jpillora / chisel

A fast TCP/UDP tunnel over HTTP
MIT License
13.69k stars 1.41k forks

Virus Total and Avast think chisel.exe is a virus #336

Open dillfrescott opened 2 years ago

dillfrescott commented 2 years ago

It doesn't have a very good score on VirusTotal and Avast keeps blocking it...

rwhitcroft commented 2 years ago

Try compiling the server and client, then sed -i 's/chisel/chizzl/g' on both client and server binaries to change every occurrence of "chisel" to "chizzl". This is enough to evade Windows Defender and other lazy AV checks.

dillfrescott commented 2 years ago

May I ask why it detects it as malicious in the first place?

rwhitcroft commented 2 years ago

I assume because it can be used as a hacking tool (which is what we use it for), if that's what you mean? A really easy way for AV to flag stuff is to do a simple text search on the binary. Maybe some string in the usage/help text is enough to trigger it.

dillfrescott commented 2 years ago

Ohhh, sorry, didn't think of that. Thank you for the response!

ghost commented 2 years ago

Is it safe to use this workaround? It can be detected by AVs later... right?

rwhitcroft commented 2 years ago

It'll work until Defender improves its signature to detect it. If it does, we just figure out what it's flagging now and obfuscate that too. Remember I'm only talking about Defender here - other AVs may not be tricked by a simple text change from chisel to chizzl (or any other 6-char string).
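The brittleness described in the comments above, seen from the detection side, as an added example that is not part of the thread or of chisel's code: a literal string signature is compared with one that wildcards the name token, so a same-length rename still matches. The signature strings, the sample blobs and all function names are constructed for illustration and are not taken from any real chisel build or AV product.

```python
import re

NAME = b"chisel"  # the token the thread says a literal signature keys on

# Constructed stand-ins for strings a scanner might key on; they are NOT
# copied from any real chisel build.
SIG_STRINGS = [
    b"Usage: chisel [command] [--help]",
    b"chisel server [options]",
    b"chisel client [options] <server> <remote>",
]

def literal_match(blob: bytes) -> bool:
    """Naive signature: every string must appear byte-for-byte."""
    return all(s in blob for s in SIG_STRINGS)

def masked_patterns(strings, name=NAME):
    """Regex per string, with the name replaced by a same-length wildcard."""
    wildcard = b"[\\x21-\\x7e]{%d}" % len(name)  # any printable, non-space run
    return [re.compile(wildcard.join(re.escape(part) for part in s.split(name)))
            for s in strings]

MASKED = masked_patterns(SIG_STRINGS)

def masked_hits(blob: bytes) -> int:
    """How many masked strings occur somewhere in the blob."""
    return sum(1 for rx in MASKED if rx.search(blob))

def masked_match(blob: bytes, threshold: int = 2) -> bool:
    """Require several independent hits so one lookalike line is not enough."""
    return masked_hits(blob) >= threshold

def make_blob(strings, pad=b"\x00\x7fpadding\x00"):
    """Constructed fake 'binary': the strings separated by filler bytes."""
    return pad + pad.join(strings) + pad

ORIGINAL = make_blob(SIG_STRINGS)
RENAMED = ORIGINAL.replace(b"chisel", b"chizzl")  # same-length rename from the thread
# Unrelated tool whose usage line happens to have a 6-character name too.
UNRELATED = make_blob([b"Usage: backup [command] [--help]", b"copies files nightly"])

def scan(blob: bytes) -> dict:
    return {"literal": literal_match(blob), "masked": masked_match(blob)}

if __name__ == "__main__":
    for label, blob in [("original", ORIGINAL), ("renamed", RENAMED),
                        ("unrelated", UNRELATED)]:
        print(label, scan(blob), "masked hits:", masked_hits(blob))
```

The unrelated blob scores one masked hit, which is why the masked check needs a threshold: loosening a signature to survive renames raises the false-positive risk that the thread's "compile it yourself and still get flagged" complaints point at.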

James4Ever0 commented 4 months ago

I think the releases of the software are a virus. My server has unexpected access records showing up after using this software. I advocate everyone who is using this software to review the code of it as thoroughly as possible and compile it yourself.

jpillora commented 4 months ago

The last release was August last year. Compiled by GitHub Actions, the CI code is here in the repo. Only I can release chisel. My account has MFA. So this is extremely unlikely. Can you post evidence for this claim?

Note: if you read other related issues, some AVs report a virus even when you compile it yourself. It’s not that it’s malicious, it’s that there is an AV scanning signature made for chisel.
