Open h3rb opened 9 months ago
Sadly we don't know why - all we can do is mention on the release page. We got the program cleared on Windows Defender, maybe we could submit to Google too..
Pulled the redirected url https://objects.githubusercontent.com/github-production-release-asset-2e65be/205895782/1a8e3ee4-2218-427d-b235-deaa61abf9c4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240716%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240716T215932Z&X-Amz-Expires=300&X-Amz-Signature=79248cb4e4bb719e6313ccfb1d063b71eba938f008ac8e194afbce0eeb585329&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=205895782&response-content-disposition=attachment%3B%20filename%3DBrogueCE-1.13-windows-x86_64.zip&response-content-type=application%2Foctet-stream
from the release download for windows and ran it through an online malicious file scanner. https://www.virustotal.com/gui/url/c3913d84dc09e073544cd86726bc620756f30f28502298c0f312961a62c1ec08?nocache=1
The file is being flagged by both Antiy-AVL and URLQuery. One as malicious and the other as Suspicious. As for why, it does not give the details.
Carbon Black Cloud also blocks the exe. "Barys is suspected malware and was blocked"
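To put the scan result above into numbers rather than eyeballing the VirusTotal page, here is a small triage script I wrote for this thread (not part of BrogueCE or its build). It assumes the shape of a VirusTotal v3 file report (`data.attributes.last_analysis_results`, one entry per engine with a `category`); the embedded report is constructed, with the two engines named in the thread flagging the file and the rest clean.

```python
import json
from collections import Counter

# Constructed sample in the shape of a VirusTotal v3 file report (assumption:
# data.attributes.last_analysis_results maps engine name -> {category, result}).
# Two engines flag the file, 28 report nothing, one cannot scan the file type.
_results = {
    "Antiy-AVL": {"category": "malicious", "result": "constructed-generic-hit"},
    "URLQuery": {"category": "suspicious", "result": "constructed-heuristic-hit"},
    "UnsupportedScanner": {"category": "type-unsupported", "result": None},
}
for i in range(28):
    _results[f"ExampleAV-{i:02d}"] = {"category": "undetected", "result": None}
SAMPLE_REPORT = json.dumps({"data": {"attributes": {"last_analysis_results": _results}}})

VERDICT_CATEGORIES = ("malicious", "suspicious")
# Only engines that actually produced a verdict count towards the denominator.
SCAN_CATEGORIES = VERDICT_CATEGORIES + ("undetected", "harmless")


def summarize(report_json: str) -> dict:
    """Count engines per category and list the ones that flagged the file."""
    results = json.loads(report_json)["data"]["attributes"]["last_analysis_results"]
    categories = Counter(r["category"] for r in results.values())
    flagged = sorted(
        (name, r["category"], r.get("result"))
        for name, r in results.items()
        if r["category"] in VERDICT_CATEGORIES
    )
    scanned = sum(categories[c] for c in SCAN_CATEGORIES)
    return {
        "categories": dict(categories),
        "flagged": flagged,
        "scanned": scanned,
        "ratio": len(flagged) / scanned if scanned else 0.0,
    }


def likely_false_positive(summary: dict, max_ratio: float = 0.1, min_engines: int = 10) -> bool:
    """Heuristic only: a handful of hits among many engines. It is a reason to
    investigate the build, not a reason to tell users to ignore the warning."""
    return summary["scanned"] >= min_engines and 0 < summary["ratio"] <= max_ratio


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
```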
Maybe the source code is clean but the build tools used to make the official release are not and introduce malicious byte code? As a test, has it been built on a new Windows PC with freshly installed build tools?
The build uses GitHub Actions, so we're assuming that environment is virus free and secure. I suspect that the changes made to support multiple variants is the cause of the false detection. The variant code manipulates pointers which perhaps is a pattern also used by some malware. My knowledge in this domain is very limited.
Someone could speculatively try a different optimization setting sent to mingw32-make SYSTEM=WINDOWS BrogueCE-windows in the build.yml
Perhaps -O3 or -O2.
I saw a stack overflow answer that suggested that solved their issue. It makes sense, it might rearrange the bytes enough that whatever heuristic the virus checker is using doesn't trigger.
Ah, thanks for looking into it - we already build with -O2, though I suppose it's worth a try to change it to 1 or 3.
Interestingly, the poster of that SO thread resolved the problem by using a different mingw (presumably mingw-w64 instead of the original one?) I have no idea which we use - I think the one pre-installed on the Actions runners, which might be the old one, so maybe I should finally get around to updating the build to use MSYS2 with latest mingw-w64...
These are the options: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html
You could try -Oz or -Os
Presumably it's being flagged either because of a false positive in the data matching a pattern, or it trying to use instructions deemed unsafe.