vasilvestre / totk-mod-manager-for-switch-emulators

Zelda: Tears of the Kingdom Mod Manager is an open-source application, designed to assist players of Zelda: Tears of the Kingdom on the Yuzu emulator in managing mods for the game.
https://vasilvestre.github.io/totk-mod-manager-for-yuzu/
BSD 3-Clause "New" or "Revised" License

Suspicious behavior #53

Closed DonFlymoor closed 1 year ago

DonFlymoor commented 1 year ago

According to VirusTotal, the mod manager:

  1. Installs a raw input device (often for capturing keystrokes)
  2. Queries the volume information (name, serial number etc) of a device
  3. Reads software policies
  4. Sample has functionality to log and monitor keystrokes
  5. Looks at way too much of the registry

This must be fixed, as it looks exactly like a virus would and could potentially be used for malicious purposes.

vasilvestre commented 1 year ago

Thanks for the analysis, I will check the vendor that's supposed to be dangerous.

vasilvestre commented 1 year ago

So I checked forums and did a few scans... it seems to be a false positive. I will try to implement a security scan, but having 1 detection across all scans is often seen as a false positive.

https://www.hybrid-analysis.com/sample/17b1355f1c1574ae73fc0b2c2c80bd1c58af0a93903bab5a78738e776f8637ec

The old version of the app seemed more dangerous, today it's a 2% probability. None of the behaviors are intentional, I try to audit Tauri/rust packages and will see how it goes.

What matters in your scan is this: 1 security vendor and no sandboxes flagged this file as malicious.

Apparently, new malware can have a score of 0, so I will add a note to the readme, but know that security scans are already running.
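The triage rule used in the two comments above (one vendor hit with no sandbox verdict is usually a false positive, while a score of 0 is not proof of a clean file) can be written down as a small script. The following is an added example, not code from this project or from VirusTotal: it parses a report shaped like the public VirusTotal v3 `/files/{sha256}` object (`last_analysis_stats`, `last_analysis_results`, `sandbox_verdicts`), which is an assumption about the API; the engine names, detection names and thresholds are constructed for illustration, and only the SHA-256 comes from the links in this thread.

```python
"""Triage a VirusTotal-style file report: how many engines flagged it, whether
those detections look heuristic/generic, and whether any sandbox called it
malicious. Added example; the report shape is assumed from the VT v3 API."""
import json
import re
from dataclasses import dataclass

# Detection names that usually mean "heuristic/ML guess" rather than a known
# family signature. Rough token list, an assumption for illustration.
HEURISTIC_TOKENS = re.compile(r"heur|generic|\bml\b|\bai\b|susp", re.IGNORECASE)


@dataclass
class Triage:
    sha256: str
    engines_total: int          # engines that returned any verdict
    flagged: list               # (engine, detection name) for malicious/suspicious
    heuristic_like: int         # how many flagged names look generic/heuristic
    sandbox_malicious: list     # sandboxes whose category is "malicious"
    verdict: str


def make_report(sha256, results, sandbox_verdicts=None):
    """Build a JSON string shaped like a VT v3 file object (constructed, for tests)."""
    stats = {"malicious": 0, "suspicious": 0, "undetected": 0, "harmless": 0, "timeout": 0}
    for r in results.values():
        stats[r["category"]] = stats.get(r["category"], 0) + 1
    return json.dumps({"data": {"type": "file", "id": sha256, "attributes": {
        "last_analysis_stats": stats,
        "last_analysis_results": results,
        "sandbox_verdicts": sandbox_verdicts or {},
    }}})


def triage(report_json, fp_threshold=1):
    """Apply the thread's rule of thumb. Thresholds are an assumption:
    <= fp_threshold heuristic-looking hits and no sandbox verdict -> likely false
    positive; 5+ engines, or a sandbox verdict plus any engine -> likely malicious;
    zero hits -> 'no-detections', which is not the same as 'clean'."""
    data = json.loads(report_json)["data"]
    attrs = data["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = [(name, r.get("result") or "") for name, r in results.items()
               if r.get("category") in ("malicious", "suspicious")]
    heuristic_like = sum(1 for _, res in flagged if HEURISTIC_TOKENS.search(res))
    sandbox_bad = [name for name, v in attrs.get("sandbox_verdicts", {}).items()
                   if v.get("category") == "malicious"]

    if len(flagged) >= 5 or (sandbox_bad and flagged):
        verdict = "likely-malicious"
    elif sandbox_bad:
        verdict = "needs-review"
    elif not flagged:
        verdict = "no-detections"  # fresh malware can score 0, so this is "unknown"
    elif len(flagged) <= fp_threshold and heuristic_like == len(flagged):
        verdict = "likely-false-positive"
    else:
        verdict = "needs-review"

    return Triage(data["id"], len(results), flagged, heuristic_like, sandbox_bad, verdict)


# Constructed sample: one generic heuristic hit out of three engines, one sandbox
# that saw nothing. Engine and sandbox names are invented; the hash is the one
# linked in the thread.
SAMPLE_REPORT = make_report(
    "17b1355f1c1574ae73fc0b2c2c80bd1c58af0a93903bab5a78738e776f8637ec",
    {
        "ExampleAV": {"category": "malicious", "result": "Trojan.Generic.Heur"},
        "OtherAV": {"category": "undetected", "result": None},
        "ThirdAV": {"category": "undetected", "result": None},
    },
    {"ExampleSandbox": {"category": "harmless", "sandbox_name": "ExampleSandbox"}},
)

if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t.sha256[:12]}... engines={t.engines_total} flagged={t.flagged} "
          f"sandbox_malicious={t.sandbox_malicious} -> {t.verdict}")
```

The point of the separate `no-detections` verdict is the one made in the comment above: a zero score means nobody has a signature yet, so a release pipeline should treat it as "unknown" and keep re-scanning, not as a clean bill of health.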

vasilvestre commented 1 year ago

https://github.com/vasilvestre/totk-mod-manager-for-switch-emulators/commit/4ee83ee46a9295a1f59ddbe98f616ac99041fe4d

https://github.com/crazy-max/ghaction-virustotal

Virus scan is now executed at release; a report link will be added. I wish total transparency for this project, so feel free to reopen if this still seems an issue to you.

vasilvestre commented 1 year ago

According to VirusTotal, the mod manager:

  1. Installs a raw input device (often for capturing keystrokes)
  2. Queries the volume information (name, serial number etc) of a device
  3. Reads software policies
  4. Sample has functionality to log and monitor keystrokes
  5. Looks at way too much of the registry

This must be fixed, as it looks exactly like a virus would and could potentially be used for malicious purposes.

More info from tauri staff.

Installs a raw input device (often for capturing keystrokes)

Hmm, maybe they mean winit/tao that indeed listens for all os events including keyboard events? 🤔 I doubt that the scans know about the stuff the webview does which ig does do something similar but only when the window is focused.

Sample has functionality to log and monitor keystrokes

Sounds like the same thing as the first one to me.

Reads software policies

Looks at way too much of the registry

These ones are weird, I don't think we do that in the exe itself, only in the installer to check for webview2 installations. Actually, we only check the registry, no idea what they mean with software policies.

Queries the volume information (name, serial number etc) of a device

This one I'm not sure about, can't remember seeing us do that though.