oxen-io / oxen-core

Oxen core repository, containing oxend and oxen cli wallets
https://oxen.io

Antivirus false alarm of oxend.exe and oxen-wallet-rpc.exe from multiple vendors #1650

Open venezuela01 opened 1 year ago

venezuela01 commented 1 year ago

There are Windows users reporting that their antivirus software mislabels multiple versions of oxend.exe as Trojan/CoinMiner.dr

Antivirus software homepage: https://www.huorong.cn/

I guess oxen-core shares some code with Monero, and Monero was commonly used for coin miner viruses; as a result, antivirus software detects similar code fingerprints in oxend.exe and misclassifies it as a coin miner virus.

I'm asking the user to upload oxend.exe to https://www.virustotal.com/gui/home/upload, will update this ticket later.

See also: https://github.com/oxen-io/session-android/issues/1268

venezuela01 commented 1 year ago

https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b

[Screenshot: virustotal]

venezuela01 commented 10 months ago

Update: Today someone in the Session community complained that anti-virus software reports Oxen as a virus.

@KeeJef

KeeJef commented 10 months ago

Which AV program was reporting and on which Oxen version?

venezuela01 commented 10 months ago

> Which AV program was reporting and on which Oxen version?

If you follow the link in the 2nd comment (https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b), you can see the Oxen version "oxen-electron-wallet-1.8.1-win.exe"

The screenshot also states which AV vendor labels Oxen as a virus. Let me know if you need more specific information. I don't have first-hand information either; it was reported by someone in the Session community without a specific AV program name. I tagged @KeeJef in the community but you might have missed that.

KeeJef commented 10 months ago

Because so many virus scanners are raising this as a false flag, this one is going to be hard to resolve; I'll try reaching out to some of those providers.

venezuela01 commented 10 months ago

> Because so many virus scanners are raising this as a false flag, this one is going to be hard to resolve; I'll try reaching out to some of those providers.

Thank you very much.

If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

I understand the team is busy and has its priorities. If the team's knowledge can be shared with the community, the community can apply the same knowledge and contribute more when the team is unable to free themselves from multiple tasks.

KeeJef commented 10 months ago

> If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.

venezuela01 commented 10 months ago

> If you could share your knowledge and experience on how you approached antivirus providers last time, I would greatly appreciate it. I can then reach out to some of the providers using the same approach.

> I wish I could say it's an easy process, but most of the time it involves manually reaching out to the antivirus operator or parent company and filing a false positive report. Some providers seem to share definition databases, so often you can kill two birds with one stone by reaching out to parent companies. I reached out to Avast today; that should resolve the AVG and Avast flags. Let's see if it resolves others as well.

Understood, thanks for sharing! I'll wait for a week and follow up next Thursday.

venezuela01 commented 10 months ago

Avast and AVG still report Oxen as a virus:

https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1

Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef

KeeJef commented 10 months ago

I'm yet to receive a reply from Avast, unfortunately.

venezuela01 commented 10 months ago

> I'm yet to receive a reply from Avast, unfortunately.

Thank you very much. Would you mind sharing a bit more knowledge? The last time you contacted Avast about the false alarm for Android sessions, how long did it take to receive a reply, and how long did it take to resolve the false alarm?

venezuela01 commented 10 months ago

I also sent a false positive report to AVG, and I received an email from support@help.avg.com a few days later. I'll post an update if there is any progress.

KeeJef commented 10 months ago

> Avast and AVG still report Oxen as a virus:
>
> https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1
>
> Have you received any updates from them? Have they acknowledged that this is a false alarm? @KeeJef

Still haven't received anything back from them; last time I got a response within a week.

venezuela01 commented 9 months ago

I received an update from Avast:

> Along with the Avast virus specialist, we’ve checked the reported file and changed the threat detection to PUP (potentially unwanted program). The PUP detection is due to lack of compliance with Avast’s clean software policy.
>
> For more information, refer to this article: Avast Threat Labs - Clean guidelines
>
> If you are the owner of the reported file and want to change the detection to clean, feel free to contact us again for a new analysis as soon as the file matches the Avast guidelines.
>
> Thank you for understanding.

I rechecked https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1 and found that both AVG and Avast have updated the status to PUP (potentially unwanted program).

venezuela01 commented 9 months ago

@KeeJef

Update: both Avast and AVG have responded again and marked the Oxen wallet as valid:

Avast:

> Our virus specialists checked the situation again. Based on the findings, the GUI wallet has no violations, but the installed file in resources has the ability to start mining. Wallet detection will be removed, which will be reflected in Avast apps within 24 hours. The detection for the miner executable is evaluated from our side as valid.

AVG:

> Along with AVG virus specialists, we've checked the reported file. Based on the findings, the detection was removed - https://www.virustotal.com/gui/file/2088a891ce5eab91351655492afb06427b1bc731a80289f904bb07401672c15b?nocache=1. The file is now marked as clean in the AVG virus database. This change may take up to 24 hours to take full effect. Please accept my apology for the inconvenience caused.

venezuela01 commented 9 months ago

I'll contact the rest of the false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors

https://github.com/namazso/VirusTotal-FPContacts

KeeJef commented 9 months ago

Ok great!

> I'll contact the rest of the false positives using the list from https://support.virustotal.com/hc/en-us/articles/115002146809-Contributors

venezuela01 commented 9 months ago

For the record, AVG recommends that we follow their guidelines:

Cryptomining Behavior Guidelines

https://support.avg.com/SupportArticleView?l=en&urlname=avg-threat-lab-cryptomining-behavior-guideline

Mobile Application Clean Guidelines

https://support.avg.com/SupportArticleView?l=en&urlName=avg-threat-lab-mobile-application-clean-guideline&supportType=home

PC Application Clean Guidelines

https://support.avast.com/en-us/article/threat-lab-clean-guideline/#pc

Perhaps some of these guidelines could also be useful for Session/Lokinet as well.

venezuela01 commented 9 months ago

From newvirus @ kaspersky.com

Ticket number [KL-2086153]

> Modules oxend.exe and oxen-wallet-rpc.exe are relying on RandomX algorithm. Feel free to remove the code no longer in use and the CryptoMiner classification should disappear on its own. If it doesn't - you can send us the updated build and we can evaluate it on our side.

From samples @ eset.sk

[TRACK#656814FD016B]

> Our detection is based on recognition of mining capabilities in the software. Please take into account that it does not matter whether mining is runnable or not, it is sufficient we can recognise the code for it. If only RandomX code in your software is responsible for mining and it is no longer used, it could be removed. If our detection persists after the removal of the code responsible for mining, it would be a false positive. As long as there are mining capabilities detected, the detection is correct from our point of view.

From http://mailcenter.rising.com.cn/filecheck_en

Ticket RS20231208101522055421

From support @ sophos.com

Ticket 07127730

venezuela01 commented 9 months ago

Update:

I have contacted about 20 different vendors.

Previously, there were about 23 vendors marking the Oxen installer as not clean; now, there are only 8.

This number goes up and down a bit, as sometimes anti-virus vendors change their database back and forth.

[Screenshot: Oxen wallet antivirus detection]

For the remaining 10 vendors marking Oxen as not clean:

For the child files like oxen.exe and oxen-wallet-rpc.exe, there is still more work to do to convince some vendors to update their database.

The last good news is that I have learned some useful experience in communicating with anti-virus vendors. Hopefully, we won't need that skill in the future, but it would be beneficial if we follow those guidelines in the future for Session releases and Lokinet releases, even if we are going to abandon Oxen. In case there is any unfortunate future false alarm for Session/Lokinet, feel free to subscribe me to a GitHub issue, and I'll be glad to volunteer to contact anti-virus vendors.
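Tracking which vendors still flag a release artifact, as the update above does by hand, is easier from the VirusTotal API v3 report for the file's hash. This added example (not code from the issue or the oxen-core project) parses the documented `last_analysis_results` structure, separates miner/cryptonote-style labels, which vendors above say they consider valid, from other verdicts, and lists the engines to contact; the report and engine names are constructed.

```python
"""Triage a VirusTotal v3 file report: which engines still flag a release
artifact, and which labels are likely to get pushback from the vendor."""
import json
from collections import Counter

# Constructed sample shaped like the `data.attributes` part of a VirusTotal
# API v3 /files/{sha256} response; engine names and labels are illustrative.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {
        "last_analysis_results": {
            "Avast":   {"category": "undetected", "result": None},
            "AVG":     {"category": "undetected", "result": None},
            "EngineA": {"category": "malicious", "result": "Trojan.CoinMiner.dr"},
            "EngineB": {"category": "malicious", "result": "PUP/CryptoNote.Miner"},
            "EngineC": {"category": "suspicious", "result": "Generic.Suspicious"},
            "EngineD": {"category": "type-unsupported", "result": None},
        }}}})

# Categories that count as "not clean"; the others are clean or not scanned.
FLAGGED = {"malicious", "suspicious"}
# Substrings that mark a miner/cryptonote-style verdict (vendors above state
# such detections are intentional, so a false-positive report may be refused).
MINER_HINTS = ("miner", "cryptonote", "randomx", "pup")


def flagged_engines(report_json):
    """Return {engine: label} for every engine whose verdict is not clean."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs["last_analysis_results"]
    return {name: (r.get("result") or r["category"])
            for name, r in results.items() if r["category"] in FLAGGED}


def classify(label):
    """Bucket a detection label as 'miner-tagged' or 'other'."""
    low = label.lower()
    return "miner-tagged" if any(h in low for h in MINER_HINTS) else "other"


def triage(report_json):
    """Summarise flagged engines by bucket and list every vendor to contact."""
    flagged = flagged_engines(report_json)
    counts = Counter(classify(lbl) for lbl in flagged.values())
    return {"flagged": flagged, "counts": dict(counts),
            "contact": sorted(flagged)}


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for engine, label in summary["flagged"].items():
        print(f"{engine:10} {classify(label):12} {label}")
    print("vendors to contact:", summary["contact"])
```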

KeeJef commented 9 months ago

Thanks for your work on this @venezuela01 🙏

venezuela01 commented 7 months ago

@KeeJef @jagerman

Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again once the next maintenance release is out.

KeeJef commented 7 months ago

> @KeeJef @jagerman
>
> Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again once the next maintenance release is out.

Yes, I believe we tried to remove some of this code from the wallets in a previous release? I think it's worth you having a look into, @venezuela01

venezuela01 commented 7 months ago

> @KeeJef @jagerman Are you open to removing PoW code from oxen-core in a future release? If we completely remove RandomX code, or use #ifdef to disable it for production builds while keeping it for debugging builds, then we will not have to worry about being marked as a virus in future releases. I see that the benefit is small, but if you're interested, I can submit patches. If you're not interested, that's okay with me as well. I can volunteer to contact the 20 antivirus vendors again once the next maintenance release is out.

> Yes, I believe we tried to remove some of this code from the wallets in a previous release? I think it's worth you having a look into, @venezuela01

I took a quick look at the code and can confirm that the RandomX code is still present in the current Oxen-core codebase. I believe this is necessary for the testnet/devnet when developers occasionally need to bootstrap the network from scratch again. (That's why I was considering disabling it only for release builds but keeping it for debug builds.)

I tried a quick hack to completely remove the RandomX library dependency from Oxen-core. However, several antivirus engines from https://www.virustotal.com/ still report flags such as miner or cryptonote. I tried to reverse-engineer their rules by scanning individual libraries rather than the whole binary executable but failed to identify a useful pattern. It seems they use a combination of rules to detect Cryptonote rather than relying on simple characteristics like linker symbols.

Conclusion: I no longer believe there is an easy way to automatically convince antivirus systems to remove the miner or cryptonote flags with minimal code changes in Oxen-core. I withdraw my original proposal. I think contacting them manually whenever there's a false alarm (like malware or virus) might be an easier approach. (And accept it if they insist on flagging with miner or cryptonote.)

(However, the clean guidelines for the installers suggested by antivirus vendors are still valid, which is a separate topic.)

KeeJef commented 7 months ago

Hmmmm okay, thanks for the info. Fortunately this should be less of a pressing concern in the future as the Session token migration occurs.