sparrowwallet / sparrow

Desktop Bitcoin Wallet focused on security and privacy. Free and open source.
https://sparrowwallet.com/
Apache License 2.0

1.8.4 flagged as malware #1310

Closed user7901 closed 7 months ago

user7901 commented 8 months ago

Sparrow 1.8.4. on Windows 11. When a wallet is opened, a ".tmp" file is created at "...\AppData\Roaming\Sparrow\hwi...". With the 1.8.3 and 1.8.4 versions Bitdefender flags that file as "Gen:Variant.Lazy.456623" (a trojan.lazy/infostealer). Uploading the file to virustotal.com gives 28 detections of that variant, so it is not only a Bitdefender false positive. I sent a pdf of those detections: sparrow.pdf

craigraw commented 8 months ago

It is (as you say) a false positive. Antivirus programs use heuristics (non-exact matching) to try to identify files, which means false positives happen. The file the AV is flagging is HWI, a well known program written by @achow101 (a Bitcoin Core maintainer) which recently had a new release, v2.4.0.

Note the HWI file the AV is flagging can be deterministically built from source, so we can be sure of what it does - the binary file matches exactly.

You can do two things - configure your antivirus to stop monitoring the ...\AppData\Roaming\Sparrow\hwi folder (which doesn’t change) and report this false positive to your AV vendor. With enough reports, hopefully we can get the AV algorithms to change.

Technical note:

If you wish to confirm that this is not a virus, here are the steps to do so:

  1. Download the windows specific .zip from https://github.com/bitcoin-core/HWI/releases/tag/2.4.0.
  2. Extract hwi.exe from the zip file and compare it against the .tmp file in ...\AppData\Roaming\Sparrow\hwi. You can use a tool like diff to ensure that it is an exact match, byte for byte.
  3. If you wish to go further, you can build hwi.exe yourself deterministically, so you can verify that the release binary is actually compiled from the source. There are instructions to do so here: https://hwi.readthedocs.io/en/latest/development/release-process.html#deterministic-builds-with-docker

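The byte-for-byte check in step 2, as an added POSIX shell example (not Sparrow or HWI code; on Windows it can be run from WSL or Git Bash): it compares the downloaded release hwi.exe with the file Sparrow extracted, prints both sizes and SHA-256 digests so they can be quoted in a false-positive report to the AV vendor, and names the first differing byte when the files are not identical. The two paths are arguments you supply; nothing here is a real path or hash from the project.

```shell
#!/bin/sh
# Added example: confirm that the .tmp file Sparrow extracted into its hwi folder
# is byte-for-byte identical to the hwi.exe from the official HWI release zip.
# Usage: verify_hwi_binary <release hwi.exe> <Sparrow hwi .tmp>   (paths are yours)
set -u

# Returns 0 when the two files are identical, 1 when they differ, 2 on usage error.
verify_hwi_binary() {
    release="$1"
    extracted="$2"
    if [ ! -f "$release" ] || [ ! -f "$extracted" ]; then
        echo "usage: verify_hwi_binary <release hwi.exe> <Sparrow hwi .tmp>" >&2
        return 2
    fi
    # Sizes first: a length mismatch already rules out an exact match.
    size_a=$(wc -c < "$release")
    size_b=$(wc -c < "$extracted")
    # Hash both files; the digests are what you paste into a report to the AV vendor.
    sha_a=$(sha256sum "$release" | cut -d' ' -f1)
    sha_b=$(sha256sum "$extracted" | cut -d' ' -f1)
    printf 'release:   %s bytes  sha256=%s\n' "$size_a" "$sha_a"
    printf 'extracted: %s bytes  sha256=%s\n' "$size_b" "$sha_b"
    # cmp exits 0 only on an exact byte-for-byte match; on a mismatch it reports the
    # first differing byte offset (or EOF on the shorter file), which tells you whether
    # the file was truncated, appended to, or altered in place.
    if cmp -s "$release" "$extracted"; then
        echo "MATCH: the flagged file is byte-for-byte identical to the release binary"
        return 0
    fi
    echo "MISMATCH: $(cmp "$release" "$extracted" 2>&1 | head -n 1)"
    return 1
}

# Run the check when invoked directly with two paths.
if [ "$#" -eq 2 ]; then
    verify_hwi_binary "$1" "$2"
fi
```
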
user7901 commented 8 months ago

Thanks, I made an exception in Bitdefender and will wait for new versions because I don't like to keep exceptions in place for a long time.

MarMan420 commented 8 months ago

Sparrow 1.8.4. on Windows 11. Same issue with McAfee, but there is no way to exclude the folder, as the AppData\Roaming\ folder is hidden so you can't exclude it. Also noted it only creates the file when connecting to Sparrow with a Trezor, not Ledger or Passport wallets.

craigraw commented 8 months ago

For McAfee users, you can also do the following:

  1. Copy the file McAfee is flagging (hwi2.4.0...tmp) to some other location.
  2. Exclude that file from McAfee scan
  3. Close Sparrow
  4. Open the file AppData\Roaming\Sparrow\config in Notepad
  5. Change the value of the "hwi" entry to point to the file McAfee is now excluding
  6. Save the config file and exit Notepad
  7. Restart Sparrow

MarMan420 commented 8 months ago

This is a great solution until I dump McAfee… Thank you Craig!


user7901 commented 8 months ago

(Sparrow 1.8.4., Windows 11) I started to put an exception in Bitdefender (for the folder containing the .tmp files); but today it flagged another 7 types of files, including sparrow.exe !!! Linux is not an alternative for my job, nor is putting in "n" permanent exceptions (including 1 system folder); creating a VM only for Sparrow linking to my BTC node could be a path, but I prefer the KISS approach. So I returned to 1.8.2. until this problem is solved; note: 1.8.3. also has problems with antivirus.

user7901 commented 7 months ago

1.8.5. solved the antivirus problems, thanks