Closed SkewedZeppelin closed 1 month ago
Thanks, I have forwarded to the devs and will follow up.
As mentioned in the thread, it's not the first time an installer is flagged by antivirus as a false positive.
Thanks. I'm not too concerned, but 29 detections seemed a bit high for the usual false positive.
As you may have seen elsewhere, ideally we would automatically submit new builds to get alerted as soon as possible, but it has not been a priority so far.
This file is NSIS's localization support.
It has had this hash since 13.5a4 (I read in the changelogs that we updated NSIS to 3.09 in that release and switched from GCC to Clang) (...) Anyway, a false positive almost for sure.
The reason our installers (and Ricochet's) are flagged but others aren't is that not many projects build with this configuration (64-bit + mingw-clang). The course of action here is probably to report the false positive to the antivirus vendors.
I'll note that the previous alpha didn't have the install variant, since this is a WIP, which is probably why this has not been encountered yet.
@ruihildt appreciate the clarification
I suspect the real issue is that, for whatever reason, it is triggering Windows error reporting, which makes it look like it makes network connections, which is why it gets flagged.
Is it perhaps compiled in some debug release mode?
I suspect the real issue is that for whatever reason it is triggering Windows error reporting
What do you mean? Have you seen crashes in that DLL?
In 13.5a4 we switched from GCC to Clang also for NSIS (we finally found a way to build the system plugin without the full GCC). We also updated to NSIS 3.09, but in my various tests of the system installer I didn't get any crash. NSIS isn't officially compatible with Clang (because of the system plugin, which uses a preprocessed assembly module), so we have to patch it. So, basically nobody has the same signature as us (still, our builds are reproducible byte by byte, so you can check that we're not adding malware to the builds).
Of course, we are ready to revert these changes, if needed.
However, we sign only the final installer; we don't sign any other binary, neither the ones that get installed, nor the ones that get extracted to a temporary directory to be used by the installer itself (like this LangDLL.dll).
Is it perhaps compiled in some debug release mode?
I think we build in release. We don't really specify the mode, but if I understand correctly scons (the tool used by NSIS) builds in Release by default.
I will close this as latest alphas don't seem to trigger any antivirus flags. See: https://www.virustotal.com/gui/file/440979e7ee48ad6300ca868435009f6ad9444d798c8dffbbe90c6a8d3ae9721c
Feel free to open a new issue if needed.
Latest mullvad-browser-windows-x86_64-install-13.5a6.exe appears to drop a file LangDLL.dll which has 29 detections on VirusTotal: https://www.virustotal.com/gui/file/cda679d62e2852d900f412239e7c01a64a928db6c0cc03b8fa0c1eabdfe815c4
Reported here https://discuss.privacyguides.net/t/mullvad-browser-trojan-script-wacatac-b-ml/17753