mesonbuild / meson

The Meson Build System
http://mesonbuild.com
Apache License 2.0

Virus detected in .msi installers of 0.56.2, 0.56.1 #8285

Open amezin opened 3 years ago

amezin commented 3 years ago

0.56.2 is detected by Microsoft Defender as Trojan:Win32/Ymacco.AA80

I understand that there could be 1-2 false positives. But 18 seem too suspicious.

gregsskyles commented 3 years ago

When I flagged the 0.56.2 detection to the folks at Malwarebytes, they cleared it almost immediately as a false positive. This was in part because it was detected by their AI-based heuristic detector, and not because of an actual validated signature based on known malware.

I'm guessing that the business of 'exe-ifying' the Python script (if you have run the installer, the resulting MESON.EXE file was also flagged) looks a bit dodgy to antivirus software.

On 01-Feb-21 12:24, Aleksandr Mezin wrote:

* 0.56.0: zero detections: https://www.virustotal.com/gui/file/57b949555708567b3d7f5153d51a42d5f917f8ffca9bdbd550ee220025588e40/detection

* 0.56.1: detected by 7 engines: https://www.virustotal.com/gui/file/24242aae3d307c3f174815c8a14cbef0b0b5ea1a182093064c44b7906214d2b5/detection

* 0.56.2: detected by 18 engines: https://www.virustotal.com/gui/file/4213cbeef0619887509ee236641cb4f58e61e984e4df8feb1cba993bff313695/detection

0.56.2 is detected by Microsoft Defender as Trojan:Win32/Ymacco.AA80

I understand that there could be 1-2 false positives. But 18 seem too suspicious.


cbu392 commented 3 years ago

Flagged by 17 antivirus engines! https://www.virustotal.com/gui/file/4213cbeef0619887509ee236641cb4f58e61e984e4df8feb1cba993bff313695/detection

jpakkane commented 3 years ago

The MSI packages are built on a separated VM that is not used for anything else. Thus it is unlikely (though possible) to contain an actual virus. This is a sucky situation to be in, though, because all future releases are probably going to be similarly flagged. Is there a way to fix this issue somehow?

tylerretzlaff commented 3 years ago

There are two separate points where the .msi is being blocked; this comment addresses the one raised when trying to download the .msi (as opposed to false detection when actually installing or trying to run meson.exe).

When downloading, the warning indicates that the application had not established reputation with the Microsoft Defender SmartScreen Application Reputation feature at that time.

The .msi is not signed using a valid digital certificate. Unsigned files will have to establish reputation each time a new version is released. Application Reputation warnings are meant to indicate when applications do not have known positive reputation. This doesn’t mean that the application is malicious, only that it is “unknown.” Users can still proceed to download and run the application.

If establishing reputation immediately is critical, you may want to consider investing in an EV Authenticode certificate. A valid EV Authenticode certificate can immediately establish reputation with SmartScreen reputation services even if no prior reputation exists. In order to be considered a valid EV certificate, the certificate must be issued by a Certificate Authority that is authorized by the Microsoft Trusted Root Certificate Program and recognized as an Extended Validation issuer.

eli-schwartz commented 3 years ago

I think those are also pretty expensive, and no one is offering free EV certification to open source software in the public interest...

According to Google, Certum offers a relatively cheap open source option, but that still costs money on a profitless endeavor.

amezin commented 3 years ago

0.57.1 isn't detected by MS Defender anymore (now I can download .msi on a fresh Windows 10 VM and it doesn't get deleted immediately at least)

gregsskyles commented 3 years ago

On the other 'part' of the issue (the meson.exe file itself, not the installer), this report from Hitman Pro indicates that there might be a couple of things to do to make the exe look better to AV software:

Name    meson.exe
Location    C:\Users\GregSkyles\Downloads\capa
Size    2.9 MB
Time    51.4 days ago (2021-02-09 23:41:49)
Entropy    8.0
SHA-256 801D0D9E9812B65221AA6A364482211638ACD7062EE1F154AEE153BA6A420071

Detection Names
Bitdefender    Trojan.GenericKD.45623169

Scoring (114.0)
One or more antivirus vendors have indicated that the file is malicious.
Entropy (or randomness) indicates the program is encrypted, compressed
or obfuscated. This is not typical for most programs.
Authors name is missing in version info. This is not common to most
programs.
Version control is missing. This file is probably created by an
individual. This is not typical for most programs.

I'm not sure how much effort it would take to add author and version control information; does this also take an expensive code-signing certificate?
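The "Entropy 8.0" line in the report above can be reproduced with a byte-entropy measurement. This is an added example, not part of the thread or of Meson's code: it assumes, as is usual for frozen Python executables, that the bundled modules are stored compressed, and it runs on a constructed stand-in (`build_sample`, a hypothetical helper) rather than on the real meson.exe.

```python
import hashlib
import math
import zlib
from collections import Counter

WINDOW = 4096

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, window: int = WINDOW):
    """(offset, entropy) per full window. A short tail is skipped: n bytes can
    never score above log2(n) bits, so it would look misleadingly 'plain'."""
    last = max(len(data) - window, 0)
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, last + 1, window)]

def high_entropy_share(data: bytes, threshold: float = 7.0) -> float:
    """Fraction of windows at or above the threshold (assumed cut-off)."""
    profile = entropy_profile(data)
    return sum(h >= threshold for _, h in profile) / len(profile)

def build_sample() -> bytes:
    """Constructed stand-in for a frozen executable: a plain loader stub
    followed by a zlib-compressed bundle. Not a real PE file."""
    stub = (b"This program cannot be run in DOS mode.\x00" * 256)[:2 * WINDOW]
    # Deterministic filler playing the role of bundled Python modules.
    modules = b"".join(hashlib.sha256(str(i).encode()).hexdigest().encode()
                       for i in range(4000))
    return stub + zlib.compress(modules, 9)

if __name__ == "__main__":
    sample = build_sample()
    print(f"whole file: {shannon_entropy(sample):.2f} bits/byte")
    print(f"windows >= 7.0: {high_entropy_share(sample):.0%}")
    for off, h in entropy_profile(sample)[:4]:
        print(f"  offset {off:#07x}: {h:.2f}")
```

The per-window profile shows where the high-entropy bytes sit, which a single whole-file figure like the report's 8.0 does not.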

eli-schwartz commented 3 years ago

https://github.com/mesonbuild/meson/blob/558a7bc6ff875f233b2ab7531e59e296b98032bd/packaging/createmsi.py#L189-L196

Version is there in the WiX generator script? Author is not, but Manufacturer is.

AlpyneDreams commented 2 years ago

This problem is occurring again on 0.60.2 for both the MSI and meson.exe. Microsoft Defender is flagging it again.

0.60.2 MSI: https://www.virustotal.com/gui/file/2900f8b9d400222e0b9b949a988a3e0dfe58687d3638c2637555f8d530065b56

0.60.2 meson.exe: https://www.virustotal.com/gui/file/6327979f549dececc6f924a451d2f3d4448110fac6a62a4ba2595c480648ba22

The MSI for 0.60.1 and 0.60.1.1 both trigger multiple AVs, but not Microsoft Defender, which is only happening again with 0.60.2

gregsskyles commented 2 years ago

Interesting; I just tried to run the 0.60.2 msi on my Win 10 system, and MS Defender said nothing. And yet on VirusTotal it shows as detected by MS Defender Microsoft as Trojan:Win32/Sabsik.FL.B!ml

My guess is a false positive (the !ml suffix smells of machine learning based similarity to other malware seen in the past).

AlpyneDreams commented 2 years ago

Should note I am on Windows 11.

jpakkane commented 2 years ago

I suspect that as long as there are viruses made with Python, these false positives will keep popping up and we can't really prevent it. The best you can do is to report these to AV vendors and hope for the best. :(

eli-schwartz commented 2 years ago

Well, you could also throw money at Microsoft and bribe them to say you're a known, trusted OSS project with an EV cert...

(lol)

gbeatty commented 2 years ago

ClamAV is flagging the latest 0.61.2 Windows installer msi.

Flagging: meson-0.61.2-64.msi/meson.cab/dist_meson.exe

Threat: Win.Malware.Teddy-9918275-0