jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
12.35k stars 1.32k forks

Resolve Anti-virus false positive #229

Open aaronps opened 3 years ago

aaronps commented 3 years ago

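I tried the following:

  • Downloaded twice
  • Checked the hashes
  • Uncompressed with 7zip
  • Uncompressed with gunzip in git bash prompt
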
As soon as chisel.exe is written, the antivirus complains.

I see this is the second time something similar happens: #157. I'm not going to use this or try to compile from source, but at least I'm letting you know it happens.

I recommend checking the binaries on a Windows system before uploading to GitHub.

jpillora commented 3 years ago

Unfortunately there’s not much I can do. It’d be great to get someone with Go experience and a Windows machine to figure out what’s causing the false positive.

On Thu, 24 Dec 2020 at 8:43 pm Aaron Perez Sanchez notifications@github.com wrote:

I tried the following:

  • Downloaded twice
  • Checked the hashes
  • Uncompressed with 7zip
  • Uncompressed with gunzip in git bash prompt

As soon as chisel.exe is written, the antivirus complains.

I see this is the second time something similar happens: #157 https://github.com/jpillora/chisel/issues/157. I'm not going to use this or try to compile from source, but at least I'm letting you know it happens.

I recommend checking the binaries on a Windows system before uploading to GitHub.


lsjeng commented 3 years ago

Kaspersky Lab. antivirus: chisel_1.7.3_windows_amd64 -> HEUR:HackTool.Win32.Chisel.a

I tried to compile from source, but Kaspersky Lab antivirus still complains.

MeestorX commented 3 years ago

I submitted a false positive to Avast and Windows AntiSpam (or whatever it's called today), and so far only Avast has replied.

Hello,

Thank you for submitting this.

Our virus specialists have removed the threat detection, however, it will be still classified as a PUP - potentially unwanted.

Please find further details in the following article: Avast Clean Guidelines.

With regards,

Avast Customer Care

jpillora commented 3 years ago

Compiled a Windows executable from source and submitted it to VirusTotal:

https://www.virustotal.com/gui/file/5e226f43e42af9a0ba5a7a9364813bc97bb8e0373b0a1522eaa1ccdfe857b49b/detection


So for future reference, compiling from source won't help.

I guess it's technically correct. It can be used as a "hack tool" but so can ssh(1). I'll leave this open so people can find it, though I'm not sure what we can do other than put anti-anti-virus measures in place, and I don't want to go down that road, though I'm open to other solutions.

brandonros commented 2 years ago

Is there a PowerShell command that achieves the same as clicking into Windows Defender control panel -> "Allow threat" -> Start actions?

xinhuang commented 2 years ago

For those who aren't looking for an alternative: I used a hex editor and replaced all chisel with murloc (case insensitive, any 6-char string should work) so that it bypassed Windows Defender. Tested both 32 and 64 bit on Version: 1.7.6 (go1.16rc1).