Executable created after embedding assemblies using Costura.Fody detected as a virus #161

Closed
ravibpatel opened this issue Jun 12, 2016 · 10 comments

@ravibpatel

I used ILRepack to merge my assemblies into one executable in the past, but Costura.Fody does the job better. After using Costura.Fody, many users reported that the executable is flagged as a virus. This was not a problem when I used ILRepack to merge my assemblies. I know it is a false positive, but is there any way I can prevent this?

@SimonCropp
Member

Your best bet is to contact the company that makes the virus scanner

@rubinsh

rubinsh commented Dec 29, 2016

Got this as well with Avira anti virus.

@jimbobmcgee

@SimonCropp - perhaps that's your best bet. Mine is simply not to use your library.

Since your approach is the thing that the AV vendors' heuristics find questionable, perhaps you are best placed to explain to them how to more accurately detect if it actually is.

Close/WontFix-ing and telling your consumers to do your dirty work for you is hardly the best way forward here...

@SimonCropp
Member

SimonCropp commented May 31, 2017

@jimbobmcgee I have been through this at least a dozen times with virus vendors over the years, for many projects that have nothing to do with this project or IL manipulation. For every one of those cases there is nothing you can do but raise a bug with the virus vendor.

> telling your consumers to do your dirty work for you is hardly the best way forward here...

When you pay me money you have the right to call yourself a "customer". Until then this is a community project and users of it have just as much responsibility to "do the dirty work" as me.

I can see from your GitHub history you have not had an opportunity to contribute meaningfully in over 12 months.

So perhaps solving this issue for yourself will give you that opportunity.

@distantcam
Member

Chances are, the virus makers are using Costura, and if so, the anti-virus makers are using Costura's signature to "detect" those viruses. Therefore any change to Costura won't help as the anti-virus makers are detecting "Costura applications" rather than the viruses themselves.

So the only way to fix this is to contact the anti-virus makers.

@ravibpatel
Author

ravibpatel commented Jun 1, 2017

I fixed my problem by just changing the GUID of my application. Changing 1 character from A to B does the trick. So I think Simon is right: anti-virus is to blame for this.

@jimbobmcgee

@SimonCropp - the regularity with which I contribute to GitHub projects is not in question, nor is it relevant. Ad hominem is not a reasonable response to a valid-enough argument. I expect you've taken exception to my description of engaging AV vendors as "your dirty work". Personal/tonal differences aside, I do perceive this as the responsibility of the supplier, not the consumer; if you don't, we'll have to agree to disagree.

I am not your 'customer' (which I never said). I am not even directly your 'consumer', so I don't have to pay you a dime. It is a downstream project that is affected by this issue, and they have chosen to package up their app with your code. That is affecting my ability to consume their app; I guess they are stuck by your Close/Won't-fix.

If you have engaged with antivirus vendors about this very issue, fair play to you. I assume from your tone that you have had little joy with them, but have any of them described the conditions which cause their heuristics to flag a concern? Is it a matter of encryption (i.e. if the resources were packaged but unencrypted, it wouldn't happen), or is it the practice of embedding DLLs/EXEs itself?

If we're simply looking at file hashes that have been submitted and shared by some cloud security service, then @ravibpatel is probably correct -- changing anything that alters the binary will 'fix' the issue, but we'll be in a race to the bottom with whoever is submitting the hashes.

I imagine that @distantcam is correct. If so, of course that isn't your fault. But without some guidance from the guy who should know about this better than anyone, your downstream consumers are screwed!

@distantcam
Member

> so I don't have to pay you a dime

@jimbobmcgee Correct, you don't pay us. And likewise we don't owe you anything either. We don't owe you a solution to this problem, or a way forward. We work on this project for free, in our free time. We donate our time to this project. And then we are constantly harassed about doing the right thing, and that we don't care about our users. Meanwhile when we ask if anyone else is also willing to help out with the project by working on it in their free time and contribute, that suggestion falls on deaf ears.

I think the difference here is that GitHub provides an easy way for people to provide feedback, and ask for things to be fixed. As opposed to other 3rd party packages (anti-virus, obfuscators, etc) that are less easy to give feedback to. And so it's us poor open source maintainers who get the pointy end of people's frustration. With no financial compensation for what we give to the community.

So please, stop using the things we give you for free. Tell others to stop using it too.

@jimbobmcgee

jimbobmcgee commented Jun 7, 2017

@distantcam, @SimonCropp - I'm not trying to harass you, and I am not unappreciative of the time and effort you have put into your free community project. I'm not asking for special treatment of my issue. In fact, it's not even my issue.

It was a downstream project that was experiencing the issue, which in turn prevented me from downloading their updates. I have since separately resolved my original issue with that project, advised their maintainer of my findings and suggested that, if they see fit, I personally have no need of the pre-packaged, portable application that Costura provides. I believe that suitably complies with your wishes that I no longer use your things, and advise others not to.

I understand that this issue is not something you believe you can fix outright. If I could help you in any way, I would be happy to try but, beyond `AppDomain.CurrentDomain.AssemblyResolve += (s, e) => Assembly.Load(Assembly.GetEntryAssembly().GetManifestResourceStream(e.Name).ToByteArray());` at runtime, dynamic assembly packaging and loading is not in my wheelhouse.

Since this is something you seem to understand better than I, you must realise that you are better placed to describe the problem to antivirus vendors, if asked. Note that I am not explicitly or implicitly asking you to do that for me. If I were asked to describe the problem, I would have to say "I embedded a component I didn't write, which does something I don't need, and your AV product doesn't like it." I'm fairly certain I know what the vendor's response would be (if any), and I would be inclined to agree.

However, I am interested in helping if I can, so I would be interested to know the outcomes of the previous dozen times you have engaged with them. If you are able to share them, perhaps between us we (or future participants) can fathom a definitive resolution.

In the meantime, however, in the spirit of cooperation, I offer the below (free-use, no-attribution):

--- README.md	Wed Jun  7 18:54:50 2017
+++ README.md	Wed Jun  7 19:26:54 2017
@@ -29,6 +29,7 @@
   - [Native Libraries and PreloadOrder](#native-libraries-and-preloadorder)
 - [CosturaUtility](#costurautility-link)
 - [Icon](#icon-link)
+- [Known Issues](#known-issues)
 - [Contributors](#contributors-link)
 
 # How it works [:link:](#contents)
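Review bot: the new contents entry `- [Known Issues](#known-issues)` points at `#known-issues`, while the neighbouring top-level entries use a `-link` suffix (`#costurautility-link`, `#icon-link`, `#contributors-link`) and the heading added later in this patch also ends in `[:link:](#contents)`. The generated anchor will most likely be `#known-issues-link`, so the entry should read `- [Known Issues](#known-issues-link)`; please check that the link resolves in the rendered README.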
@@ -217,6 +218,14 @@
 
 <a href="http://thenounproject.com/noun/merge/#icon-No256" target="_blank">Merge</a>  from The Noun Project
 
+# Known Issues [:link:](#contents)
+
+## Antivirus false positives
+
+In some extremely rare cases, applications packaged using Costura can trigger the scanners from some antivirus vendors.  Attempts have been made to contact these vendors but, so far, they have only evaluated this on a case-by-case basis and have not provided adequate insight into the heuristics that trigger these alerts.  If your compiled application triggers a virus alert, such as *MSIL.Crypto* (or its variants) and you are certain that you have not inadvertantly packaged a file containing malicious code, it might be possible to overcome this by simply recompiling your application using different strings in your `AssemblyInfo.cs` file (or language-specific equivalent), or by making some other trivial change that results in a slightly-different binary output.  If this does not resolve the issue with your packaged application then, unfortunately, the Costura developers are unable to assist further.
+
+**Note to antivirus vendors:** If you are able to assist with determining a more holistic solution to this problem, please contact **TBC**.
+
 # Contributors [:link:](#contents)
 
  * [Cameron MacFarland](https://github.com/distantcam)
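Review bot: the vendor note that closes the new section still reads `please contact **TBC**`; it needs a real contact, or the note should be dropped, before this can go in. In the main paragraph, "inadvertantly" should be "inadvertently", and "extremely rare" is not supported by anything stated here, so "some cases" is the safer wording. The recompile-with-different-strings advice only produces a different binary, so the paragraph should also tell readers to report the flagged build to the antivirus vendor as a false positive, since that is what gets the detection itself corrected.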

I like to believe that we start our open-source projects because we want to help people with similar needs. If you feel that only paying customers are allowed to request assistance when your implementation presents additional headaches for consumers, you should probably put details of a PayPal, Patreon, or similar in your readme, and summarise your rates (apologies if I missed this somewhere).

If you do not appreciate feedback from your consumers (paying or otherwise), perhaps you should close the Issues tracker. As we have already determined, I don't use GitHub very much, but I believe you can do so by unchecking the Issues checkbox in the Settings ➡️ Features section of your repository dashboard.

But, if this is not the case, you should be aware that "Your best bet is to contact the company that makes the virus scanner" (however politely/jovially intended) reads like "Go tell someone who cares".

If you feel that I am simply unreasonable, fair enough; perhaps we should all just take a deep breath, have a cup of tea and a sit down.

@distantcam
Member

Your best bet is to contact the company that makes the virus scanner. There's nothing we can do on our end. However you want to read that, it means we cannot fix this.

Your misunderstanding of that statement is what leads to you thinking that we don't care. You're right, if we didn't care we wouldn't even bother having issues. We do care, and so we say this is the best way to fix this problem, and then people get angry and say passive aggressive things like "perhaps that's your best bet. Mine is simply not to use your library".

Frankly I've had enough of entitled developers coming along and saying "your open source product sucks because you won't fix my specific problem, and now I'm not going to use your product and tell everybody it sucks". Whether you meant it that way or not, that's how it came across. It's not the first time that comment has been made, and it won't be the last either. If you really didn't mean it that way then perhaps you could have worded it better for next time, and perhaps think more carefully about how your comments might come across.

This thread is no longer useful.

@Fody Fody locked and limited conversation to collaborators Jun 11, 2017