ndbeals/winssh-pageant

Flagged by Windows 10 as a trojan.

Suresh-Subedi opened this issue · 6 comments

VirusTotal lists just 3 engines detecting it as malicious.


If I recompile it myself then it drops Cybereason and McAfee, but triggers Cynet instead. Most likely just a false positive.


Thanks for the report and thanks @Xeevis for looking into it already, though you scanned the 64-bit executable whereas this issue is about the 32-bit executable.

I'm basically here to report what Xeevis said though.

I don't know why it's triggering as a trojan under Windows Defender (or as a trojan on any of the VirusTotal scanners). These are false positives. My best guess is some AV heuristic flagging some of the stuff I do with pipes and the Win32 security API, I don't know for certain though.

Here's the VirusTotal scan of the 32-bit v1.1 executable downloaded today from the release page. You can confirm that the exe you have and the one this website scanned are the same by running sha256sum winssh-pageant.exe; the output should be 0ae3f79..., which can be compared against the hash on the VirusTotal page.

And here's a scan of the same v1.1 32-bit program, but built at a different time.

The large discrepancy between the number of threats found on what amounts to a nearly identical executable is evidence that these indeed are false positives. Further evidence of false positives IMO is that the 64-bit executable from the same v1.1 release has only two false positives. FWIW I didn't actually expect many users of the 32-bit version, and don't use it myself.

That all being said, if you are still concerned about these AV reports, compiling the software yourself is very easy with the instructions included in the README, as well as a more in-depth build.ps1.

@ndbeals Thanks for your response and a great tool! It might be worth noting that wsl-ssh-pageant has this exact same issue.
benpye/wsl-ssh-pageant#38

On a side note, it might be beneficial to support reproducible builds so hashes don't change when compiled from the same source, so build artifacts are verifiable to be coming from the given source. To my understanding this should be possible with -trimpath?
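As an added example (not the project's own code, and not posted by any participant in this thread), a POSIX shell script covering the two checks raised above: verifying a downloaded release against the full SHA-256 shown on the VirusTotal page, and building the package twice with -trimpath to test whether the output is reproducible. The file names, the package path, the Go flags beyond -trimpath (-buildvcs=false needs Go 1.18 or later), the GOOS/GOARCH choice and the sample content are assumptions for illustration; the thread itself shows only the prefix 0ae3f79..., so the full 64-hex-digit value must be taken from the VirusTotal page.

```shell
#!/bin/sh
# Added example, not winssh-pageant's own code. Verifies a downloaded
# artifact against an expected SHA-256 and checks that a -trimpath build is
# reproducible. File names, package path, flags and sample data are assumed.

# Print the lowercase hex SHA-256 of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX (case-insensitive), 1 otherwise.
# Insist on the full 64-digit value from the VirusTotal page: a matching
# prefix such as 0ae3f79 says nothing about the rest of the file.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case $expected in
    *[!0-9a-f]*|'') echo "expected hash is not hex: $2" >&2; return 1 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "expected hash must be 64 hex digits" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches $expected"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# reproducible_build_check OUTPUT_NAME [PACKAGE]
# Builds PACKAGE (default: current module) twice with flags that strip
# host-specific data: -trimpath drops local paths, -ldflags=-buildid= clears
# the build ID, -buildvcs=false omits VCS metadata. Returns 0 if both
# binaries hash identically, 1 if not, 2 if no Go toolchain is installed.
# Targets the 32-bit Windows executable discussed in this thread.
reproducible_build_check() {
  out=$1; pkg=${2:-.}
  command -v go >/dev/null 2>&1 || { echo "go toolchain not found; skipping" >&2; return 2; }
  for i in 1 2; do
    GOOS=windows GOARCH=386 CGO_ENABLED=0 go build -trimpath -buildvcs=false \
      -ldflags='-s -w -buildid=' -o "$out.$i" "$pkg" || return 1
  done
  h1=$(sha256_of "$out.1"); h2=$(sha256_of "$out.2")
  if [ "$h1" = "$h2" ]; then
    echo "reproducible: $h1"; return 0
  fi
  echo "NOT reproducible: $h1 vs $h2" >&2; return 1
}

# Demo on a constructed file (not a real release): "hello\n" has a well-known
# SHA-256, so the first check passes and the deliberately wrong hash fails.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_sha256 "$demo_file" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_sha256 "$demo_file" 0000000000000000000000000000000000000000000000000000000000000000 || true
rm -f "$demo_file"
```

For a real release the call is `verify_sha256 winssh-pageant.exe <hash copied from the VirusTotal page>`; for the build check, run `reproducible_build_check winssh-pageant.exe` from a clone of the repository with the same Go version both times, since a different toolchain will legitimately change the hash.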

Thanks for that link, I'm looking into reproducible builds as well.

v1.2 has some false positives on VT too, I voted for it and commented links to this issue and the Golang FAQ.

  1. Could this issue be re-opened, as it is in fact still an issue that people should find easily?
  2. I recommend commenting on future VT detections, so people can easily see that these are false positives.

v1.2 is identical to v1.1, just built as a reproducible build. Could you link where you voted for it and commented the links? thanks.

There's a section in the readme regarding AV false positives (https://github.com/ndbeals/winssh-pageant#antivirus-flagging) that links to this issue as well, so I'm going to leave this closed because IMO, this is resolved.

People are welcome to open new issues to report AV false positives, but I'm not interested in keeping up with the cat-and-mouse game that are AV flags/false positives.