ttionya/vaultwarden-backup

Backup detected as trojan

SpecialAro opened this issue · 3 comments

Hello,

I just found out about this project and decided to give it a try.

With the available docker-compose I just ran a simple try-out to my google drive but, as soon as I tried to download the file, Windows Defender flagged the file as a trojan.

Just to make sure this was not something on my end, I spined up a new virtual machine in my proxmox setup and tried again - it got flagged as well.

Here are the virus total scans:
https://www.virustotal.com/gui/url/d50bd452a48a43bb8a7d89ac8d8bc1092239672997375b571aeb8c58f294b4f5/detection

Now, I'm not entirely sure if this was caused by this project or by rclone (it is not the first time they get flagged as trojan/virus - but that was on their own .exe), so I'm just posting this here so someone can check this repository.

If it turns out this is something on my end (highly doubt it because, as I said, I tested this in two different setups) I sincerely apologize in advance.

Thank you very much!

Thank you for your feedback, I take security issues very seriously.

I attempted to download the backup file you provided, and Windows Defender also reported it as containing a trojan. However, the zip file only contains a few encrypted tar files and a sqlite3 file, with no executable files present. I'm not sure why it would be flagged as containing a trojan.

You mentioned being able to consistently obtain backup files flagged as trojans on multiple machines. I tried the same on my end without changing any environment variables and without logging into Vaultwarden. After performing the backup and downloading the file, indeed, it was also flagged as a trojan file. I downloaded the file and uploaded it via file upload, and it wasn't detected as a trojan on VirusTotal, which can be confirmed by comparing the body SHA-256 (url, by upload). Therefore, I believe this is a false positive, as I have been using this tool backup files for several years without encountering this issue.

Of course, I welcome code reviews of this tool, it is written in Shell and does not contain any remotely loaded content.

Hello @ttionya, thank you so much for your reply!

I've reviewed the code myself and, indeed, I haven't found any remote loaded content as you stated.

After some more tests I can confirm that this is a false positive for sure. I've done the same test as you and also made sure that the file that is uploaded to the drive is the same that is in the container -> both fingerprints check out.

Thank you very much for your attention regarding this and, of course, thank you for building this tool that will (absolutely) be important to backup my Vaultwarden vaut! 😄

Thank you for your testing and code review.