Change flawed virus scanner package scanning process
Opened this issue · 0 comments
Checklist
- I have verified this is the correct repository for opening this issue.
- I have verified no other issues exist related to my request.
Is Your Feature Request Related To A Problem? Please describe.
Instead of just using VirusTotal, we can use other more well maintained scanners first, and VirusTotal as an additional heuristic. ClamAV being a really good free option could be used. Since you likely have access to Windows machines, Windows Defender could also be utilized. Perhaps throw Avast into the mix just for good measure. Then if one of these checks fails, maybe scan with VirusTotal before notifying the maintainer.
Describe The Solution. Why is it needed?
Right now, VirusTotal has way too many bad scanners that'll just mark anything as a virus. Gather enough of these scanners, and you can generate enough false positives to cause a perfectly fine package to get stopped from being approved.
If a package is getting caught by ClamAV check, and many VirusTotal detections, then it needs manual intervention. The package at this point should be changed, or a notice could be AUTOMATICALLY placed on the package for users to see. Only Reject packages when a human has personally investigated and found a issue.
Additional Context
Personally, for me, I won't be adhering to any such related requirements or exceptions anymore, and, henceforth, will be removing any notice or mention of scanners in all of my packages description. Even if this means my packages won't be accepted or approved, then so be it. I have to draw my line in the sand, and take a stand somehow, so this is my statement pushing back against this.
This entire process is flawed from the top down, and I'm going to go into detail why.
Thought about this for awhile, and could never really grasp why this is an issue I deal with more often than not. I understand why it needs to be done, but I should never have to deal with this unless there is ABSOLUTELY a problem, and so far it's been a 100% false positive rate. I chalk this up to VirusTotal just throwing in a bunch of garbage scanners because they were offered to them for free.
I think it's also worth examining what type of attacks this would ACTUALLY prevent. If my account was taken over by a hostile third-party, and uploaded a bad package on my behalf, then it might, catch it. But anyone smart enough to do this, would probably also take steps to evade getting caught by a scanner regardless (since you can just use VirusTotal yourself, you can just modify your malicious program until it undetectable!). The only other case I can think of is that the source that I'm pulling my binaries from is compromised, and this would possibly catch it as well.
Keep in mind, I do entirely understand why this necessary, supply chain attacks will likely only increase in the coming years. But you're also just unnecessarily pushing the earnest on maintainers that likely have nothing to do with it in the first place. I can't answer why this binary has 11/60 detections. Maybe it was compressed weirdly (UPX tends to do this), maybe it was packed with something like Python (a lot of scanners like to raise red flags when they see this!).
I know it might be too difficult use Windows Sandbox, VirtualBox, an air-gapped machine, or any number of other virtualization tools to determine whether a package is malicious or not, but I don't have all the answers. Also, if you can't bother to check yourself, then don't go asking me if you're also not willing to even see for yourself. Another thing, not all malicious programs are surface level. Sometimes you'd have to dig deeper to find out if something is actually doing anything malicious, and even then you might have to find some way to trigger it.
While we're at it, let's take a look at other package managers and see if they have a similar process. Arch Linux User Repository, Homebrew, AppGet, and Scoop, all do not have any process related to this at all. Which means they put the earnest on the package approval process, and users determining whether a package is "real" or "fake". WinGet is the only other package manager I could find that does this, and as far as I'm aware, they just scan the downloaded artifact with Windows Defender.
These are not necessary checks for a maintainer, these are helpful messages for users at best, and we should treat it that way. Users need to use common sense, and exercise caution when installing a program from a COMMUNITY repository anyway. Stop acting like these tools absolutely will catch 100% all bad behavior, and when it doesn't, maintainers have to go out of their way to point out that the program is safe. Users have to take responsibility for their own machine, because when a malicious program inevitably does get uploaded to Chocolatey, and it inevitably slips by ALL THE SCANNERS, none of these checks are going to save you from getting blamed for someone's machine getting compromised anyway.
Personally, I just can't do it anymore. I'm not saying that adding a notice is hard, or that point it out is an issue. It's just that I'd rather do this when it's absolutely necessary, and not just because some machine saw a pattern that matches other patterns it knows of, so it must be a virus!!!
Again, I'm not saying we should get rid of these checks entirely, but stop front-loading this work onto maintainers, because I'm not doing it anymore. I'm open to explanations, or additional reasoning on "Why this is a package maintainer's problem to deal with", and not a "Users need to exercise caution when downloading software."
Related Issues
No response