marcus-crane / october

A simple GUI for retrieving Kobo highlights and syncing them with Readwise
https://october.utf9k.net
MIT License

Codesign October on Windows to avoid Windows Defender quarantining #41

Closed marcus-crane closed 2 years ago

marcus-crane commented 2 years ago

In line with https://github.com/marcus-crane/october/discussions/39#discussioncomment-2555562, I've fired up a Windows VM and to my surprise, the newest version of October gets quarantined by Windows Defender.

This wasn't the case with 0.9.4-post2 so I'll need to review any added dependencies to see if they're triggering this issue.

marcus-crane commented 2 years ago

FYI @leaanthony

marcus-crane commented 2 years ago

The NSIS Installer isn't new so that seems fine 🤔

marcus-crane commented 2 years ago

I've filed a submission to the Microsoft Security Intelligence team so hopefully they should be able to get back to me shortly with an update on why October is being flagged by Windows Defender.

marcus-crane commented 2 years ago

Interestingly, the one segment of October that is detected is only marked as malicious using the Cloud definitions. Apparently the Client definitions are fine. It's not really clear what either of those things mean but I guess client is perhaps a Windows VM running checks?

Anyway, the results are still processing and it'll be probably a few days until I get a response.

CleanShot 2022-04-13 at 18 41 06

marcus-crane commented 2 years ago

Well, this is dumb. v1.0.2 is apparently clear even though it has exactly the same software content as v1.0.1 (besides being compiled with CGO_ENABLED=1) so I'm pretty clearly leaning towards a false positive here. Hopefully Microsoft can shed some light.

CleanShot 2022-04-13 at 18 55 40

leaanthony commented 2 years ago

It might be the embedded webview2 bootstrapper i guess? You could always compile with the -download flag instead of -embed and see if that makes a difference?

marcus-crane commented 2 years ago

I received a response from the Microsoft Defender team:

The warning you experienced indicates that the application had not established reputation with the Microsoft Defender SmartScreen Application Reputation feature at that time. We can confirm that the application "october.exe" (SHA256 "c0d25673e712364601b4e1a462e8373a46eba338aefa87960aa49831d33e1c95") has since established reputation and attempting to download or run the application should no longer show any warnings.

Please note, however, that the submitted files are not signed using a valid digital certificate. Unsigned files will have to establish reputation each time a new version is released.

Application Reputation warnings are meant to indicate when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown.” Users can still proceed to download and run the application. If establishing reputation immediately is critical, you may want to consider investing in an EV Authenticode certificate. A valid EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists.

In order to be considered a valid EV certificate, the certificate must be issued by a Certificate Authority that is authorized by the Microsoft Trusted Root Certificate Program and recognized as an Extended Validation issuer.

Thank you for contacting Microsoft.

While the macOS build is signed with my own developer certificate, I figured there might be an equivalent for Windows builds but it wasn't quite so clear what the consequences were.

I guess I'll need to invest in an EV Authenticode certificate to sign the Windows builds so they aren't accidentally marked as malicious every time I do a release.
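As an added illustration (not code from the October project), the check a user or maintainer can run on a downloaded release to confirm it matches the SHA256 Microsoft quoted above and to see whether Windows considers it signed; the file path is an assumption:

```powershell
# Added example, not part of the October repository.
# Verifies a release binary against the SHA256 quoted in Microsoft's reply and
# reports its Authenticode signature status. $Path is assumed for this example.
param(
    [string]$Path = ".\october.exe",
    [string]$ExpectedSha256 = "c0d25673e712364601b4e1a462e8373a46eba338aefa87960aa49831d33e1c95"
)

# 1. Integrity: does the downloaded file match the hash Microsoft cleared?
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
if ($hash -ne $ExpectedSha256.ToLowerInvariant()) {
    Write-Warning "SHA256 mismatch: got $hash, expected $ExpectedSha256"
} else {
    Write-Host "SHA256 matches the hash quoted by Microsoft"
}

# 2. Authenticity: is the binary Authenticode-signed, and by whom?
#    'NotSigned' is the situation described in this issue; 'HashMismatch'
#    means the file was modified after signing; 'Valid' means a trusted chain.
$sig = Get-AuthenticodeSignature -FilePath $Path
switch ($sig.Status) {
    'Valid'     { Write-Host "Signed by: $($sig.SignerCertificate.Subject)" }
    'NotSigned' { Write-Warning "Unsigned build: SmartScreen treats each new release as unknown" }
    default     { Write-Warning "Signature status: $($sig.Status) - $($sig.StatusMessage)" }
}

# 3. Mark-of-the-Web: the Zone.Identifier stream is what makes Windows apply
#    SmartScreen reputation checks to a downloaded file. Show it if present.
if (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Get-Content -Path $Path -Stream Zone.Identifier
} else {
    Write-Host "No Zone.Identifier stream (file was not flagged as downloaded)"
}
```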

marcus-crane commented 2 years ago

Unsurprisingly they aren't cheap 💰 Anyway, I probably need to do #42 first since I don't think I can do Windows codesigning on a macOS build agent

marcus-crane commented 2 years ago

This was completed by #54