Windows Bearfoos virus associated with rye 0.15.2 #468

Open

BruceEckel opened this issue Oct 6, 2023 · 15 comments

Comments

@BruceEckel

Steps to Reproduce

I did a rye self update just now and my Windows Defender (I'm on Windows 11) fired up and said it contained the "Bearfoos" virus and deleted rye.

I've removed all the rye artifacts and will reinstall it (and report results here) but wanted to capture the issue before doing so.

Expected Result

Normal update

Actual Result

(screenshot of the Windows Defender warning)

The "Learn more" link takes you here:
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AWin32%2FBearfoos.A!ml&threatid=2147731250

Version Info

When I went to https://rye-up.com/ and tried to download "rye-x86_64-windows.exe for 64bit Intel Windows" I got a similar Windows Defender response:
(screenshot of the Windows Defender warning)

Stacktrace

No response

@BruceEckel (Author)

When I downloaded the install executable for 0.15.1 Windows Defender found no issues, so it seems to be something in 0.15.2

@BruceEckel (Author)

Successfully installed 0.15.1

@BruceEckel BruceEckel changed the title Windows Bearfoos virus associated with rye 0.15? Windows Bearfoos virus associated with rye 0.15.2 Oct 7, 2023
@mitsuhiko (Collaborator)

Surprisingly this file does not trigger in Windows Defender for me. I submitted a false positive report to Windows Defender.

Submission case https://www.microsoft.com/en-us/wdsi/submission/2babfd93-15a5-42ff-8ce9-f78f18745daf

@mitsuhiko (Collaborator)

I uploaded the file and it came back as not malware:

(screenshot of the submission result)

Maybe Microsoft fixed it in the meantime?

@BruceEckel (Author)

I'm not seeing any problems with it on my desktop machine (also Windows 11). I will recheck it on my laptop, which is where I saw the problem.

@BruceEckel (Author)

Yes, there was a Windows Defender update and once I applied it on my laptop I could successfully install 0.15.2 without any virus warning. I think my desktop is set to automatically update and the laptop wasn't.

@mitsuhiko (Collaborator)

Thank you for validating!

@BruceEckel (Author)

Of course. Thank YOU for this project. I know it's still experimental but it's become my default build tool for Python.

@mitsuhiko (Collaborator)

Seems to be happening every once in a while, so I'm going to reopen it. I will also add it to the FAQ for now until a solution has been found. Still no trojan in it :P

@mitsuhiko mitsuhiko reopened this Feb 9, 2024
@Muream

Muream commented Feb 20, 2024

Just for reference, I am running into this except it gets picked up as the Wacatac Trojan

It happened with both rye self update going from 0.24.0 to 0.25.0 and downloading the installer from the website

@mitsuhiko (Collaborator)

Still taking suggestions for what can be done here :(

@ported-pw

You are pretty much going to need code signing to increase executable trust vs. Microsoft, but it recently got a lot more expensive because you are required to use FIPS-compliant hardware or similar to store the keys now.

@yuanhao-li

> You are pretty much going to need code signing to increase executable trust vs. Microsoft, but it recently got a lot more expensive because you are required to use FIPS-compliant hardware or similar to store the keys now.

this could be an option.

Also, in some organizations there's file reputation with Symantec. If the file reputation is low, rye is not usable. Maybe this info will help.

https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Glossary/file-reputation-v32546090-d49e18645.html#:~:text=The%20file%20reputation%20indicates%20how,information%20about%20the%20file's%20characteristics.

@mitsuhiko (Collaborator)

Maybe this is something that astral can eventually address, but honestly from where I stand this is largely a problem that those companies (Microsoft, Broadcom etc.) need to deal with.

@ported-pw

It's basically in the nature of the project to be picked up by behaviour/likeness to actual malware.
You have something that downloads and runs other code from elsewhere on the internet, which is essentially what a malware dropper/RAT does. So the only way is to keep submitting builds to Microsoft and other AV vendors as false positives and/or to start signing builds.
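A user-side triage script for the situation in this thread, added here as an example (PowerShell; it is not code from the rye project or from any participant above). It reports the Defender engine and signature versions behind a verdict, optionally pulls a definition update (which is what cleared the laptop case earlier in the thread), lists any Defender detections that reference the downloaded installer, compares the file's SHA-256 with a value you supply from the release page, reports its Authenticode status (the signing point raised above), and rescans just that file with MpCmdRun. The download path, the `$ExpectedSha256` placeholder and the `-UpdateSignatures` switch are assumptions of this script, not anything rye ships.

```powershell
# Added example (not from the rye project or this thread): triage a suspected
# Windows Defender false positive on a downloaded rye installer.
# Assumptions: $Path is the file you downloaded; $ExpectedSha256 is a hash you
# obtained out-of-band from the project's release page (placeholder here).
param(
    [string]$Path = "$env:USERPROFILE\Downloads\rye-x86_64-windows.exe",
    [string]$ExpectedSha256 = '<sha256 from the release page>',
    [switch]$UpdateSignatures
)

$ErrorActionPreference = 'Stop'

# 1. Which engine and definition versions produced the verdict? A detection that
#    fires on one machine and not another is often just a stale definition set,
#    which is exactly what the laptop-vs-desktop difference in this thread was.
$status = Get-MpComputerStatus
"Engine  : $($status.AMEngineVersion)"
"AV sigs : $($status.AntivirusSignatureVersion) (updated $($status.AntivirusSignatureLastUpdated))"

if ($UpdateSignatures) {
    Update-MpSignature
    $status = Get-MpComputerStatus
    "AV sigs after update: $($status.AntivirusSignatureVersion)"
}

# 2. Has Defender already acted on this file? Detection history entries carry the
#    affected paths in .Resources and the threat in .ThreatID (e.g. the Bearfoos
#    '!ml' heuristic verdict from the original report).
Get-MpThreatDetection |
    Where-Object { $_.Resources -match [regex]::Escape($Path) } |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-List

if (-not (Test-Path -Path $Path)) {
    Write-Warning "$Path is not present (already removed by Defender?); stopping here."
    return
}

# 3. Integrity: compare SHA-256 with the value from the release page. A match
#    tells you the bytes are the artifact the maintainers published, which is a
#    separate question from what a heuristic verdict says about them.
$actual = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
if ($ExpectedSha256 -ne '<sha256 from the release page>') {
    if ($actual -ieq $ExpectedSha256) { "SHA-256 matches the release page" }
    else { Write-Warning "SHA-256 MISMATCH: got $actual, expected $ExpectedSha256" }
} else {
    "SHA-256: $actual (no expected value supplied; compare it by hand)"
}

# 4. Authenticode: an unsigned binary gets no publisher reputation. This is the
#    check that a signed build, as suggested in the thread, would change.
$sig = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { " ($($sig.SignerCertificate.Subject))" } else { '' }
"Signature: $($sig.Status)$signer"

# 5. Rescan only this file on demand with the definitions now installed.
#    MpCmdRun documents exit code 0 as "no threat found" and 2 as "threat found".
$mpcmd = Join-Path -Path $env:ProgramFiles -ChildPath 'Windows Defender\MpCmdRun.exe'
& $mpcmd -Scan -ScanType 3 -File $Path
"MpCmdRun exit code: $LASTEXITCODE (0 = no threat found, 2 = threat found)"
```

Run it after a detection but before deleting anything, so step 2 still has the quarantine record to show; run it again with `-UpdateSignatures` to see whether the verdict survives a definition update, which is the evidence a false-positive submission to Microsoft benefits from.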


5 participants