volta-cli / volta

Volta: JS Toolchains as Code. ⚡
https://volta.sh

Trojan found via winget update #1867

Open Sjoo90 opened 2 months ago

Sjoo90 commented 2 months ago

This came up for me when I ran winget update --all for Volta.Volta

It's Swedish, but I think you can find out. [image]

Sjoo90 commented 2 months ago

[image]

charlespierce commented 2 months ago

Hi @Sjoo90, that's odd! The MSI was built by our CI job (like all of our other releases). Are there any more details about why that antivirus thinks it's a trojan?

jsejcksn commented 2 months ago

VirusTotal shows no detections of malicious behavior for that MSI artifact…

…but there is a note about potential false positive alerts that might be generated for the file:

⚠️ Matches rule _Windows_APIFunction from ruleset _Windows_APIFunction at https://github.com/InQuest/yara-rules-vt by InQuest Labs

This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted.

@Sjoo90 Does the SHA256 checksum match? (You can use the Get-FileHash PowerShell utility on Windows to generate checksums.) The expected hash is

61c49446a032c077695f922cefeddc96f546de2a5f4be043d8428ce44a1b90e8

Sjoo90 commented 2 months ago

[image]

After uninstalling and installing again via winget, I still get the trojan warning: [image]

charlespierce commented 2 months ago

Hi @Sjoo90 similar to @jsejcksn, I'm not seeing any issues with the installer. I cleared it out, installed from winget, then ran a full Windows Defender scan on my machine and found no vulnerabilities.

Given that the SHA matches the expected value (which I think is required by Winget anyway), my only hypothesis right now is that you're running into a false positive with the virus scan. If there are more details about what is found, that might help us understand why it's getting flagged as a false positive (though in my experience, virus scan programs are light on details to not give attackers more info than necessary on how to evade).

Edit: Another possibility - Could volta.exe be infected by something after the installation? Can you calculate the hash of the file on disk? I was able to get a SHA512 value using the following command:

certutil -hashfile 'C:\Program Files\Volta\volta.exe' SHA512

Which gave me the following hash on the file installed from Winget:

efc61525f634358f3cb4bacc1ef5b4f02d3985254038da61c5a86db74296583254a78bc9efb5bedd6246033551af3fcbe3f5196e95aea8c53a50f88d9bf70cb3

charlespierce commented 2 months ago

Alternatively, using Get-FileHash I get the SHA256 of volta.exe to be:

C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F
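The checks the thread walks through (MSI checksum, then the on-disk volta.exe hashes) can be scripted so the comparison is exact rather than eyeballed. This is an added example, not code from the Volta project or any commenter; the MSI path is an assumption (wherever you saved the installer), and the Authenticode line is informational since the thread does not say whether the release is signed.

```powershell
# Added example: verify the Volta artifacts against the hashes quoted in this issue.
$ErrorActionPreference = 'Stop'

# Values quoted in the thread.
$ExpectedMsiSha256 = '61c49446a032c077695f922cefeddc96f546de2a5f4be043d8428ce44a1b90e8'
$ExpectedExeSha256 = 'C6EB40664964ED96E29D6E24E5948448BCDCFA29EE742FBE7B928458B4C4BF5F'
$ExpectedExeSha512 = 'efc61525f634358f3cb4bacc1ef5b4f02d3985254038da61c5a86db74296583254a78bc9efb5bedd6246033551af3fcbe3f5196e95aea8c53a50f88d9bf70cb3'

$VoltaExe = 'C:\Program Files\Volta\volta.exe'          # path used in the thread
$VoltaMsi = "$env:USERPROFILE\Downloads\volta.msi"      # assumption: where you saved the MSI

function Test-ExpectedHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [ValidateSet('SHA256', 'SHA512')] [string] $Algorithm,
        [Parameter(Mandatory)] [string] $ExpectedHash
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm $Algorithm).Hash
    # Get-FileHash emits uppercase hex; the thread quotes both cases, so compare case-insensitively.
    $ok = $actual -ieq $ExpectedHash
    Write-Host ('{0,-4} {1} {2}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $Algorithm, $Path)
    if (-not $ok) { Write-Host "     expected $ExpectedHash`n     actual   $actual" }
    return $ok
}

$results = @(
    (Test-ExpectedHash -Path $VoltaMsi -Algorithm SHA256 -ExpectedHash $ExpectedMsiSha256),
    (Test-ExpectedHash -Path $VoltaExe -Algorithm SHA256 -ExpectedHash $ExpectedExeSha256),
    (Test-ExpectedHash -Path $VoltaExe -Algorithm SHA512 -ExpectedHash $ExpectedExeSha512)
)

# Signature status is reported for context only; the thread does not state that the binary is signed.
if (Test-Path -LiteralPath $VoltaExe) {
    $sig = Get-AuthenticodeSignature -FilePath $VoltaExe
    Write-Host ('Authenticode: {0} {1}' -f $sig.Status, $sig.SignerCertificate.Subject)
}

if ($results -contains $false) {
    Write-Host 'Mismatch: treat the file as suspect, do not run it, and keep it for analysis.'
    exit 1
}
Write-Host 'All hashes match the values quoted in the issue; note the detection name for a false-positive report to the AV vendor.'
```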