tmewett / BrogueCE

Brogue: Community Edition - a community-led fork of the much-loved minimalist roguelike game
https://sites.google.com/site/broguegame/
GNU Affero General Public License v3.0

Windows versions since 1.13 are falsely flagged as a virus #648

Open h3rb opened 9 months ago

h3rb commented 9 months ago


tmewett commented 8 months ago

Sadly we don't know why - all we can do is mention on the release page. We got the program cleared on Windows Defender, maybe we could submit to Google too..

nmistry commented 2 months ago

Pulled the redirected URL https://objects.githubusercontent.com/github-production-release-asset-2e65be/205895782/1a8e3ee4-2218-427d-b235-deaa61abf9c4?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240716%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240716T215932Z&X-Amz-Expires=300&X-Amz-Signature=79248cb4e4bb719e6313ccfb1d063b71eba938f008ac8e194afbce0eeb585329&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=205895782&response-content-disposition=attachment%3B%20filename%3DBrogueCE-1.13-windows-x86_64.zip&response-content-type=application%2Foctet-stream from the release download for Windows and ran it through an online malicious file scanner: https://www.virustotal.com/gui/url/c3913d84dc09e073544cd86726bc620756f30f28502298c0f312961a62c1ec08?nocache=1

The file is being flagged by both Antiy-AVL and URLQuery, one as malicious and the other as suspicious. As for why, it does not give the details.


paulevans commented 2 months ago

Carbon Black Cloud also blocks the exe. "Barys is suspected malware and was blocked"

Tristan107 commented 2 weeks ago

Maybe the source code is clean but the build tools used to make the official release are not and introduce malicious byte code? As a test, has it been built on a new Windows PC with freshly installed build tools?

zenzombie commented 2 weeks ago

> Maybe the source code is clean but the build tools used to make the official release are not and introduce malicious byte code? As a test, has it been built on a new Windows PC with freshly installed build tools?

The build uses GitHub Actions, so we're assuming that environment is virus free and secure. I suspect that the changes made to support multiple variants are the cause of the false detection. The variant code manipulates pointers, which perhaps is a pattern also used by some malware. My knowledge in this domain is very limited.

paulevans commented 2 weeks ago

Someone could speculatively try a different optimization setting sent to mingw32-make SYSTEM=WINDOWS BrogueCE-windows in the build.yml.

Perhaps -O3 or -O2.

I saw a Stack Overflow answer that suggested that solved their issue. It makes sense: it might rearrange the bytes enough that whatever heuristic the virus checker is using doesn't trigger.

tmewett commented 1 week ago

Ah, thanks for looking into it - we already build with -O2, though I suppose it's worth a try to change it to -O1 or -O3.

Interestingly, the poster of that SO thread resolved the problem by using a different mingw (presumably mingw-w64 instead of the original one?). I have no idea which we use - I think the one pre-installed on the Actions runners, which might be the old one, so maybe I should finally get around to updating the build to use MSYS2 with latest mingw-w64...
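For reference, this is an added sketch (not the project's own build.yml) of a GitHub Actions job that builds the Windows release inside MSYS2 with a current mingw-w64 toolchain, as considered above. It assumes the make invocation quoted in this thread; the output path and the action versions are assumptions to adjust, and the toolchain version and SHA-256 are recorded so a user can tell a CI artifact apart from a tampered one.

```yaml
# Added example, not the project's own workflow. Assumes the build command
# quoted in this thread; the binary path "bin/brogue.exe" is a placeholder.
name: windows-msys2
on: [push, workflow_dispatch]
jobs:
  build-windows:
    runs-on: windows-latest
    defaults:
      run:
        shell: msys2 {0}   # run every step inside the MSYS2 shell set up below
    steps:
      - uses: actions/checkout@v4
      - uses: msys2/setup-msys2@v2
        with:
          msystem: MINGW64
          update: true      # fetch current packages instead of the runner's preinstalled GCC
          install: >-
            mingw-w64-x86_64-gcc
            mingw-w64-x86_64-make
      - name: Record the toolchain that produced this artifact
        run: gcc --version && mingw32-make --version
      - name: Build
        run: mingw32-make SYSTEM=WINDOWS BrogueCE-windows
      - name: Hash the binary so the release notes can publish a checksum
        run: sha256sum bin/brogue.exe   # placeholder path
      - uses: actions/upload-artifact@v4
        with:
          name: brogue-windows
          path: bin/brogue.exe          # placeholder path
```

Publishing the recorded compiler version and checksum alongside the release lets a user who gets an AV alert check that the file they downloaded is byte-identical to what CI produced before deciding the alert is a false positive.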

h3rb commented 1 week ago

These are the options: https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html

You could try -Oz or -Os.

Presumably it's being flagged either because of a false positive in the data matching a pattern, or because it is trying to use instructions deemed unsafe.