microsoft / pylance-release

Documentation and issues for Pylance
Creative Commons Attribution 4.0 International

extension.bundle.js detects as Trojan #4967

Open intervisionlord opened 11 months ago

intervisionlord commented 11 months ago

Related to https://github.com/microsoft/pylance-release/issues/2045 (new issue because that one was closed with the suggestion to create a new one)

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.20\dist\extension.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\.5535db6a-7490-40c1-9942-044aa4c537ed\dist\sync.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.10\dist\server.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.10\dist\extension.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

intervisionlord commented 10 months ago

New alerts today, after the AV removed the previous files:

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\sync.bundle.js
Riskware.Script.Obfuscated.kcdfgx

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\server.bundle.js
Riskware.Script.Obfuscated.kcdfgx

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\extension.bundle.js
Riskware.Script.Obfuscated.kcdfgx

judej commented 10 months ago

One option to fix this is to

intervisionlord commented 10 months ago

It’s not entirely clear how running the action on the GitHub platform will help fix the problem that, when you try to update the extension, the antivirus complains about the downloaded files of this extension.

rchiodo commented 10 months ago

Jude was talking about how we're going to fix the problem. The bytes in our obfuscated output are matching the signature used to identify the trojan. Obfuscation generates random hex values for the names of functions and occasionally we end up matching some series of bytes for a virus. One solution would be for us to check for this scenario and if it happens, redo the obfuscation.

intervisionlord commented 10 months ago

Thanks a lot for the explanation

rocka0 commented 10 months ago

I just wanted to add my own experience. I recently performed a full scan on my system and it seems Pylance was somehow involved in what got flagged as a trojan:

[image: screenshot of the antivirus scan result]

Should I be worried or was this just a false positive?

rchiodo commented 10 months ago

It should be a false positive. We believe the obfuscated code is generating a byte pattern that matches some trojan. You can double check that you have the released version by installing it directly from the marketplace.

intervisionlord commented 10 months ago

I tried to completely remove the extension from VS Code and install the latest version from the store, and upon installation the antivirus complaint occurs again:

Name: c:\users\*****\.vscode\extensions\ms-python.vscode-pylance-2023.10.40\dist\extension.bundle.js
Process: c:\users\*****\appdata\local\programs\microsoft vs code\code.exe(19416)
Signature: Riskware.Script.Obfuscated.kcdfgx

> It should be a false positive. We believe the obfuscated code is generating a byte pattern that matches some trojan. You can double check that you have the released version by installing it directly from the marketplace.

I believe this could potentially be a false positive. But I believe even more that I installed the antivirus for a reason. And trusting this or that application without a reason, based only on the promises of the developers, is not the smartest idea. Try to understand my concerns.