silent.

This will help lower the chances of a false positive. MS Defender doesn't like applications that install software without user interaction.

rmc47 commented 7 months ago

> Question for Windows users: An alternative I am thinking of is to package a precompiled binary with the extension

This, coupled with signing the binary with a code signing certificate, would be the best bet: most anti-malware solutions attach reputation to both the file hash (which will vary by release) and the certificate used to sign it (which will vary much more rarely), so code signing any PEs is a really good way of avoiding reputation-based false positives.

(Sadly it does come with a financial cost for the certificate, though - there's no equivalent of Let's Encrypt for code signing certs - yet!)
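
As an added example (not part of the thread or of the vscode-go project), the PowerShell function below collects the facts the comments above rely on when judging a detection like this one: the installed Defender security intelligence version compared with the one reported to clear the detection, any recorded detection for the file, its hashes, and its Authenticode status. The function name and output fields are assumptions; the MD5 and version defaults are the values quoted in the thread.

```powershell
# Added example: triage a Defender detection on a locally installed tool binary.
# Function name and output fields are illustrative, not from the vscode-go project.
function Get-FlaggedBinaryTriage {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # MD5 quoted in the original report; a binary built on another machine may differ.
        [string] $ReportedMd5 = 'c93025a0a7a7ac3db48a0333af22fd0e',
        # Security intelligence version reported in the thread as clearing the detection.
        [version] $FixedIntel = '1.405.308.0'
    )
    $result = [ordered]@{ Path = $Path }

    # Is the installed security intelligence older than the version reported to fix this?
    $current = [version] (Get-MpComputerStatus).AntivirusSignatureVersion
    $result.SecurityIntelligence = $current
    $result.IntelAtOrAfterFix    = $current -ge $FixedIntel

    # Recorded detections whose resources mention this exact path.
    $hits = @(Get-MpThreatDetection |
        Where-Object { $_.Resources -match [regex]::Escape($Path) })
    $result.DetectionCount = $hits.Count
    $result.DetectedAs = @($hits | ForEach-Object {
            (Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue).ThreatName
        } | Select-Object -Unique)

    if (Test-Path -LiteralPath $Path) {
        # File hash: one of the two things reputation attaches to; changes every build.
        $result.Md5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash.ToLower()
        $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLower()
        $result.MatchesReportedMd5 = $result.Md5 -eq $ReportedMd5

        # Signing certificate: the other one. A locally built binary is expected
        # to report NotSigned, so it has no certificate reputation to lean on.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        $result.SignatureStatus = $sig.Status
        $result.Signer          = $sig.SignerCertificate.Subject
    }
    else {
        $result.Note = 'File not present (quarantined or removed); hashes unavailable.'
    }
    [pscustomobject] $result
}
```

Call it as `Get-FlaggedBinaryTriage -Path <full path to the flagged vscgo.exe>` in a session where the Defender cmdlets are available.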

gopherbot commented 7 months ago

Change https://go.dev/cl/565679 mentions this issue: extension/src/goMain: skip vscgo installation on windows

gopherbot commented 7 months ago

Change https://go.dev/cl/565680 mentions this issue: [release] extension/src/goMain: skip vscgo installation on windows

hyangah commented 7 months ago

We are going to release v0.41.1 tomorrow. The version disables vscgo invocation on Windows.

Release candidate - https://github.com/golang/vscode-go/releases/tag/v0.41.1-rc.1

#3186 is the issue to revise the release workflow and reenable vscgo.

Thanks for reporting and investigating this issue.