skeeto / w64devkit

Portable C and C++ Development Kit for x64 (and x86) Windows
The Unlicense
2.7k stars, 185 forks

Antivirus marks w64devkit-1.17.0.zip and w64devkit-mini-1.17.0.zip as threat. #39

Open fbaldassarri opened 1 year ago

fbaldassarri commented 1 year ago

Bitdefender marks w64devkit-1.17.0.zip and w64devkit-mini-1.17.0.zip as threats, saying: w64devkit-(mini-)1.17.0.zip tried to load a malicious resource detected as Gen:Variant.Ransom.Hive.9 and was blocked. Suspicious activity blocked.

Feature: Antivirus

Blocking the downloads of the files themselves through browsers.

I don't know if it happens also with other antivirus or smart screens.

Peter0x44 commented 1 year ago

Well, I think you will have to figure out on your end how to mark the specific zip or directory you extract it to as safe with your antivirus. There is nothing that can be done on the other end, short of paying some $$$ for a signing certificate. Really, in my view, the antivirus is really just a protection racket scheme to sell signing certificates.

fbaldassarri commented 1 year ago

> Well, I think you will have to figure out on your end how to mark the specific zip or directory you extract it to as safe with your antivirus. There is nothing that can be done on the other end, short of paying some $$$ for a signing certificate. Really, in my view, the antivirus is really just a protection racket scheme to sell signing certificates.

Don't want to discuss opinions about antiviruses in general (I am forced to have one by my company), but... Aren't you curious to know the reason why the C++ version has been marked with Gen:Variant.Ransom.Hive.9 malware, trying to resolve the issue?

Peter0x44 commented 1 year ago

Not really, because that message is to me totally meaningless...

Some of my w64devkit-compiled programs got deleted by Windows Defender with equally informative messages:

[image: screenshot of the Windows Defender notification, not reproduced here]

I am pretty sure no meaningful action can be taken here, but that isn't my call to make.

Obviously these sorts of error messages are deliberately written in the most scaremongering way possible, I don't think there is any useful info there at all. If the antivirus developers wanted to do that, they would write something actually meaningful to a human.

skeeto commented 1 year ago

No antivirus at VirusTotal has a finding in 1.17.0, with 79 explicitly saying "clean," including BitDefender:

https://www.virustotal.com/gui/url/4901d7d4b290df4595f7d24afbb680754d9c13557654f2153fa0b8d8810373fb
https://www.virustotal.com/gui/url/f999c8b2e5d2dfe8b7da498844b292a56f5f0cec3af08c9a55a1b6b328596a5c

The 32-bit version is equally clean:

https://www.virustotal.com/gui/url/c988344c60d7e367c2938bd5362f8a061ec48b9dd58f6b3bdea0fa25109bd0c5

False positives do happen, and as far as I know, my only available option is to digitally sign (via osslsigncode) each of the 229 binaries in the release. Even this wouldn't fully prevent false positives, merely reduce the likelihood. I assure you my zips here are clean. They are built and signed (via passphrase2pgp) on a dedicated Raspi4. (Though of course it's trivial to build for yourself, and if you review the ~600 lines in this repository you don't have to trust me at all!)

Windows and antivirus care about origin, and so it makes a difference whether you download executables from the internet (worst case), network share with an IP host (highly suspicious), network share with a named host (mildly suspicious), thumb drive, or even optical drive (highly trusted). I test in a VM snapshot of a fresh install, and I bring builds in using a virtual optical drive mounting an ISO (genisoimage) in part because it goes more smoothly than a suspicious network transfer.

Sometimes you can "launder" untrusted executables by processing them with a program opaque to Windows. For example, extracting w64devkit.zip using the built-in Windows .zip feature (besides being glacially slow) will leave taint, but processing it with w64devkit's zip.exe makes it appear as though the zip program is the source of those executables.

The same goes for downloading. Windows knows about browsers and recognizes internet downloads whether or not you use Edge. Also, as you saw, browsers have their own built-in antivirus. You'll have better luck if you download outside of a browser, such as by using w64devkit's "wget" command or even the Windows "curl" command.

Finally, if you're the audience for w64devkit, then you're not the sort of user who benefits from antivirus. It's at best a nuisance and at worst a liability that reduces your security. If the option exists, your situation improves by disabling it as much as possible. However, obvious advice is obvious and I assume you've already considered it!
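A way to check whether the origin tag skeeto describes survived extraction: Windows stores a download's origin in the NTFS Zone.Identifier alternate data stream (the Mark of the Web), and the script below, an added example that is not w64devkit's own code, lists tagged files under a directory with their security zone and recorded origin. The sample stream body and the example.invalid URL are constructed; reading real streams only works when run on Windows/NTFS.

```python
"""Audit Mark-of-the-Web tags (the NTFS Zone.Identifier stream) under a directory.
Windows records a download's origin in that stream and SmartScreen/antivirus weigh it
when judging an executable; this lists which extracted files still carry the tag."""
import os

# Security zone numbers as Windows defines them (3 = downloaded from the internet).
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed sample stream body; the HostUrl is a placeholder, not a real download URL.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://github.com/skeeto/w64devkit/releases\r\n"
                 "HostUrl=https://example.invalid/w64devkit-1.17.0.zip\r\n")

def parse_zone_identifier(text):
    """Parse the INI-style body, keeping only keys in the [ZoneTransfer] section."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def describe(fields):
    """Map parsed fields to (zone name, origin URL or None); a bad ZoneId reads as Unknown."""
    try:
        zone = int(fields.get("ZoneId", ""))
    except ValueError:
        zone = -1
    return ZONE_NAMES.get(zone, "Unknown"), fields.get("HostUrl") or fields.get("ReferrerUrl")

def read_zone_identifier(path):
    """Return the stream body, or None if the file has no tag; 'file:Zone.Identifier'
    addresses the alternate data stream, which only exists on NTFS under Windows."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def audit(root):
    """Yield (path, zone, origin) for every tagged file below root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            body = read_zone_identifier(path)
            if body is not None:
                yield (path,) + describe(parse_zone_identifier(body))
```

Run `for row in audit(r"C:\path\to\w64devkit"): print(row)` after extracting with Explorer and again after extracting with w64devkit's zip.exe to see the difference in tagging skeeto describes.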

fbaldassarri commented 1 year ago

Thanks for the deep analysis @skeeto! I just wanted to highlight the possible issue for the non-pro users (and I was honestly a little curious on what caused the wrong detection).

Fun fact: Edge Chromium on Mac OS Ventura with Bitdefender Total Security installed (threats database up to date), and no threats detected on 1.70.0 releases. ;)