
Flagged by Windows 10 as trojan. #7

Closed
Suresh-Subedi opened this issue Feb 27, 2021 · 6 comments
Labels
documentation Improvements or additions to documentation

Comments

@Suresh-Subedi
[image attachment]

@Xeevis

Xeevis commented Feb 27, 2021

VirusTotal lists just 3 engines detecting it as malicious.

[image attachment]

If I recompile it myself then it drops Cybereason and McAfee, but triggers Cynet instead. Most likely just false positive.

[image attachment]

@ndbeals
Owner

ndbeals commented Feb 28, 2021

Thanks for the report and thanks @Xeevis for looking into it already, though you scanned the 64bit executable whereas this issue is about the 32bit executable.

I'm basically here to report what Xeevis said though.

I don't know why it's triggering as a trojan under Windows defender (or as a trojan on any of the virus total scanners). These are false-positives. My best guess is some AV heuristic flagging some of the stuff I do with pipes and win32 security API, I don't know for certain though.

Here's the virus total scan of the 32bit v1.1 executable downloaded today from the release page. You can confirm that the exe you have and the one this website scanned are the same by running sha256sum winssh-pageant.exe; the output should be 0ae3f79..., which can be compared against the hash in the virustotal page.

And here's a scan of the same v1.1 32bit program, but built at a different time.

The large discrepancy between the number of threats found on what amounts to a nearly identical executable is evidence that these indeed are false positives. Further evidence of false positives IMO is that the 64bit executable from the same v1.1 release has only two false positives. FWIW I didn't actually expect many users of the 32bit version, and don't use it myself.

That all being said, if you are still concerned about these AV reports, compiling the software yourself is very easy with instructions included in the README, as well as a more in-depth build.ps1

@Xeevis

Xeevis commented Feb 28, 2021

@ndbeals Thanks for your response and a great tool! It might be worth noting that wsl-ssh-pageant has this exact same issue.
benpye/wsl-ssh-pageant#38

On a side note, it might be beneficial to support reproducible builds so hashes don't change when compiled from the same source, so build artifacts are verifiable to be coming from a given source. To my understanding this should be possible with the -trimpath?
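Verifying a release hash as described above and checking whether two -trimpath builds of the same tree hash identically, as an added example that is not part of this thread or the winssh-pageant project. It assumes sha256sum and a Go toolchain are available and that output paths are absolute.

```shell
#!/bin/sh
# Added example (not project code). Two checks from this thread:
#   verify_sha256      - does a downloaded binary match a published hash?
#   reproducible_build - do two builds with -trimpath produce the same bytes?
# Assumed: sha256sum on PATH; go on PATH for the build part; $2/$3 of
# reproducible_build are absolute paths (go build runs inside the module dir).
set -u

# Print the SHA-256 of file $1 as lowercase hex.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if file $1 hashes to expected value $2 (hex, either case).
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Build the Go module in $1 for 32-bit Windows twice, into $2 and $3, using
# the flags that remove per-build variation: -trimpath drops absolute source
# paths, -buildid= blanks the build id, -s -w strip symbol and DWARF tables,
# CGO_ENABLED=0 keeps the host C toolchain out of the output (assumed to be
# acceptable for a pure-Go tree). Returns 0 if both outputs hash the same.
reproducible_build() {
    for out in "$2" "$3"; do
        (cd "$1" && CGO_ENABLED=0 GOOS=windows GOARCH=386 \
            go build -trimpath -ldflags "-s -w -buildid=" -o "$out" .) || return 2
    done
    [ "$(sha256_of "$2")" = "$(sha256_of "$3")" ]
}
```

A hash that differs between two such builds points at a remaining source of nondeterminism (e.g. embedded timestamps or version strings) rather than at the download.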

@ndbeals
Owner

ndbeals commented Mar 1, 2021

Thanks for that link, I'm looking into reproducible builds as well.

@ndbeals ndbeals added the documentation Improvements or additions to documentation label Mar 5, 2021
@ndbeals ndbeals closed this as completed Mar 5, 2021
@laundmo

laundmo commented Apr 8, 2021

v1.2 has some false positives on VT too, I voted for it and commented links to this issue and the Golang FAQ.

  1. Could this issue be re-opened, as it is in fact still an issue that people should find easily?
  2. I recommend commenting on future VT detections, so people can easily see that these are false positives.

@ndbeals
Owner

ndbeals commented Apr 9, 2021

v1.2 is identical to v1.1, just built as a reproducible build. Could you link where you voted for it and commented the links? Thanks.

There's a section in the readme regarding AV false positives (https://github.com/ndbeals/winssh-pageant#antivirus-flagging) that links to this issue as well, so I'm going to leave this closed because IMO, this is resolved.

People are welcome to open new issues to report AV false positives, but I'm not interested in keeping up with the cat-and-mouse game that is AV flags/false positives.
