At least one of the executable files is sometimes flagged as malicious
Closed this issue · 12 comments
After running GoReleaser to build the executable files and upload them for release v0.0.5, I downloaded email-linter_Windows_x86_64.zip, unzipped it, and tried to run it. I got a Windows Defender SmartScreen warning, so I clicked "More info" and then "Run anyway". The application worked perfectly, but immediately afterwards, Windows Defender said it had detected a threat and quarantined the executable.
I restored the file from quarantine and uploaded it to VirusTotal. 4 out of 69 security vendors flagged it as malicious. Here are the scan results.
The SmartScreen warning didn't surprise me at all. That seems to show up for every new application that hasn't gone through an expensive process of getting a license from Microsoft. I plan on submitting the application to Microsoft's malware analysis site as "incorrectly detected as malware/malicious" to try to prevent the SmartScreen warning.
However, I've never seen Defender or other security vendors on VirusTotal be sure my software was malicious before. Hopefully Microsoft's malware analysis site will at least bring the 4 down to a 3. I will look into this topic more; maybe there is something not super expensive I can do that would make my software look more like what it is.
I uploaded to VirusTotal the executable that was built locally and had never been downloaded from the web. This is the executable I have been running without any issues or warnings while developing. Two of the security vendors on VirusTotal flagged the app as malicious: Bkav Pro and Jiangmin. Here are the details of the scan.
Microsoft Security Intelligence responded to my submission to their malware analysis site:
Analyst comments:
The warning you experienced indicates that submitted file(s) did not have dedicated determination in our system. We can confirm that the files submitted are now determined as clean and attempting to download or run the application should no longer show any warnings.
Due to the complexity of our backend systems, it may take up to 12 hours for the determination to be fully reflected and for the SmartScreen warnings to stop.
Success! I downloaded a new copy of email-linter_Windows_x86_64.zip (v0.0.5 as before), unzipped it, ran it, and didn't get any security warnings. Then I checked the app's status on VirusTotal and sure enough, Microsoft no longer flags the app as malicious (however, the other three that did before still do). I haven't yet looked into whether this progress will somehow also apply to future versions of the app.
A pleasant surprise. I released email-linter v0.0.6, downloaded from GitHub the v0.0.6 copy of email-linter_Windows_x86_64.zip, unzipped it, ran it, and still didn't get any security warnings even though it's a different binary than before.
I uploaded this file to VirusTotal and only two security vendors flagged the file as malicious: CrowdStrike Falcon and Jiangmin. You can see the scan results at VirusTotal and in the screenshot below.
Edit: CrowdStrike Falcon no longer says the file is malicious.
I went through all the same steps as in the previous post including downloading and running it locally, but this time with email-linter_Windows_i386.zip (v0.0.6). Almost all results were the same except one less of the security vendors on VirusTotal thinks it's malicious. Here are the scan results.
I cannot run email-linter_Windows_arm64.zip locally.
(I haven't yet learned how to put my name as the publisher there.)
However, none of the security vendors on VirusTotal flagged the executable as malicious. (Scan results.)
Since email-linter is more of a proof-of-concept for something email service providers could be doing to improve security, going through the signing process does not seem worth the time and effort it would take, even if I only self-sign. Completely fixing what's covered in this issue would probably require signing not just the checksum file, but the binaries themselves, which is apparently very complicated to set up. I might change my mind about this in the future though, and I'm open to discussion about this.
I'll close this issue for now, but if anyone can't run email-linter because of their antivirus, please let me know! Maybe I could resubmit to Microsoft's malware analysis site or submit to some other similar site to fix it.
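The closing comment weighs signing only the checksum file against signing the binaries themselves. The consumer-side half of that, checking a downloaded release archive against the release's checksums file, is shown here as an added example; it is not code from the email-linter project or from GoReleaser. It assumes the sha256sum-compatible layout GoReleaser writes by default, `<hex sha256>  <filename>` with two spaces, one line per artifact; the file names and contents used in the demo are constructed.

```python
"""Verify a downloaded GoReleaser release archive against its checksums file.

Added example, not part of the email-linter project. Assumes the checksum file
uses the sha256sum-compatible layout GoReleaser emits by default:
"<hex sha256>  <filename>" (two spaces), one entry per artifact.
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def parse_checksums(text: str) -> dict[str, str]:
    """Map artifact filename -> expected lowercase sha256 hex digest."""
    expected: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first whitespace run: digest first, filename after.
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed checksum entry on line {lineno}: {raw!r}")
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'; drop it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(archive: Path, checksums_text: str) -> bool:
    """True if the archive's digest matches the checksum file's entry for its name.

    Raises KeyError when the checksum file has no entry for this artifact, so a
    missing line is never silently treated as a pass.
    """
    expected = parse_checksums(checksums_text)
    if archive.name not in expected:
        raise KeyError(f"no checksum entry for {archive.name}")
    return hmac.compare_digest(sha256_of_file(archive), expected[archive.name])


def demo() -> tuple[bool, bool]:
    """Constructed round trip: an intact archive verifies, a modified one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed placeholder; a real release would be the downloaded zip.
        archive = d / "email-linter_Windows_x86_64.zip"
        archive.write_bytes(b"constructed placeholder archive, not a real build\n")
        checksums = f"{sha256_of_file(archive)}  {archive.name}\n"
        intact_ok = verify_artifact(archive, checksums)
        # Simulate the archive being altered after the checksum file was published.
        archive.write_bytes(b"constructed placeholder archive, TAMPERED\n")
        tampered_ok = verify_artifact(archive, checksums)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

A match only shows the archive is the one the checksum file describes; if both files were fetched from the same release page, a checksum alone cannot tell a user whether that page's contents were replaced. That is the gap a signature over the checksum file closes, which is why the comment above frames signing the checksum file as the cheaper middle step before signing each binary.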