hillu/local-log4j-vuln-scanner

Virustotal 17 security vendors and 1 sandbox flagged this file as malicious

askvpb opened this issue · 18 comments

VirusTotal indicated that 17 security vendors and 1 sandbox flagged the .exe file as malicious. Is this a false positive?
https://www.virustotal.com/gui/file/9475f529d96d306d52d050cf816712894fc082da863b733cae22f9dbd3b433bd

I guess it is because it opens and unpacks files and compares the result to a list of file hashes.

hillu commented

I guess it is because it opens and unpacks files and compares the result to a list of file hashes.

Actually no. Even after stripping the binary down to

package main

import (
	"fmt"
	"os"
)

func main() {
	if len(os.Args) < 2 {
		fmt.Printf("Usage: %s [ paths ... ]\n", os.Args[0])
		os.Exit(1)
	}
}

it still gets flagged by multiple engines, including Microsoft's.

This is beyond embarrassing for the AV industry.

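The reporter's guess above describes the scanner's general approach: open archives, unpack them, hash the contents and compare against a list of known file hashes. As an added illustration of that hash-based technique (this is example code written for this page, not the project's own scanner), here is a small Go program that walks a directory, opens every .jar/.war/.ear/.zip it finds, recurses into nested archives, hashes each .class entry with SHA-256 and reports matches against a hash list. The class bytes, the hash list and the nested archive layout built by BuildSampleJar are constructed for the example and stand in for real log4j-core hashes.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding records one archive entry whose SHA-256 matched a known hash.
type Finding struct {
	Archive string // outer path, with "::" separating nested archive levels
	Entry   string // entry name inside the innermost archive
	Label   string // label from the hash list
}

// SampleClassBytes is a made-up stand-in for a vulnerable class file; it is
// NOT real bytecode and NOT a real log4j hash source (constructed for this example).
var SampleClassBytes = []byte("\xca\xfe\xba\xbe constructed fake JndiLookup.class body")

// KnownHashes maps hex SHA-256 of a class file to a label. A real scanner ships a
// list of hashes of vulnerable classes; here the only entry is the constructed sample.
var KnownHashes = map[string]string{
	hashBytes(SampleClassBytes): "JndiLookup.class (constructed sample hash)",
}

// hashBytes returns the lowercase hex SHA-256 of data.
func hashBytes(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// isArchive reports whether a lowercase file name has an archive extension we open.
func isArchive(lower string) bool {
	for _, ext := range []string{".jar", ".war", ".ear", ".zip"} {
		if strings.HasSuffix(lower, ext) {
			return true
		}
	}
	return false
}

// scanZipReader hashes every *.class entry of an opened zip and recurses into
// nested archives (e.g. WEB-INF/lib/*.jar inside a .war).
func scanZipReader(zr *zip.Reader, name string, known map[string]string) []Finding {
	var out []Finding
	for _, f := range zr.File {
		if f.FileInfo().IsDir() {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			continue
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			continue
		}
		lower := strings.ToLower(f.Name)
		switch {
		case strings.HasSuffix(lower, ".class"):
			if label, ok := known[hashBytes(data)]; ok {
				out = append(out, Finding{Archive: name, Entry: f.Name, Label: label})
			}
		case isArchive(lower):
			if inner, err := zip.NewReader(bytes.NewReader(data), int64(len(data))); err == nil {
				out = append(out, scanZipReader(inner, name+"::"+f.Name, known)...)
			}
		}
	}
	return out
}

// ScanBytes scans one archive held in memory.
func ScanBytes(name string, data []byte, known map[string]string) ([]Finding, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, err
	}
	return scanZipReader(zr, name, known), nil
}

// ScanPath walks root on disk and scans every archive file found under it.
func ScanPath(root string, known map[string]string) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() || !isArchive(strings.ToLower(p)) {
			return nil // skip unreadable entries, directories and non-archives
		}
		if data, err := os.ReadFile(p); err == nil {
			if found, err := ScanBytes(p, data, known); err == nil {
				out = append(out, found...)
			}
		}
		return nil
	})
	return out, err
}

// zipFromEntries builds an in-memory zip from name -> content (test helper).
func zipFromEntries(entries map[string][]byte) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for name, data := range entries {
		w, _ := zw.Create(name)
		w.Write(data)
	}
	zw.Close()
	return buf.Bytes()
}

// BuildSampleJar constructs a nested archive: app.war -> WEB-INF/lib/log4j-core.jar
// -> the fake JndiLookup.class. Layout and contents are constructed for the example.
func BuildSampleJar() []byte {
	inner := zipFromEntries(map[string][]byte{
		"META-INF/MANIFEST.MF": []byte("Manifest-Version: 1.0\n"),
		"org/apache/logging/log4j/core/lookup/JndiLookup.class": SampleClassBytes,
	})
	return zipFromEntries(map[string][]byte{"WEB-INF/lib/log4j-core.jar": inner})
}

func main() {
	if len(os.Args) < 2 {
		fmt.Printf("Usage: %s [ paths ... ]\n", os.Args[0])
		os.Exit(1)
	}
	for _, root := range os.Args[1:] {
		findings, err := ScanPath(root, KnownHashes)
		if err != nil {
			fmt.Fprintln(os.Stderr, "walk error:", err)
		}
		for _, f := range findings {
			fmt.Printf("%s: %s -> %s\n", f.Archive, f.Entry, f.Label)
		}
	}
}
```

Note that the only behaviour here that could plausibly look suspicious to a heuristic engine is opening archives and hashing their contents, which is exactly what hillu's stripped-down build shows is not the trigger.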
Looks like more AV vendors are reporting the exe files as malware. Cannot use the script on the server with AV installed, unless doing some tampering with configurations. Would appreciate it if this could be reported as a false positive.

hillu commented

Cannot use the script on the server with AV installed, unless doing some tampering with configurations. Would appreciate it if this could be reported as a false positive.

Tell me where to report it and I'll try when I find time.

hillu commented

@simonai1254 Thank you.

Thank you for looking into this matter. Much appreciated.

Out of curiosity, did you try to strip the debug info with -ldflags '-s -w' and run the malware scan?

hillu commented

Out of curiosity, did you try to strip the debug info with -ldflags '-s -w' and run the malware scan?

Yes. This did not help.

I have decided for myself that life is too short to try finding workarounds to black box "security" buzzword products. (That time is better spent ranting about the sorry state of our industry.)

Has anyone submitted this to vendors so they don't detect it as a virus? I've recommended this tool be used internally and, whilst some of the detections may be obscure, there are some big hitters detecting it there: Cylance, Cybereason, Palo Alto.

I did nothing, only searched for the places where you may put the sample in.

I have decided for myself that life is too short to try finding workarounds to black box "security" buzzword products. (That time is better spent ranting about the sorry state of our industry.)

I understand that completely, thanks anyways for your effort you put in so far!

The file is too small. Append 10MB of binary zeros to the end of the binary to avoid these detections.

PS: I'm not sure if I'm kidding.

Has anyone submitted this to vendors so they don't detect it as a virus? I've recommended this tool be used internally and, whilst some of the detections may be obscure, there are some big hitters detecting it there: Cylance, Cybereason, Palo Alto.

We have reported this project and its binaries to ESET, TrendMicro and Talos Intelligence (Cisco) with a request to stop reporting the files as malware. We are currently waiting for official feedback.

I've had the same problem with most of my golang binaries. FYI: packing binaries with UPX usually increases the false positives.

I've upvoted (aka “increased the community score”) on VirusTotal. It may have a positive effect if enough people do it; I believe that antivirus software vendors get access to VT's data.

We once had a similar issue where ClamAV was flagging Gopass because of the IPstorm malware, which is written in Go and whose detection rules are terrible:
gopasspw/gopass#1807 (comment)

VirusTotal results are getting better...

Yeah it's down to 6 now (just had it rescan).

hillu commented

Two remaining matches as of v0.10. Apparently, some people reporting to vendors did help some.