Trojan Detected

Question

Trojan Detected

Thesupergrass opened this issue 4 years ago · 8 comments

This is what I got when I ran the installer. Good thing i'm not an idiot & I ran it in a virtual which I deleted immediately.

Answer 1 · 2020-02-09T06:05:36.000Z

That was a false positive. The Tunic source code is verifiably not malware.

I did some testing with virustotal.com, and I believe the PS2EXE tool I use from Microsoft's NuGet repo is being falsely detected as malware. I use it to package tunic.ps1 as an executable. I suppose it's possible PS2EXE contains malware, but that would be very surprising given its wide use. I will quickly change how I package tunic to avoid this false detection.

You can verify Tunic isn't malware by downloading source and scanning tunic.ps1 and files directory.

I put a lot of effort into this as a service to the community. This sucks.

Further verificication

It's straightforward, but time consuming, to verify nothing bad is happening, although you'd need to understand powershell well. Some of these steps require a Windows 10 VM.

Look at the source and see what it does and see that it's safe. Only tunic.ps1 and file/* are packaged into tunic.exe. tunic.ps1 is where all the logic is.
Install 7zip https://www.7-zip.org/download.html
In powershell, download tunic.exe, extract files, and run dir. (The .exe is a self extracting .7z file.)

$url='https://github.com/mikeslattery/tunic/releases/download/0.2.1/tunic.exe'
(New-Object System.Net.WebClient).DownloadFile($url, 'tunic.exe')
7z x tunic.exe
dir

Will return something like this. You can compare the extracted files with the files on github to see they weren't tampered with.

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/8/2020   8:37 PM                files
------         2/6/2020   7:50 PM          41111 tunic.ps1
------         2/6/2020   8:02 PM         139264 tunic-script.exe

PS2EXE was used to create tunic-script.exe from tunic.ps1. Let's reverse it and verify.

.\tunic-script -extract tunic2.ps1
cmd /c fc tunic.ps1 tunic.ps2

The diff output verifies they are identical (except for some whitespace at the end of the files) and so tunic-script.exe wasn't tampered with.

Comparing files .\tunic.ps1 and .\tunic2.ps1
***** .\tunic.ps1

***** .\tunic2.ps1
*****

Or to to further check, let's rebuild tunic-script.exe:

install-packageprovider -name nuget -force
Install-Module -force -confirm:$false ps2exe
iinvoke-ps2exe -inputfile tunic.ps1 -outputfile tunic-script2.exe -title Tunic -credentialsGui -requireadmin -noconsole -nooutput -noerror
dir tunic-script*

The dir will return something like this. Notice the identical size of tunic-script.exe and tunic-script2.exe (but this verification could fail if the p2exe download differs from the one I'm using).

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
------         2/6/2020   8:02 PM         139264 tunic-script.exe
------         2/8/2020   8:42 PM         139264 tunic-script2.exe

Even given all that, I will need to put a disclaimer in the readme that programs like tunic, that modify your bootloader, often get falsely detected. That likely wasn't the case here, but it may be in the future.

Answer 2 · 2020-02-09T14:53:54.000Z

Thanks for the response, I just tried again to follow your steps & I've updated a fresh Win 10 install, this is the 1st exe I've attempted on this install & I can't even run it as it is immediately deleted due to virus detection.. This is less that I was able to do previously as it at least told me what virus it was and asked what I wanted to do (Remove, Quarantine etc).. Watch my screen recording..

https://gofile.io/?c=sKtbCX

Answer 3 · 2020-02-09T16:07:36.000Z

Tried saving the file instead, same thing, instantly deleted due to virus.. Nobody in their right mind is going to disable their virus protection in order to install a program.. I think you have a roadblock on your hands.

Answer 4 · 2020-02-09T16:39:17.000Z

One more thing I remembered.. The 1st time yesterday where I got to remove the virus & keep Tunic installed, when I opened it, it had nothing in the dropdown for distros, the dropdown was completely empty.

Answer 5 · 2020-02-09T23:15:38.000Z

Please check again with latest release. I'm only about 50% sure this will fix your particular issue.
https://github.com/mikeslattery/tunic/releases/tag/0.2.2

Answer 6 · 2020-02-09T23:52:11.000Z

I made significant change to how Tunic is packaged. I'm now using NSIS. See tunic.nsi and build.ps1 in the develop branch.
This means that ps2exe and 7zip's auto-expander are now no longer part of tunic.exe. These are tools often used by "script kiddies" which is probably why it was flagged.

Answer 7 · 2020-02-10T16:57:08.000Z

Downloaded without issue, no windows defender instant removal.. Just the regular protection due to unknown app & publisher which is normal..

Ill leave it at that till I get the chance to test your program out later tonight. Thanks for the swift solving of the issue.

Answer 8 · 2020-02-10T20:49:46.000Z

Nice! Thank you for the repeated testing. I'll closet this ticket.
Feel free to ask me to re-open it if you (or anyone else) think this is still an issue.