vrc-get / vrc-get

Fast Open Source command line (vrc-get) and graphical (ALCOM) client of VRChat Package Manager.
MIT License

ALCOM being recognized as some kind of malware #1091

Open inkuxuan opened 3 months ago

inkuxuan commented 3 months ago

EDIT: anatawa12

This issue is the tracking issue for false-positive malware detections.


Original Title: ALCOM being recognized as a Trojan by Windows Defender (Security Center)

Description of the bug / バグの説明

%UserProfile%\AppData\Local\ALCOM\ALCOM.exe is recognized as a Trojan of "Win32/Phonzy.B!ml"

https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FPhonzy.B!ml&threatid=2147772963

Steps to Reproduce / 再現手順

Updating ALCOM to version 0.1.7

Expected Behavior / 想定される挙動

Passes the anti-virus check.

Screenshots / スクリーンショット

No response

Software Version / バージョン情報

0.1.7

OS

Windows 11 21H2

Additional context / 補足

No response

Sayamame-beans commented 3 months ago

This is a serious known issue, but there seems to be no idea how to solve it for now. anatawa12 is considering code signing, but it's really tough... ( #843 )

anatawa12 commented 3 months ago

From #1092, the installer exe is detected as malware by NordVPN.

Sayamame-beans commented 3 months ago

I tested "ALCOM.exe" (same hash as "ALCOM-0.1.7-x86_64.exe") on VirusTotal. (4/72) https://www.virustotal.com/gui/file/3dc4abdd03a19fed68f454ee352cc2e0d6f6dc8d413a904623af02548d07522f

"ALCOM-0.1.4-x86_64.exe" (3/72) https://www.virustotal.com/gui/file/64883ae29629e23e4664a4b622afa9ed10b0df37d7040efbfb010a70b2268730

"ALCOM-0.1.3-x86_64.exe" (1/73) https://www.virustotal.com/gui/file/1c81b2c992b4ee62fa730983bd7fa9e89d4f3d3893c67b7202057a187dd2018e

"ALCOM-0.1.7-x86_64-setup.exe" (1/68) https://www.virustotal.com/gui/file/65423bbbd067ea2d15891583c3b9596b1e86d74af47842af2f3b4f63348ef037


"ALCOM-0.1.7-x86_64.exe" in Hybrid Analysis https://hybrid-analysis.com/sample/3dc4abdd03a19fed68f454ee352cc2e0d6f6dc8d413a904623af02548d07522f
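The per-version counts above (4/72, 3/72, ...) are what VirusTotal's v3 API exposes under last_analysis_results. As an added example that is not part of this thread or the vrc-get project, here is a small Python helper that summarizes which engines flag a build and how the set of flagging engines changes between two versions, which is the question this tracking issue keeps asking. The engine names and verdicts in the sample data are constructed, not copied from the real ALCOM reports.

```python
"""Summarize and diff VirusTotal v3 'last_analysis_results' across builds.

The sample reports below are CONSTRUCTED to match the API's JSON shape;
engine names and verdicts are illustrative only.
"""
from typing import Dict, Optional, Set, Tuple

DETECTED = {"malicious", "suspicious"}
# Categories where the engine did not actually give a verdict on the file.
NO_VERDICT = {"type-unsupported", "timeout", "failure", "confirmed-timeout"}


def report_request(sha256: str, api_key: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for fetching a file report from the v3 API (not called here)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}", {"x-apikey": api_key}


def flagged_engines(report: dict) -> Tuple[Set[str], int]:
    """Return (engines that flagged the file, number of engines that gave a verdict)."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {name for name, r in results.items() if r["category"] in DETECTED}
    scanned = sum(1 for r in results.values() if r["category"] not in NO_VERDICT)
    return flagged, scanned


def summary(report: dict) -> str:
    """'x/N' string in the style of the VirusTotal GUI (approximate denominator)."""
    flagged, scanned = flagged_engines(report)
    return f"{len(flagged)}/{scanned}"


def diff_versions(old: dict, new: dict) -> Dict[str, Set[str]]:
    """Which engines newly flag, stopped flagging, or keep flagging the newer build."""
    old_f, _ = flagged_engines(old)
    new_f, _ = flagged_engines(new)
    return {"new": new_f - old_f, "cleared": old_f - new_f, "persistent": old_f & new_f}


def _mk(verdicts: Dict[str, Tuple[str, Optional[str]]]) -> dict:
    """Build a minimal v3-shaped report from {engine: (category, result)} (constructed)."""
    results = {e: {"engine_name": e, "category": c, "result": r} for e, (c, r) in verdicts.items()}
    return {"data": {"attributes": {"last_analysis_results": results}}}


SAMPLE_OLD = _mk({"EngineA": ("malicious", "Trojan.Generic"), "EngineB": ("undetected", None),
                  "EngineC": ("suspicious", "ML.Heur"), "EngineD": ("type-unsupported", None)})
SAMPLE_NEW = _mk({"EngineA": ("malicious", "Trojan.Generic"), "EngineB": ("malicious", "Gen.X"),
                  "EngineC": ("undetected", None), "EngineD": ("type-unsupported", None)})

if __name__ == "__main__":
    print("old:", summary(SAMPLE_OLD), "new:", summary(SAMPLE_NEW))
    print(diff_versions(SAMPLE_OLD, SAMPLE_NEW))
```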

anatawa12 commented 3 months ago

It looks like the first problem is fixed in Microsoft Security Intelligence version 1.413.187.0?

ProffDea commented 3 months ago

I put a little research into pinpointing what in the code was causing the anti-virus to trip, specifically vendors such as Google and Ikarus on VirusTotal, but I wouldn't know a definitive solution to the issue as the code responsible for tripping the vendors is critical to the entire project. From my understanding, the origin comes from the project's vrc-get-vpm workspace, which is my guess that I have not been able to confirm.

However, I was able to confirm something weird is going on when playing around with the reqwest crate, since I was only able to go as far as the client builder to play around with the detection on VirusTotal. Google and Ikarus don't seem to like it when the client from reqwest is simply built, as commenting out one single line is enough to please the vendors' checks.

This still doesn't explain checks failing from vendors such as Trapmine and Bkav Pro, but I don't seem to have any luck with those vendors.

I've pushed commits to view an example of what part of the code is triggering the anti-virus vendors. Note that I commented out a lot of commands for the CLI to give myself more control over the environment. https://github.com/ProffDea/vrc-get/commit/776caf12b4d21f01b0e473e57ba358e612b84283 https://github.com/ProffDea/vrc-get/commit/c382a3c78fe4b61b62276f7c8cf5dc049ec856b2

This is the CLI without any changes. https://www.virustotal.com/gui/file/0e00a45ef5703fded269f803ca3491a4b5d80f577642900368cce8987621be3e?nocache=1

This is the CLI when commenting out the client variable at line 84 in vrc-get/src/commands.rs https://www.virustotal.com/gui/file/dd3da898bfd16d99c9bc4bfb0dca84a6aced8a9f54cb4a558a33fcab5a9d4f34?nocache=1

For the GUI, I did the same thing

This is the GUI without any changes https://www.virustotal.com/gui/file/63a2e4c4b5a09edf32d11a43971e963685c168708a822a84a2f03f592a3b2fa0

This is the GUI when commenting out line 460 at vrc-get-gui/src/commands.rs https://www.virustotal.com/gui/file/fb5bf31089c7ce1fb2a99c731b1ca771bd8a198f59a3ef235731b59e80d7a01c?nocache=1

I wouldn't know where to go from here, as tweaking any further requires a lot of work due to the entire project relying on this part of the code, but I hope it gives some insight into what is happening. Maybe when parts of the project are using the client?

EDIT: For the changes in the CLI, notice how I'm simply instantiating the client variable but I'm not actually using it/passing it to any functions. It's just an unused variable. Yet this still upsets Google and Ikarus, which indicates to me it's just reqwest or how the client is built with the builder function.

ProffDea commented 3 months ago

I had a thought and decided to do the following

cargo new testreqwest
cd testreqwest
cargo add reqwest

// src/main.rs
use reqwest::Client;

fn main() {
    // Build a reqwest client with a custom user agent and drop it immediately;
    // nothing is ever sent over the network.
    Client::builder()
        .user_agent(concat!("testreqwest/", env!("CARGO_PKG_VERSION")))
        .build()
        .unwrap();
}

cargo build --release

Just this alone triggered the anti-virus. See if there are any alternatives to changing out this piece of code in the project to make the vendors happy on VirusTotal. https://www.virustotal.com/gui/file/11f92fc8acd1c3e20f07d87f58f1a46dded16213aaaf2817da0708df7ff11820?nocache=1

EDIT: Just in case reqwest is having a lot of issues when it comes to this, if you're interested in an alternative, ureq could be something to look into (this is just a note to leave here for the future), but I understand replacing reqwest would take a lot of work in terms of migration. I also don't know if ureq would have the same VirusTotal issues of tripping vendor checks, so all in all it's a gamble.

anatawa12 commented 3 months ago

I have many projects that use reqwest, so I tried one of them, something-releaser v3.0.0, but no anti-virus reported a virus.

It uses a slightly older reqwest, so the version of reqwest might be related?

exe: https://github.com/anatawa12/something-releaser/blob/fe9889e5fa3f9d3088eacd45c5b8d938b25a26be/src/commands/send_discord.rs#L3 https://www.virustotal.com/gui/file/aadb2520501ff9a7fafc17a8798f590ef6fa4f38088ced89f2a7f7e5f10fd401?nocache=1

ProffDea commented 3 months ago

> It uses a slightly older reqwest, so the version of reqwest might be related?

That is a good point. I tried different versions of reqwest. The most recent version I was able to go to that didn't trip VirusTotal was v0.10.10, but that build was from January 6, 2021... really old. I tried using the most recent commit at https://github.com/seanmonstar/reqwest/commit/695bc0463726bb243e235f17c7f8833974835ec8, but VirusTotal still complained with the same results. v0.11.0 had the exact same complaints, so I assume the rest of the builds going forward will have the same problem.

anatawa12 commented 3 months ago

It's weird that the checked version of something-releaser is using reqwest 0.11.3 but yours does trigger anti-virus.

https://github.com/anatawa12/something-releaser/blob/441bf1b7e48dbb045e6f246a6994ec7cb2602ee6/Cargo.lock#L932-L933

Umm.... if reqwest is triggering anti-virus, it must mean a huge bug in the anti-virus pattern database, so I want to try contacting Google/Ikarus. I and some users of ALCOM reported the false positive to Microsoft, and it might help fix the false positive for ALCOM.

EDIT: I could not find any place to report false positives.

ProffDea commented 3 months ago

This made me curious to see the difference between v0.10.10 and v0.11.0 of reqwest's ClientBuilder, so I cloned reqwest and am playing around with it, but I doubt I'll turn up anything, and I also don't know about looking too deep into it.

Since we figured out it's a reqwest issue, all that's left, I suppose, is to figure out why the Trapmine and Bkav Pro checks are failing. I wouldn't know where to start for those. But at least the main issue of the app being detected as a trojan has been pinpointed to reqwest, and it's not this project's issue.

anatawa12 commented 3 months ago

To confirm that reqwest initialization is the root cause of the problem (your try removes the entire Environment initialization), I created an environment without a reqwest client (vrc-get-vpm has an offline mode), and it isn't detected by Google / Ikarus, so reqwest client initialization must be the root cause.

// Passing None for the HTTP client loads the Environment in vrc-get-vpm's
// offline mode, so no reqwest client is ever built.
async fn new_environment(io: &DefaultEnvironmentIo) -> io::Result<Environment> {
    Environment::load(None, io.clone()).await
}

https://www.virustotal.com/gui/file/8217be976acfea5f3cded1f999e336838cf26598f2dcf98dbaef92c893d79287?nocache=1

ProffDea commented 3 months ago

Yes, I believe it's https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get/src/main.rs#L51 that is used at https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get/src/commands.rs#L84, and finally this https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get-gui/src/commands.rs#L337 that are causing the problem. The mere existence of the variable client is the root cause. Which, like you said, would put ALCOM into offline mode.

anatawa12 commented 3 months ago

I could not find any place to report false positives to Google / Ikarus, so I could not report this false positive to them (sorry for the late response).

anatawa12 commented 2 months ago

0.1.8: https://www.virustotal.com/gui/file/da4bdae313e776e5ea858a14bc76091f6ab90615ba60a8e49c4cca9e31cb5917?nocache=1
0.1.8-setup: https://www.virustotal.com/gui/file/ad9b88bd7aa63d0dff66732544ebbb5b85da3b4d62059faa3e2a343b78fad045
0.1.9: https://www.virustotal.com/gui/file/597625d55c84b7493739baa9cff75c4fd1d9bd42a05e02f76b203bb04f8d76c1?nocache=1
0.1.9-setup: https://www.virustotal.com/gui/file/6cb0bcdfa69c952fe09b8278ebdeaf5d85fe88852be40a1fdbdef168eef07761?nocache=1

Sayamame-beans commented 2 months ago

0.1.7 was detected as Trojan:Win32/Phonzy.B!ml on Windows Defender. 0.1.8 and 0.1.9 are detected as Trojan:Win32/Bearfoos.A!ml on Windows Defender.

Spokeek commented 2 months ago

0.1.11 Windows Setup was detected as PDM.Win32.Generic.nblk on Kaspersky on launch (so related to behavior, not the file itself). VirusTotal analysis: https://www.virustotal.com/gui/file/aa8f50b3701369146f715f1d94e22078823a67be7f19890157ce93e3d052ea73/detection

Edit: Seems to only be related to the installer (and so to the auto updater).

Sayamame-beans commented 2 months ago

FYI, 0.1.10: https://www.virustotal.com/gui/file/8bbdcc210f411837846de62ca2aa4be805d1d1c786a711d51c291c9cbc6f5bf5?nocache=1 https://opentip.kaspersky.com/8BBDCC210F411837846DE62CA2AA4BE805D1D1C786A711D51C291C9CBC6F5BF5/results?tab=upload
0.1.10-setup: https://www.virustotal.com/gui/file/870f344a65363d552b84cd21cf2f660dcdf8b0c97b8b181d226589182cf4f8bd?nocache=1 https://opentip.kaspersky.com/870F344A65363D552B84CD21CF2F660DCDF8B0C97B8B181D226589182CF4F8BD/results?tab=upload

anatawa12 commented 2 months ago

0.1.11 Kaspersky: https://opentip.kaspersky.com/AFD35A760818BD63272F2086B135A7398F928C16B9ED1E46C8EDD0AFA974C2F2/results
0.1.11 installer Kaspersky: https://opentip.kaspersky.com/AA8F50B3701369146F715F1D94E22078823A67BE7F19890157CE93E3D052EA73/results

anatawa12 commented 2 months ago

The first time I uploaded to opentip, the 0.1.11 installer was detected as malware, but after the file was analyzed on opentip, the 0.1.11 installer false positive seems to have disappeared.

anatawa12 commented 1 month ago

ALCOM-0.1.12-x86_64.exe: https://opentip.kaspersky.com/F1657F3A04F947FC25CC5B5FC73B9EC3EECE459458BF4CF7A66E92ED52AC2983/results https://www.virustotal.com/gui/file-analysis/MjljZjYxNTE5NzJhZTYyMTljMDU1ZjYxMGRhOGE5YjU6MTcyMTg4ODU3Mg==
ALCOM-0.1.12-x86_64-setup.exe: https://opentip.kaspersky.com/11253D427DBA55DF8DE0B6BE24B9B6B39E82DB46752EB7CAEE26BB10060E630C/results https://www.virustotal.com/gui/file/11253d427dba55df8de0b6be24b9b6b39e82db46752eb7caee26bb10060e630c?nocache=1