New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Executable created after embedding assemblies using Costura.Fody detected as a virus #161
Comments
Your best bet is to contact the company that makes the virus scanner |
Got this as well with Avira anti virus. |
@SimonCropp - perhaps that's your best bet. Mine is simply not to use your library. Since your approach is the thing that the AV vendors' heuristics finds questionable, perhaps you are best placed to explain to them how to more-accurately detect if it actually is.
|
@jimbobmcgee i have been through this at least a dozen times with virus vendors over the years. for many projects that have nothing to do with this project or IL manipulation. For every one of those cases there is nothing u can do but raise an bug with virus vendor.
When you pay me money you have the right to call yourself a "customer". until then this is a community project and users of it have just as much responsibility to "do the dirty work" as me. I can see your your GitHub history you have not had an opportunity to contribute meaningful in over 12 months So perhaps solving this issue for yourself will give you that opportunity |
Chances are, the virus makers are using Costura, and if so, the anti-virus makers are using Costura's signature to "detect" those viruses. Therefore any change to Costura won't help as the anti-virus makers are detecting "Costura applications" rather than the viruses themselves. So the only way to fix this is to contact the anti-virus makers. |
I fixed my problem by just changing the GUID of my application. Changing 1 character from A to B does the trick. So I think Simon is right anti-virus is to blame for this. |
@SimonCropp - the regularity with which I contribute to Github projects is not in question, nor is it relevant. Ad hominem is not a reasonable response to a valid-enough argument. I expect you've taken exception to my description of engaging AV vendors as "your dirty work". Personal/tonal differences aside, I do perceive this as the responsibility of the supplier, not the consumer; if you don't, we'll have to agree to disagree. I am not your 'customer' (which I never said). I am not even directly your 'consumer', so I don't have to pay you a dime. It is a downstream project that is affected by this issue, and they have chosen to package up their app with your code. That is affecting my ability to consume their app; I guess they are stuck by your Close/Won't-fix. If you have engaged with antivirus vendors about this very issue, fair play to you. I assume from your tone that you have had little joy with them, but have any of them described the conditions which cause their heuristics to flag a concern? Is it a matter of encryption (i.e. if the resources were packaged but unencrypted, it wouldn't happen), or is it the practice of embedding DLLs/EXEs itself? If we're simply looking at file hashes that have been submitted and shared by some cloud security service, then @ravibpatel is probably correct -- changing anything that alters the binary will 'fix' the issue, but we'll be in a race to the bottom with whoever is submitting the hashes. I imagine that @distantcam is correct. If so, of course that isn't your fault. But without some guidance from the guy who should know about this better than anyone, your downstream consumers are screwed! |
@jimbobmcgee Correct, you don't pay us. And likewise we don't owe you anything either. We don't owe you a solution to this problem, or a way forward. We work on this project for free, in our free time. We donate our time to this project. And then we are constantly harassed about doing the right thing, and that we don't care about our users. Meanwhile when we ask if anyone else is also willing to help out with the project by working on it in their free time and contribute, that suggestion falls on deaf ears. I think the difference here is that GitHub provides an easy way for people to provide feedpack, and ask for things to be fixed. As opposed to other 3rd party packages (anti-virus, obfuscators, etc) that are less easy to give feedback to. And so it's us poor open source maintainers who get the pointy end of peoples frustration. With no financial compensation for what we give to the community. So please, stop using the things we give you for free. Tell others to stop using it too. |
@distantcam, @SimonCropp - I'm not trying to harass you, and I am not unappreciative of the time and effort you have put into your free community project. I'm not asking for special treatment of my issue. In fact, its not even my issue. It was a downstream project that was experiencing the issue, which in turn prevented me from downloading their updates. I have since separately resolved my original issue with that project, advised their maintainer of my findings and suggested that, if they see fit, I personally have no need of the pre-packaged, portable application that Costura provides. I believe that suitably complies with your wishes that I no longer use your things, and advise others not to. I understand that this issue is not something you believe you can fix outright. If I could help you in any way, I would be happy to try but, beyond Since this is something you seem to understand better than I, you must realise that you are better placed to describe the problem to antivirus vendors, if asked. Note that I am not explicitly or implicitly asking you to do that for me. If I were asked to describe the problem, I would have to say "I embedded a component I didn't write, which does something I don't need, and your AV product doesn't like it." I'm fairly certain I know what the vendor's response would be (if any), and I would be inclined to agree. However, I am interested in helping if I can, so I would be interested to know the outcomes of the previous dozen times you have engaged with them. If you are able to share them, perhaps between us we (or future participants) can fathom a definitive resolution. In the meantime, however, in the spirit of cooperation, I offer the below (free-use, no-attribution):
I like to believe that we start our open-source projects because we want to help people with a similar needs. If you feel that only paying customers are allowed to request assistance when your implementation presents additional headaches for consumers, you should probably put details of a PayPal, Patreon, or similar in your readme, and summarise your rates (apologies if I missed this somewhere). If you do not appreciate feedback from your consumers (paying or otherwise), perhaps you should close the Issues tracker. As we have already determined, I don't use Github very much, but I believe you can do so by unchecking the Issues checkbox in the Settings ➡️ Features section of your repository dashboard. But, if this is not the case, you should be aware that "Your best bet is to contact the company that makes the virus scanner" (however politely/jovially intended) reads like "Go tell someone who cares". If you feel that I am simply unreasonable, fair enough; perhaps we should all just take a deep breath, have a cup of tea and a sit down. |
Your best bet is to contact the company that makes the virus scanner. There's nothing we can do on our end. However you want to read that, it means we cannot fix this. Your misunderstanding of that statement is what leads to you thinking that we don't care. You're right, if we didn't care we wouldn't even bother having issues. We do care, and so we say this is the best way to fix this problem, and then people get angry and say passive aggressive things like "perhaps that's your best bet. Mine is simply not to use your library". Frankly I've had enough of entitled developers coming along and saying "your open source product sucks because you won't fix my specific problem, and now I'm not going to use your product and tell everybody it sucks". Whether you meant it that way or not, that's how it came across. It's not the first time that comment has been made, and it won't be the last either. If you really didn't mean it that way then perhaps you could have worded it better for next time, and perhaps think more carefully about how your comments might come across. This thread is no longer useful. |
I use ILRepack to merge my assemblies in to one executable in the past but Costura.Fody do the job better. After using Costura.Fody many users reported that the executable is flagged as a virus This is not a problem when I used ILRepack to merge my assemblies. I know it is a false positive but is there anyway I can prevent this?
The text was updated successfully, but these errors were encountered: