Open inkuxuan opened 3 months ago
This is a serious known issue, but there seems to be no idea how to solve it for now. anatawa12 is considering code signing, but it's really tough... ( #843 )
From #1092: the installer exe is detected as malware by NordVPN.
I tested "ALCOM.exe" (same hash as "ALCOM-0.1.7-x86_64.exe") in virustotal. (4/72) https://www.virustotal.com/gui/file/3dc4abdd03a19fed68f454ee352cc2e0d6f6dc8d413a904623af02548d07522f
"ALCOM-0.1.4-x86_64.exe" (3/72) https://www.virustotal.com/gui/file/64883ae29629e23e4664a4b622afa9ed10b0df37d7040efbfb010a70b2268730
"ALCOM-0.1.3-x86_64.exe" (1/73) https://www.virustotal.com/gui/file/1c81b2c992b4ee62fa730983bd7fa9e89d4f3d3893c67b7202057a187dd2018e
"ALCOM-0.1.7-x86_64-setup.exe" (1/68) https://www.virustotal.com/gui/file/65423bbbd067ea2d15891583c3b9596b1e86d74af47842af2f3b4f63348ef037
"ALCOM-0.1.7-x86_64.exe" in Hybrid Analysis https://hybrid-analysis.com/sample/3dc4abdd03a19fed68f454ee352cc2e0d6f6dc8d413a904623af02548d07522f
It looks like the first problem is fixed in Microsoft Security Intelligence version 1.413.187.0?
I put a little research into pinpointing where in the code was causing the anti-virus vendors to trip, specifically vendors such as Google and Ikarus on VirusTotal, but I wouldn't know a definitive solution to the issue, as the code responsible for tripping the vendors is critical to the entire project. From my understanding, the origin comes from the project's vrc-get-vpm workspace, which is my guess, though I have not been able to confirm it.
However, I was able to confirm something weird is going on when playing around with the reqwest crate, since I was only able to go as far as the client builder to play around with the detection in VirusTotal. Google and Ikarus don't seem to like it when the client from reqwest is simply built, as commenting out one single line is enough to please the vendors' checks.
This still doesn't explain checks failing from vendors such as Trapmine and Bkav Pro, but I haven't seemed to have any luck with those vendors.
I've pushed commits to view an example of what part of the code is triggering the anti-virus vendors. Note that I commented out a lot of commands for the CLI to give myself more control over the environment. https://github.com/ProffDea/vrc-get/commit/776caf12b4d21f01b0e473e57ba358e612b84283 https://github.com/ProffDea/vrc-get/commit/c382a3c78fe4b61b62276f7c8cf5dc049ec856b2
This is the CLI without any changes. https://www.virustotal.com/gui/file/0e00a45ef5703fded269f803ca3491a4b5d80f577642900368cce8987621be3e?nocache=1
This is the CLI when commenting out the client variable at line 84 in vrc-get/src/commands.rs https://www.virustotal.com/gui/file/dd3da898bfd16d99c9bc4bfb0dca84a6aced8a9f54cb4a558a33fcab5a9d4f34?nocache=1
For the GUI, I did the same thing.
This is the GUI without any changes https://www.virustotal.com/gui/file/63a2e4c4b5a09edf32d11a43971e963685c168708a822a84a2f03f592a3b2fa0
This is the GUI when commenting out line 460 at vrc-get-gui/src/commands.rs https://www.virustotal.com/gui/file/fb5bf31089c7ce1fb2a99c731b1ca771bd8a198f59a3ef235731b59e80d7a01c?nocache=1
I wouldn't know where to go from here, as tweaking any further requires a lot of work due to the entire project relying on this part of the code, but I hope it gives some insight into what is happening. Maybe when parts of the project are using the client?
EDIT: For the changes in the CLI, notice how I'm simply instantiating the client variable but I'm not actually using it/passing it to any functions. It's just an unused variable. Yet this still upsets Google and Ikarus, which indicates to me it's just reqwest or how the client is built with the builder function.
I had a thought and decided to do the following:

```sh
cargo new testreqwest
cargo add reqwest
```

```rust
use reqwest::Client;

fn main() {
    // Build a client and immediately drop it; it is never used for a request.
    Client::builder()
        .user_agent(concat!("testreqwest/", env!("CARGO_PKG_VERSION")))
        .build()
        .unwrap();
}
```

```sh
cargo build --release
```
Just this alone triggered the anti-virus. See if there are any alternatives to changing out this piece of the code in the project to make the vendors happy on VirusTotal. https://www.virustotal.com/gui/file/11f92fc8acd1c3e20f07d87f58f1a46dded16213aaaf2817da0708df7ff11820?nocache=1
EDIT: Just in case reqwest is having a lot of issues when it comes to this, if you're interested in an alternative, ureq could be something to be looked into (this is just a note to be left here for the future, just in case), but I understand replacing reqwest would take a lot of work in terms of migration. I also don't know if ureq would have the same VirusTotal issues of tripping vendor checks, so all-in-all it's a gamble.
I have many projects that use reqwest, so I tried one of them, something-releaser v3.0.0, but no anti-virus reported a virus.
It uses a slightly older reqwest, so the version of reqwest might be related?
exe: https://github.com/anatawa12/something-releaser/blob/fe9889e5fa3f9d3088eacd45c5b8d938b25a26be/src/commands/send_discord.rs#L3 https://www.virustotal.com/gui/file/aadb2520501ff9a7fafc17a8798f590ef6fa4f38088ced89f2a7f7e5f10fd401?nocache=1
It uses a slightly older reqwest, so the version of reqwest might be related?
That is a good point. I tried different versions of reqwest. The most recent version I was able to go to that didn't trip VirusTotal was v0.10.10, but that build was from January 6, 2021... really old. I tried using the most recent commit at https://github.com/seanmonstar/reqwest/commit/695bc0463726bb243e235f17c7f8833974835ec8, but VirusTotal still complained with the same results. v0.11.0 had the same exact complaints, so I assume the rest of the builds going forward will have the same problem.
It's weird that the checked version of something-releaser is using reqwest 0.11.3, but yours does trigger anti-virus.
Umm.... if reqwest is triggering anti-virus, it must mean a huge bug in the anti-virus pattern database, so I want to try contacting Google/Ikarus. I and some users of ALCOM reported the false positive to Microsoft, and it might support fixing the false positive for ALCOM.
EDIT: I could not find any place to report false positives.
This made me curious to see the difference between v0.10.10 and v0.11.0 of reqwest in the ClientBuilder, so I cloned reqwest and am playing around with it, but I doubt I'll turn up anything, and I also don't know about looking too deep into it.
Since we figured out it's a reqwest issue, all that's left, I suppose, is to figure out why the Trapmine and Bkav Pro checks are failing. I wouldn't know where to start for these ones. But at least the main issue of the app being detected as a trojan has been pinpointed to reqwest, and it's not this project's issue.
To confirm reqwest initialization is the root cause of the problem (your try removes the entire Environment initialization), I created an environment without a reqwest client (vrc-get-vpm has offline mode) and it isn't detected by Google / Ikarus, so reqwest client initialization must be the root cause.
```rust
// Environment constructed with no reqwest client, i.e. vrc-get-vpm's offline mode.
async fn new_environment(io: &DefaultEnvironmentIo) -> io::Result<Environment> {
    Environment::load(None, io.clone()).await
}
```
Yes, I believe it's https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get/src/main.rs#L51 that is used at https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get/src/commands.rs#L84, and finally this https://github.com/vrc-get/vrc-get/blob/5ece1a26cd7481ffff1700e5c4a42a286c3f7812/vrc-get-gui/src/commands.rs#L337 that are causing the problem. The mere existence of the variable client is the root cause. Which, like you said, would put ALCOM into offline mode.
I could not find any place to report false positives to Google / Ikarus, so I could not report this false positive to them (sorry for the late response).
0.1.8: https://www.virustotal.com/gui/file/da4bdae313e776e5ea858a14bc76091f6ab90615ba60a8e49c4cca9e31cb5917?nocache=1
0.1.8-setup: https://www.virustotal.com/gui/file/ad9b88bd7aa63d0dff66732544ebbb5b85da3b4d62059faa3e2a343b78fad045
0.1.9: https://www.virustotal.com/gui/file/597625d55c84b7493739baa9cff75c4fd1d9bd42a05e02f76b203bb04f8d76c1?nocache=1
0.1.9-setup: https://www.virustotal.com/gui/file/6cb0bcdfa69c952fe09b8278ebdeaf5d85fe88852be40a1fdbdef168eef07761?nocache=1
0.1.7 was detected as Trojan:Win32/Phonzy.B!ml on Windows Defender. 0.1.8 and 0.1.9 are detected as Trojan:Win32/Bearfoos.A!ml on Windows Defender.
The 0.1.11 Windows Setup was detected as PDM.Win32.Generic.nblk on Kaspersky on launch (so related to behavior), not the file itself. VirusTotal Analysis https://www.virustotal.com/gui/file/aa8f50b3701369146f715f1d94e22078823a67be7f19890157ce93e3d052ea73/detection
Edit: Seems to only be related to the installer (and so to the auto updater).
fyi, 0.1.10: https://www.virustotal.com/gui/file/8bbdcc210f411837846de62ca2aa4be805d1d1c786a711d51c291c9cbc6f5bf5?nocache=1 https://opentip.kaspersky.com/8BBDCC210F411837846DE62CA2AA4BE805D1D1C786A711D51C291C9CBC6F5BF5/results?tab=upload
0.1.10-setup: https://www.virustotal.com/gui/file/870f344a65363d552b84cd21cf2f660dcdf8b0c97b8b181d226589182cf4f8bd?nocache=1 https://opentip.kaspersky.com/870F344A65363D552B84CD21CF2F660DCDF8B0C97B8B181D226589182CF4F8BD/results?tab=upload
The first time I uploaded to opentip, the 0.1.11 installer was detected as malware, but after analyzing the file on opentip, the 0.1.11 installer false positive seems to have disappeared.
ALCOM-0.1.12-x86_64.exe https://opentip.kaspersky.com/F1657F3A04F947FC25CC5B5FC73B9EC3EECE459458BF4CF7A66E92ED52AC2983/results https://www.virustotal.com/gui/file-analysis/MjljZjYxNTE5NzJhZTYyMTljMDU1ZjYxMGRhOGE5YjU6MTcyMTg4ODU3Mg==
ALCOM-0.1.12-x86_64-setup.exe https://opentip.kaspersky.com/11253D427DBA55DF8DE0B6BE24B9B6B39E82DB46752EB7CAEE26BB10060E630C/results https://www.virustotal.com/gui/file/11253d427dba55df8de0b6be24b9b6b39e82db46752eb7caee26bb10060e630c?nocache=1
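The vendor-by-vendor comparison the thread does by hand (unmodified build vs. build with the reqwest client commented out) can be automated against VirusTotal v3 file reports. This is an added example, not code from this thread or the vrc-get project; the two sample reports are constructed with made-up verdicts, and fetch_report assumes you have a VirusTotal API key.

```python
import json
import urllib.request

# Constructed sample reports shaped like the VirusTotal v3 `files/{sha256}`
# object: data.attributes.last_analysis_results maps engine -> verdict.
# The engine names follow the vendors named in the thread; the verdicts are made up.
UNMODIFIED_BUILD = json.dumps({"data": {"attributes": {"last_analysis_results": {
    "Google":    {"category": "malicious",  "result": "Detected"},
    "Ikarus":    {"category": "malicious",  "result": "Trojan.Generic"},
    "Trapmine":  {"category": "malicious",  "result": "suspicious.low.ml.score"},
    "BkavPro":   {"category": "malicious",  "result": "W32.AIDetectMalware"},
    "Microsoft": {"category": "undetected", "result": None},
    "Kaspersky": {"category": "undetected", "result": None},
}}}})
# Same build with the reqwest client construction commented out (constructed).
NO_CLIENT_BUILD = json.dumps({"data": {"attributes": {"last_analysis_results": {
    "Google":    {"category": "undetected", "result": None},
    "Ikarus":    {"category": "undetected", "result": None},
    "Trapmine":  {"category": "malicious",  "result": "suspicious.low.ml.score"},
    "BkavPro":   {"category": "malicious",  "result": "W32.AIDetectMalware"},
    "Microsoft": {"category": "undetected", "result": None},
    "Kaspersky": {"category": "undetected", "result": None},
}}}})

def _results(report_json: str) -> dict:
    return json.loads(report_json)["data"]["attributes"]["last_analysis_results"]

def flagged_engines(report_json: str) -> dict[str, str]:
    """Engines that flag the file, mapped to their verdict string."""
    return {eng: r["result"] or r["category"]
            for eng, r in _results(report_json).items()
            if r["category"] in ("malicious", "suspicious")}

def detection_ratio(report_json: str) -> str:
    """The 'N/M' ratio VirusTotal shows at the top of a report."""
    return f"{len(flagged_engines(report_json))}/{len(_results(report_json))}"

def diff_flags(baseline_json: str, variant_json: str) -> dict[str, set[str]]:
    """Which detections a code change cleared, left in place, or introduced."""
    base, var = set(flagged_engines(baseline_json)), set(flagged_engines(variant_json))
    return {"cleared": base - var, "persisting": base & var, "introduced": var - base}

def fetch_report(sha256: str, api_key: str) -> str:
    """Download a live report (needs network and a VT API key); unused in the sample run."""
    req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{sha256}",
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    print(detection_ratio(UNMODIFIED_BUILD), "->", detection_ratio(NO_CLIENT_BUILD))
    print(diff_flags(UNMODIFIED_BUILD, NO_CLIENT_BUILD))
```

Running it on real reports means calling fetch_report for each build's sha256 and feeding the two JSON strings to diff_flags; the "persisting" set is the list of vendors still worth chasing after a change.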
EDIT: anatawa12
This issue is the tracking issue for false-positive malware detections.
Original Title: ALCOM being recognized as a Trojan by Windows Defender (Security Center)
Description of the bug
%UserProfile%\AppData\Local\ALCOM\ALCOM.exe is recognized as a Trojan of "Win32/Phonzy.B!ml"
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FPhonzy.B!ml&threatid=2147772963
Steps to Reproduce
Updating ALCOM to version 0.1.7
Expected Behavior
Passes the anti-virus check.
Screenshots
No response
Software Version
0.1.7
OS
Windows 11 21H2
Additional context
No response