
Virus detected #882

Closed
DerBasler opened this issue Nov 15, 2022 · 10 comments

Comments

@DerBasler

Issue:
Two virus scanners report a Trojan.Cometer in the latest exe

How To Reproduce:
Download https://github.com/coreybutler/nvm-windows/releases/download/1.1.10/nvm-setup.exe
Upload it to https://www.virustotal.com/

Expected Behavior:
No virus flagged

Additional context:
This might be a false positive, but it does not happen with the https://github.com/coreybutler/nvm-windows/releases/download/1.1.9/nvm-setup.exe version, so this was strange.

@0liver
Contributor

0liver commented Nov 17, 2022

This, indeed, looks suspicious:

[image]

But this scan says the file is clean.

I've also checked the exe file using ESET Online Scanner, and it did not detect any virus, either.

So, maybe, VirusTotal is overly sensitive.

@coreybutler
Owner

coreybutler commented Nov 17, 2022

VirusTotal has always been exceptionally sensitive. Nothing changed in the installer, but my quick and dirty research suggests Trojan.Cometer may be flagged by anything that spawns a hidden window. The installer runs commands to check for existing versions of Node here and here. It also creates the first symlink here. These operations may be inappropriately picked up as "hidden windows".

Bottom line: nothing nefarious is happening, and nothing has changed in this file (other than version numbers) in considerable time. I'm not sure if there is anything that can be done about this other than registering an exception with Google/Ikarus.

@0liver
Contributor

0liver commented Nov 17, 2022

Thanks for commenting! That's already a lot of information. I wasn't aware that:

Trojan.Cometer may be flagged by anything that spawns a hidden window

I only chimed in to make sure nothing interfered with the packaging process. We're looking forward to using NVM4W at Lombiq really soon!

Kind regards!

@coreybutler
Owner

We're looking forward to using NVM4W at Lombiq really soon!

I'm assuming Lombiq is your company. Companies may be interested in the upcoming Runtime effort I'm working on.

@DevRCRun

We had also noted this. Out of interest, are the other names picked up for the nvm.exe file simply a function of it getting extracted by the installer with different temporary names?

is-SSIDO.tmp
is-ORQJV.tmp
is-7OU8O.tmp
is-90S9T.tmp

https://www.virustotal.com/gui/file/ffd8f0c00cbb466a6c2bf3f82ce883e02ee7e769226cc2dab3feca5493e9945e/details

The IP address listed, again with only one objection to it (from Comodo Valkyrie Verdict), appears to be primarily Microsoft. I'm guessing this could be where the node versions / shasums are fetched from? (Sorry, I haven't had much of a chance to dig into the code.)

Thanks for the reminder about Runtime, I'll fill that survey out now.

@coreybutler
Owner

@DevRCRun - honestly, I have no idea what those temp files are.

One thing I did notice is this:

[image]

It thinks it was compiled with Go 1.15.x when the latest release was compiled with 1.19.0... so something seems off about those temp files. Maybe these tools are pulling an old binary, or maybe the ML complaining of a virus is too sensitive.

The only other thing I can think of are the other base files found at https://github.com/coreybutler/nvm-windows/tree/master/bin... but there are only 4 of those and 5 temp files.

@DevRCRun

If I'm interpreting it correctly, it's saying those file names are actually other names it's seen either submitted or in the wild for the same file it's identifying as nvm.exe (i.e. the same hash). If that's the hash as you built it, then as you say DetectItEasy must just be wrong, which does make you wonder what else about the data there could be wrong or jumbled up...

@c33s

c33s commented Dec 8, 2022

not sure if we can only blame the hidden windows of the installer here. also nvm-noinstall.zip and nvm.exe trigger a warning.

the issue may be Go itself. see https://go.dev/doc/faq#virus and https://groups.google.com/g/golang-nuts/c/lPwiWYaApSU

@coreybutler
Owner

With alternative forms of the binary (i.e. the temp files), it could just be that some of the antivirus tools are picking up the name from a different installer (whose process may be a little different, like renaming files after downloading them). The antivirus could also be picking up filenames prematurely, i.e. performing a scan partially through the installation.

Older versions of Go are sometimes picked up by outdated antivirus platforms. This was prominent in older versions of NVM4W because it was built with older versions of Go. That was 4-5 years ago. At this point, I pretty much chalk it up to the antivirus being incorrect/outdated.

Most of the antivirus failures stem from machine learning (i.e. not verified by a human), which isn't perfect.

Obviously the goal is for NVM4W to pass all antivirus, but some of the vendors really are just outdated/inaccurate. I think the evidence of this is in the VirusTotal link @DevRCRun posted... because it used to show a problem. Now it shows 100% compliance.

[image]

Same goes for the link @0liver posted, which now looks like this:

[image]

@0liver
Contributor

0liver commented Dec 8, 2022

I'm happy this is over 😀 Thanks for keeping us in the loop, @coreybutler!
