rust-build / rust-build.action

Automate publishing Rust build artifacts for GitHub releases through GitHub Actions

Windows Defender detects Trojan in produced binary #89

Open jeroenpelgrims opened 4 months ago

jeroenpelgrims commented 4 months ago


This is only detected in the binary that was added to the release by this build action.
When I build the executable manually then no issue is detected. The binary produced by the action is also slightly larger than the one built locally. (I don't know if I used the same rust version though, that could have an effect)

In case you want to see the source for what I'm trying to build: https://github.com/jeroenpelgrims/ynab-belfius

I've since removed the offending release from Github.
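Since the report notes that the action-built binary is slightly larger than the local build, the first thing a defender would check is where the extra bytes live. Added example, not code from this issue or the rust-build project: a stdlib-only comparison of the PE section tables of two builds (for instance the local ynab-belfius.exe and the one uploaded by the workflow). The `fake_pe` helper and the section values it is fed are constructed for the demo and are not real binaries.

```python
import struct

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes total)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")


def pe_sections(data: bytes) -> dict:
    """Return {name: {virtual_size, raw_size, characteristics}} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    out = {}
    for i in range(num_sections):
        name, vsize, _, rsize, _, _, _, _, _, chars = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        out[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "virtual_size": vsize, "raw_size": rsize, "characteristics": chars}
    return out


def diff_sections(local: bytes, ci: bytes) -> list:
    """List sections that are added, removed or changed between two builds."""
    a, b = pe_sections(local), pe_sections(ci)
    lines = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            lines.append(f"{name}: only in CI build (raw {b[name]['raw_size']} bytes)")
        elif name not in b:
            lines.append(f"{name}: only in local build")
        elif a[name] != b[name]:
            lines.append(f"{name}: raw {a[name]['raw_size']} -> {b[name]['raw_size']}, "
                         f"chars {a[name]['characteristics']:#x} -> {b[name]['characteristics']:#x}")
    return lines


def fake_pe(sections) -> bytes:
    """Constructed demo input: a minimal PE header (no optional header) with the
    given (name, raw_size, characteristics) entries. Not a real executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    hdrs = b"".join(SECTION_HDR.pack(n.ljust(8, b"\0"), r, 0x1000, r, 0x400, 0, 0, 0, 0, c)
                    for n, r, c in sections)
    return dos + coff + hdrs
```

Run `diff_sections(open("local.exe","rb").read(), open("ci.exe","rb").read())` on two real builds; a new section or a grown `.text` points at a different linker or toolchain rather than injected content, which is what the cross-compilation findings below suggest.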

Douile commented 4 months ago

This is very alarming, would it be possible to link a virus total scan of the binary?

jeroenpelgrims commented 4 months ago

This is the report for the Windows binary: https://www.virustotal.com/gui/file/3f62f9add12714eac79cb46512ad39a355964868ffb2a53bc6eafe2f28bc8d7a?nocache=1
This is the report for the Linux binary (this one's clean): https://www.virustotal.com/gui/file/693f3f89837a2e360146b251d55ee782e80635d101cbc3d34121e66dbdb8dc6b?nocache=1

I've created a new release for this issue. The original files can be looked at here: https://github.com/jeroenpelgrims/ynab-belfius/releases

For extra info, my initial comment only mentions 1 detection, but Windows Defender showed me 2 threats in the same binary.

Also, this is the Virustotal result for a locally built release (clean, rustc v1.73.0): https://www.virustotal.com/gui/file-analysis/MTBkMmMwZDQ2NGE4NWJjM2M2ZjZlODUwMDE5YWJmM2I6MTcwNzM0MjkyOA==

Douile commented 4 months ago

After a lot of testing I have found that any Rust program cross-compiled on Alpine Linux and linked using mingw-w64 seems to get the same detection: https://www.virustotal.com/gui/file/25e247564dc98cb64f386c3b791108467dcd6a69f676fb9587f519c9c8eff197 (I'm not sure if they get detected by Windows Defender as I don't have Windows).

Compiling using cross-rs there is a different detection but the binary is still detected as malicious.

I believe that this is a false positive because the toolchain I used to replicate the detection would require one of the following to be compromised:

If you want to avoid any detections, this might be possible by using GitHub Actions' Windows runner (I haven't tested this):

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release
      - uses: diamondburned/action-upload-release@main
        with:
          files: target/release/my-program.exe

jeroenpelgrims commented 4 months ago

I had to split up the build and the add-to-release since diamondburned/action-upload-release doesn't seem to support running on Windows, the paths are messed up.

I build on Windows, and then add the binary to the release on a linux job.

on:
  release:
    types: [created]

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo build --release
      - uses: actions/upload-artifact@v4
        with:
          path: ./target/release
          if-no-files-found: error
          retention-days: 1
          overwrite: true

  add_to_release:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/download-artifact@v4
        with:
          path: .
      - uses: diamondburned/action-upload-release@main
        with:
          files: artifact/ynab-belfius.exe

But unfortunately... Same result. Both VirusTotal and Windows Defender seem to detect threats :(

https://www.virustotal.com/gui/file/9da5ec8b4cbc750d338e563fb5810148565d174d021ce7f9eb0b6acef43f425b?nocache=1


Thank you for the thorough analysis though.

Douile commented 4 months ago

Were there previous releases that were not detected?

jeroenpelgrims commented 4 months ago

No,

This is (one of) my first time(s):

I don't have any previous experience with building a release this way. The first detection was literally the first ever binary I managed to build through Github actions.

I'm also aware it might be something I'm doing wrong, but I can't really imagine what since building locally doesn't cause any issues.

lokkju commented 2 weeks ago

I'm having the same issue; did you discover anything further?

https://www.virustotal.com/gui/file/66d323f73314aeb211ab53aed19c658ca49e0152d7a6b548e44deb5f0b2fac44/behavior

jeroenpelgrims commented 2 weeks ago

Hi @lokkju, I haven't found out anything more, unfortunately. I only use Rust in a few hobby projects of mine.