Detected as a virus in sandboxes #287

Open
sais-github opened this issue Feb 11, 2024 · 3 comments

Comments

@sais-github

Ran the file through VirusTotal and had what seemed to be false positives or heuristic detection, so I ran it through sandboxes and both came back positive, but I'm no expert so they may just be necessary to build the application.
https://www.hybrid-analysis.com/sample/54c633e07a285ef07fe4b68fb318738bdc84df36ea406cb0c454468958d92b5b/65c279928a733702df0f0d9b
https://metadefender.opswat.com/results/file/bzI0MDIxMXgxNHU5cDZpN0VMU2g3bURLTGRw/regular/sandbox/summary

@josStorer
Owner

josStorer commented Feb 12, 2024

This program may have several features that could potentially be flagged as a virus:

  1. It uses UPX compression and has a shell. Many viruses have a shell, but RWKV-Runner uses UPX to provide a smaller program size and to make downloading and updating the program faster.

  2. The program embeds some scripts and binary files, which are released during program execution. This behavior might be considered virus-like. RWKV-Runner contains components developed in multiple programming languages and uses Go as glue to combine them. It invokes multiple processes as needed at runtime. Additionally, to facilitate easy updates of Python backend scripts along with the program, they are also packed into binary files. Furthermore, because Go is convenient for developing lightweight executables and has a rich toolkit, many people use Go to develop destructive programs, which may lead to programs developed in Go being more prone to being misreported as viruses.

  3. RWKV-Runner can silently self-update, which means if I want, it theoretically poses a risk of executing remote malicious code. However, in practice, updates are only executed when the user actively clicks the update button. All operations performed by the program by default occur within the program's directory, and there are no cross-directory operations. The source code and compilation process of this program are publicly available on GitHub. You can find the compilation workflow file at this link: https://github.com/josStorer/RWKV-Runner/blob/master/.github/workflows/release.yml and the compilation logs at this link: https://github.com/josStorer/RWKV-Runner/actions.

In general, considering the above information, it's normal for this program to be falsely flagged as a virus. And as a non-profit project, without any income to support purchasing a certificate for trust establishment, I can only inform users that the code is fully open-source, you are free to review it, and Windows Defender scanning confirms that this program is not a virus. Additionally, the files uploaded to GitHub Release are generated by GitHub Workflow in the cloud.

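The UPX point in the comment above can be checked locally rather than taken on trust. The following is an added example, not code from RWKV-Runner or from either participant: it reads the PE section table, reports whether the section names UPX writes (which many AV heuristics key on) are present, and records the SHA-256 so the file can be matched against the sandbox reports. The `build_fake_pe` helper and the section names it takes are a constructed, header-only skeleton for offline testing, not a real binary.

```python
import hashlib
import struct

# Section names UPX writes into a packed PE; many AV heuristics key on them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if the data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                      # start of the 20-byte COFF header
    if len(data) < coff + 20:
        return []                            # truncated before the COFF header ends
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size             # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[first + i * 40:first + i * 40 + 8]
        if len(raw) < 8:
            break                            # truncated section table
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data):
    """Hash plus a UPX verdict, so a sandbox hit can be compared with the release asset."""
    names = pe_section_names(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": names,
        "upx_packed": any(n.encode() in UPX_SECTION_NAMES for n in names),
    }


def build_fake_pe(section_names):
    """Constructed header-only PE skeleton (no code, no optional header) for offline tests."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0x22)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(triage(fh.read()))
```

A UPX verdict on its own only explains why a heuristic fired; the SHA-256 is what lets you confirm the scanned file is the same bytes the GitHub Workflow published before deciding the hit is a false positive.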

@sais-github
Author

Thank you for such a detailed response! I need to learn to understand what all the AV "signatures" mean so I can make decisions.
Plus, certificates should be free, especially when the company demanding them is worth so much.

@josStorer
Owner

Actually, I'm also quite confused about the certificate issue. Considering that Microsoft has acquired GitHub, I think some well-known GitHub repos, which use GitHub workflow to build programs, should receive certificates automatically signed by Microsoft.

However, the reality is that currently, developers have to bear this cost themselves. This is also why there are many open-source programs on GitHub that, when downloaded, are flagged as risky and require confirmation. You can find similar discussions on some developer forums like Stack Overflow: https://stackoverflow.com/questions/77332719/how-do-i-get-a-valid-microsoft-store-code-signing-certificate. It's widely acknowledged that purchasing a certificate is necessary. Here's a certificate supplier website for reference: https://signmycode.com/authenticode-signing. In fact, many businesses rely on selling or acting as agents for certificates as their main source of profit.
