VirusTotal flagging latest darwin-arm64 binary as malware #1977

Closed
tedsilb opened this issue Sep 26, 2023 · 9 comments
Assignees
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@tedsilb

tedsilb commented Sep 26, 2023

Bug Description

Hi, just flagging that VirusTotal detects the latest darwin-arm64 binary
(hash 9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639) as containing malware (Google: Ikarus - Trojan.OSX.Psw). I reanalyzed on VirusTotal and it produced the same finding.

VirusTotal link: https://www.virustotal.com/gui/file/9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639/detection/f-9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639-1695370063

Example code (or command)

No response

Stacktrace

No response

Steps to reproduce?

Scan with VirusTotal.

Environment

darwin-arm64

Additional Details

No response

@tedsilb tedsilb added the type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. label Sep 26, 2023
@enocom enocom added the priority: p0 Highest priority. Critical issue. P0 implies highest priority. label Sep 26, 2023
@enocom
Member

enocom commented Sep 26, 2023

Thanks @tedsilb. I'll investigate and respond here.

@enocom enocom added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. and removed priority: p0 Highest priority. Critical issue. P0 implies highest priority. labels Sep 26, 2023
@enocom
Member

enocom commented Sep 26, 2023

Bumping this down as it appears to be a false positive. Investigating further.

@enocom enocom added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Sep 26, 2023
@enocom
Member

enocom commented Sep 26, 2023

This is definitely a false positive, but it's still concerning that it's happening.

@enocom
Member

enocom commented Sep 26, 2023

Possibly related to containers/podman-desktop#3861.

@enocom
Member

enocom commented Sep 26, 2023

Just to be clear:

  1. All our builds are completed on Cloud Build using the latest Go and source only. There are no binaries included in our build.
  2. We run govulncheck against every commit.
  3. We use container scanning for every release.

Our latest release has no reported vulnerabilities by govulncheck or in our default image (based on distroless). It's not clear what's getting flagged in VirusTotal, but we have reason to believe this is a false positive.

@enocom
Member

enocom commented Sep 26, 2023

And to add on, clamav does not report these problems in either of the Darwin binaries.

@enocom
Member

enocom commented Sep 26, 2023

I suspect we might be getting flagged because we don't notarize the binary with Apple. This might be a duplicate in effect of #1712.

@hessjcg
Collaborator

hessjcg commented Sep 26, 2023

In reading the VirusTotal behavior report carefully for the amd64 binary, the VirusTotal test result shows our binary attempting to access /etc/master.passwd and the Wi-Fi settings.

Of course, I tried to reproduce this behavior and could not because our binary does not actually do these things.

The VirusTotal scan details show that the various sensitive files like /etc/master.passwd and /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist were opened by macOS components. They weren't opened by our process.

We are investigating how to reach VirusTotal to verify that this is a false positive result.

@enocom
Member

enocom commented Sep 27, 2023

Confirmed. This was a false positive across a few security scanners.

https://www.virustotal.com/gui/file/04cea1a08be2bbbe8bd07e2b2e5430f88d627aa1839fdc8efd2092dd89c6f8de/
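The triage done in this thread, as an added example that is not part of the project or of any comment above: confirm the downloaded binary is the published file by hash, then read a VirusTotal v3 file report and tell an isolated single-engine hit (the shape seen here) from a consensus detection. The "isolated" threshold and the sample report's engine names other than Ikarus are assumptions.

```python
import hashlib
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_bytes(data: bytes) -> str:
    """SHA-256 of a downloaded binary, to compare with the hash a reporter or release page gives."""
    return hashlib.sha256(data).hexdigest()


def fetch_report(sha256: str, api_key: str) -> dict:
    """Fetch the VirusTotal v3 file object for a hash (needs network and an API key)."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(report: dict, max_isolated: int = 3) -> dict:
    """Summarise per-engine verdicts. 'isolated' is a heuristic (assumption): at most
    max_isolated engines flag the file and they are under 5% of all engines, the usual
    shape of a false positive; a consensus detection needs a different response."""
    results = report["data"]["attributes"]["last_analysis_results"]
    flagged = {n: r["result"] for n, r in results.items() if r["category"] in ("malicious", "suspicious")}
    total = len(results)
    isolated = 0 < len(flagged) <= max_isolated and len(flagged) / total < 0.05
    return {"flagged": flagged, "total": total, "isolated": isolated, "clean": not flagged}


def check_release(local_sha256: str, expected_sha256: str, report: dict) -> str:
    """Separate 'the download is not the published file' from 'a scanner dislikes the published file'."""
    if local_sha256 != expected_sha256:
        return "hash mismatch: do not run; the download differs from the published binary"
    t = triage(report)
    if t["clean"]:
        return "no engine flags this hash"
    if t["isolated"]:
        names = ", ".join(f"{n} ({v})" for n, v in t["flagged"].items())
        return f"isolated detection by {names}, {len(t['flagged'])}/{t['total']} engines: likely false positive, verify with the vendor"
    return f"{len(t['flagged'])}/{t['total']} engines flag this hash: treat as real until shown otherwise"


# Constructed sample shaped like a VT v3 file object: one engine flags, 59 do not
# (mirrors the single Ikarus hit in this issue; the other engine names are made up).
SAMPLE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "Ikarus": {"category": "malicious", "result": "Trojan.OSX.Psw"},
    **{f"Engine{i}": {"category": "undetected", "result": None} for i in range(59)},
}}}}

if __name__ == "__main__":
    digest = sha256_of_bytes(b"constructed placeholder binary")
    print(check_release(digest, digest, SAMPLE_REPORT))
```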

@enocom enocom closed this as completed Sep 27, 2023