[CI] Check Nim's binaries aren't Virus #17820

Closed
EchoPouet opened this issue Apr 22, 2021 · 50 comments

@EchoPouet
Contributor

Related to this forum post, it will be cool to use VirusTotal API to check this problem during the RC stage.

@ghost

ghost commented Apr 23, 2021

Even if it will be checked - what's the point? It would be really hard to remove detection anyway, the only reliable way is to sign binaries, but that requires getting a paid MS certificate

@EchoPouet
Contributor Author

EchoPouet commented Apr 23, 2021

Not only MS has antivirus software but also macOS and Linux (it's rare but exists), and not everybody develops on Linux.
The community tests the RC version to track issues, but it is never enough to test everything, especially this error.
This verification can just inform us that a number of antivirus programs will reject/remove binaries, so we can decide what to do or not before creating the release.

Anyway, I hope that Windows Defender or Gatekeeper don't decide to blacklist Nim's binaries.

@nc-x
Contributor

nc-x commented Apr 23, 2021

The point is that knowing that some antivirus programs give false positives on the Nim binaries does not help at all to solve this problem.
I have been part of some communities where people had to report false positives for months before the antivirus developers would fix it on their end, but then after some time, for some newer version of the software, this issue would occur again, and you would have to go through everything again.
As Yardanico said, the only way to solve this issue is to sign the binaries, which is costly, and virus scanning on the CI pipeline does not help at all to solve the issue.

@EchoPouet
Contributor Author

Ok, the only solution is to pay a certification company to distribute binaries without antivirus problems.
I find it crazy that you have to pay not to be bothered by antivirus software.

@dom96
Contributor

dom96 commented Apr 23, 2021

Surprised everyone is so opposed to this. Having this check made just before release will not solve the problem, but it can at least warn us and if we know we might be able to make a change to avoid the antivirus programs.

@EchoPouet
Contributor Author

God bless @dom96, I felt a bit lonely 😄

@SolitudeSF
Contributor

AV software is harmful

@ghost

ghost commented Apr 23, 2021

@dom96 how can you possibly "make a change"? AVs won't tell you a thing about why they decided that a particular .exe is a virus or not. Are you going to comment random lines of code until the AV doesn't detect it anymore?

No one is "opposed" to the idea of solving the AV problem, but people are not supporting the idea discussed in this issue - even if we know that it is there, there's no way to know why it was detected.

@dom96
Contributor

dom96 commented Apr 24, 2021

@dom96 how can you possibly "make a change"? AVs won't tell you a thing about why they decided that a particular .exe is a virus or not. Are you going to comment random lines of code until the AV doesn't detect it anymore?

No, I would run a bisect. This should be especially easy when creating new patch releases since the number of changes is really small. If you find the commit that caused the problem then you have a pretty good chance of mitigating it.

No one is "opposed" to the idea of solving the AV problem, but people are not supporting the idea discussed in this issue - even if we know that it is there, there's no way to know why it was detected.

I never said the downvoters were "opposed to the idea of solving the AV problem". Your use of quotes here feels like an implication that I did, so I just want to be clear: I was describing the opposition to the idea in this issue.

But anyway, I don't have super strong feelings here, but I don't think this issue/idea deserves so many downvotes :)

@m33m33

m33m33 commented May 1, 2021

Note: it is not only about the compiler's binaries and tools like nimble.

User-generated binaries get flagged too, I tested this.

So it's not a matter of only saving Nim.exe, but producing binaries that don't get immediately deleted or quarantined by the antivirus real time protection.

I assure you that in some corporate environments it triggers a security process that just doesn't stop with a simple warning. Plus it's a show stopper for the developer.

@m33m33

m33m33 commented May 2, 2021

(...) the only reliable way is to sign binaries, but that requires getting a paid MS certificate

Unfortunately, it's not. I've tested that with a "hello world" snippet and these test cases:

Built with Visual Studio Code 2019 Community Edition:

  • unsigned: flagged by 11 AVs on VirusTotal (including major AV vendors)
  • self-signed: 7 false positives
  • signed with a fully valid cert from Codegic: gives 5 false positives (with obscure/unknown AV vendors only)

@m33m33

m33m33 commented May 2, 2021

It may help to write down how modern antivirus works, in a simplified form, just as a note to help define a strategy here.

Link to antivirus ether pad table (remove /form to edit)

@PMunch
Contributor

PMunch commented May 3, 2021

No, I would run a bisect. This should be especially easy when creating new patch releases since the number of changes is really small. If you find the commit that caused the problem then you have a pretty good chance of mitigating it.

The problem with bisect in this case is that it's not necessarily one commit that creates the virus mis-detect. It could very well be that one commit introduces it, then another modifies it so it disappears, and later another re-introduces it, which would confuse bisect a lot. Might be worth a try though, but I don't think this would be something we should rely on. But it's worrying that Nim binaries have now started being flagged by AV software, probably led by the fact that it has been used quite a bit for writing malware lately.

@dom96
Contributor

dom96 commented May 3, 2021

@PMunch yes, there is always that risk. No solution is perfect, although for this case you would have seen this start occurring as soon as gcc was bumped up, so for this instance it would have worked just fine.

In any case, this feels like a technicality to me. The point is: there is something we can do if we detect it early enough.

@m33m33

m33m33 commented May 3, 2021

In any case, this feels like a technicality to me. The point is: there is something we can do if we detect it early enough.

The something would be not to push a new release for Windows if it gets flagged by major AV vendors. Hold on to the previous version until it is sorted out.
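An added release gate in the spirit of the VirusTotal check proposed at the top of this issue and the hold-the-release policy just above; it is example code, not code from the Nim project or from nim-lang/virus_checker. It assumes VirusTotal API v3's /files and /analyses endpoints, an API key in the VT_API_KEY environment variable, that the vendor names used match the engine keys VirusTotal reports, and a constructed sample response for the offline run.

```python
"""Release gate: upload an artifact to VirusTotal (API v3), wait for the analysis, and
hold the release when a major vendor or too many engines flag it (added example)."""
import json
import os
import time
import urllib.request
import uuid

VT_API = "https://www.virustotal.com/api/v3"
# Assumption: vendors this thread names as flagging Nim binaries, under the engine
# keys VirusTotal reports them with. One hit from any of these holds the release.
MAJOR_ENGINES = {"Sophos", "Microsoft", "F-Secure", "McAfee", "Avira"}
MAX_TOTAL_HITS = 3  # assumed tolerance for noise from obscure engines

def evaluate(analysis, major=MAJOR_ENGINES, max_hits=MAX_TOTAL_HITS):
    """Return (ok, reasons) from a completed /analyses/{id} response; the
    "malicious" and "suspicious" categories in 'results' count as hits."""
    results = analysis["data"]["attributes"]["results"]
    hits = {eng: (r.get("result") or r["category"])
            for eng, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}
    reasons = [f"major engine {eng} flagged it as {hits[eng]}"
               for eng in sorted(hits) if eng in major]
    if len(hits) > max_hits:
        reasons.append(f"{len(hits)} engines flagged it (limit {max_hits})")
    return (not reasons), reasons

def _request(method, url, body=None, extra_headers=None):
    headers = {"x-apikey": os.environ["VT_API_KEY"], **(extra_headers or {})}
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)

def upload(path):
    """POST the file as multipart/form-data and return the analysis id.
    Files over 32 MB need the /files/upload_url endpoint instead (not shown)."""
    boundary = uuid.uuid4().hex
    with open(path, "rb") as fh:
        data = fh.read()
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{os.path.basename(path)}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    body = head + data + f"\r\n--{boundary}--\r\n".encode()
    resp = _request("POST", f"{VT_API}/files", body,
                    {"Content-Type": f"multipart/form-data; boundary={boundary}"})
    return resp["data"]["id"]

def wait_for_analysis(analysis_id, poll=20, timeout=900):
    """Poll /analyses/{id} until VirusTotal reports the scan completed."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        analysis = _request("GET", f"{VT_API}/analyses/{analysis_id}")
        if analysis["data"]["attributes"]["status"] == "completed":
            return analysis
        time.sleep(poll)
    raise TimeoutError("VirusTotal analysis did not complete in time")

def gate(path):
    """Full CI step for a real artifact, e.g. gate("nim-<version>_x64.zip")."""
    return evaluate(wait_for_analysis(upload(path)))

# Constructed sample shaped like a completed analysis: one major vendor and one
# obscure engine flag the file, two do not -> (False, [one Sophos reason]).
SAMPLE_ANALYSIS = {"data": {"attributes": {"status": "completed", "results": {
    "Sophos": {"category": "malicious", "result": "Constructed/Detection-A"},
    "Microsoft": {"category": "undetected", "result": None},
    "ObscureAV": {"category": "suspicious", "result": None},
    "ClamAV": {"category": "undetected", "result": None},
}}}}
```

In CI, a non-empty `reasons` list is the signal to hold the Windows release and to submit the artifact to the flagging vendors' false-positive forms listed further down this thread.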

@dom96
Contributor

dom96 commented May 3, 2021

@m33m33 sure, that's one option. It would slow us down a lot, but if we can't figure out why av vendors are marking our binary as suspicious then we might want to spend time challenging them.

@m33m33

m33m33 commented May 4, 2021

Look at my previous message to get a hint about how binaries get flagged.

If you are willing to spend some time to ask av vendors, challenge them by sending support requests, uploading false positive samples you may be disappointed. I tried that (not for Nim) already, but results may vary I suppose.

Here are the major AV vendors currently flagging Nim binaries, and the dedicated contact for such issues:

Sophos
https://support.sophos.com/support/s/filesubmission?language=en_US

Microsoft
https://www.microsoft.com/en-us/wdsi/filesubmission

F-Secure
https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

McAfee:
To: [email protected]
Subject: FALSE: file detected by McAfee.
Email body text:
Could you please check the attached file, as I think it is a false detection. Here are my product details:

Avira:
If you believe that your Avira product is reporting a detection in a file that is most likely "clean", send the relevant file packed (WinZIP, PKZip, Arj, etc.) as an email attachment to the following address:
[email protected]

@Dankr4d
Contributor

Dankr4d commented May 4, 2021

Note: it is not only about the compiler's binaries and tools like nimble.

User-generated binaries get flagged too, I tested this.

With the latest version of my project (https://github.com/Dankr4d/BF2142Unlocker) I'm also getting many false positives:
https://www.virustotal.com/gui/file/cd60bcaa9382e669b3e9f08fa05861966a84ba335efca0a8fa2d8982612de61b/detection
Also Windows Defender (Windows 10) removed my binary immediately after I downloaded it.

The false positive is in my launcher which calls execCmd. I replaced the function call with startProcess which solved the issue at first. But this maybe will work only a short time period.

This code caused false positives:

  import os
  import osproc

  setCurrentDir(getCurrentDir() / "bin")
  discard execCmd("cmd /c BF2142Unlocker.exe")

@sigzero

sigzero commented May 25, 2021

Downloaded 1.4.8 and Sophos is still flagging nimble.exe as a virus.

sophos flags nimble

@ringabout
Member

Compiling a random program with the latest Nim on Windows:

import std/[random,sets]

let size = 1000
var vals = newSeq[Rand](size) 
for i in 0..<size: vals[i] = initRand() # only now, check for uniqueness
proc isUnique[T](a: openArray[T]): bool =
  var s: HashSet[T]
  for i in a:
    if i notin s:
      s.incl(i)
    else:
      result = false
      return
  result = true
  
doAssert isUnique(vals)

Reported by kaspersky
vho:Trojan.win32.Pincav.gen

@sdmcallister

In my work environment many of the supporting binaries (nimble.exe, nimsuggest, testament, and others) since 1.4.6 have been flagged. I've worked with IT security over the past couple weeks but ultimately things aren't getting resolved. This is basically a deal breaker for me at work anyways.

@EchoPouet
Contributor Author

A free signing-key service for open-source projects is coming: sigstore.

@chenzhekl

This is still a thing with Nim 1.4.8 under Windows 11 with the built-in virus protection system. I know this may be related to the increasing amount of malware written in Nim. But we really need to find a way to work around it.

@sigzero

sigzero commented Sep 30, 2021

I just tried the nightly version of 1.5.1 (Windows 64bit). No viruses flagged.

@dom96
Contributor

dom96 commented Sep 30, 2021

and yet RC2 gets flagged: https://forum.nim-lang.org/t/8466#54728

@metagn
Collaborator

metagn commented Jan 21, 2022

So weird. Nim is the only language I have this issue with. And why is 1.5.1 good but 1.6.0 RC2 bad? Makes no sense.

I'm guessing antiviruses are detecting harmless similarities between malware written in Nim and any Nim program and flagging them. If Nim itself was generating unknowingly malicious code then there would be more detections, but it makes sense if it's based on sample data. It also explains why it's hard for antiviruses to whitelist all Nim programs.

Random compilation options like changing the GC, turning off stacktraces etc. should help for now.

@PMunch
Contributor

PMunch commented Jan 22, 2022

Look at my previous message to get a hint about how binaries get flagged.

If you are willing to spend some time to ask av vendors, challenge them by sending support requests, uploading false positive samples you may be disappointed. I tried that (not for Nim) already, but results may vary I suppose.

Here are the major AV vendors currently flagging Nim binaries, and the dedicated contact for such issues:

Sophos https://support.sophos.com/support/s/filesubmission?language=en_US

Microsoft https://www.microsoft.com/en-us/wdsi/filesubmission

F-Secure https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

McAfee: To: [email protected] Subject: FALSE: file detected by McAfee. Email body text: Could you please check the attached file, as I think it is a false detection. Here are my product details:

Avira: If you believe that your Avira product is reporting a detection in a file that is most likely "clean", send the relevant file packed (WinZIP, PKZip, Arj, etc.) as an email attachment to the following address: [email protected]

Could the CI be set up to auto-send the binaries to these places? The issue, as far as I understand, is that Nim has gotten some popularity in the malware writing space. This means that antivirus vendors get samples from that malware, and then fingerprint them. Unfortunately they don't have enough non-virus binaries, so the fingerprint gets too broad and therefore catches Nim itself as well. If we uploaded the Nim compiler binaries (along with nimble and the other tools) to these vendors then the fingerprint should improve its specificity and we would avoid these false positives.

@sambeckingham-awaze

sambeckingham-awaze commented Feb 23, 2022

I'm getting one of these errors also when trying to install stable 1.6.4 via choosenim. It installed devel 1.7.1 fine.

choosenim update stable
   Updating stable
Downloading Nim 1.6.4 from nim-lang.org
[##################################################] 100.0% 0kb/s
 Extracting nim-1.6.4_x64.zip
       Tip: 5 messages have been suppressed, use --verbose to show them.
     Error: Unable to extract. Error was 'cannot open: <redacted>\.choosenim\downloads\nim-1.6.4_x64.zip'.

And I receive this from Windows Defender:
[image]

If steps can be taken to try and mitigate false positives, they're probably worth taking. As people mentioned above, if something like that appears on your work PC, depending on your work environment, it can become a huge ordeal.

Also, one day it might not be a false positive and then that would be really unfortunate 😂

@hassandraga

Same issue with Chrome 101.0.4951.54 and nim-1.6.6_x64.zip

@quantimnot
Contributor

I tried to reproduce the above malware warnings for the download links with Firefox and Chrome on my macOS system, but neither gave me a warning even though I had their malware checking feature enabled.

I tested the downloads from nim-lang.org with Windows Defender in a workflow. Here is the config file for it. It can be easily converted into a workflow that tests the binaries. I'd be happy to make a PR for it if it's desired.

https://github.com/quantimnot/nim_windows_defender/blob/master/.github/workflows/windows_defender.yml

@jonasnordlund

jonasnordlund commented Aug 7, 2022

I can’t download the latest version of Nim for Windows (nim-1.6.6_x64.zip) with Microsoft Edge and I’m not sure what to do. :( Edge simply says the zip is infected with a virus. This looks like a very serious problem to me when you can’t download the install with the default browser.

@quantimnot
Contributor

@jonasnordlund

That is frustrating.

  1. Are you using any extensions that scan for malware, or is this coming directly from Edge?
  2. Does it give the same message if you turn off 'Microsoft Defender SmartScreen' in the settings?
  3. What OS are you using?

I don't have Windows installed locally. I just now downloaded and installed Edge on my macOS machine, but I get no message when downloading the dist files for Windows (maybe because I'm not using Windows??).

@ringabout
Member

ringabout commented Aug 8, 2022

Hello, @quantimnot, thanks to your script, I created https://github.com/nim-lang/virus_checker as a start for checking Nim's binaries in CI. It fetches the latest prebuilt binaries from nightlies and triggers on push and a cron. Are you interested in maintaining it with us?

I think some progressive solutions are needed:

Anyone interested, please help us.

@ringabout
Member

ringabout commented Aug 8, 2022

There has been a virus checker here => https://github.com/nim-lang/virus_checker I'm closing this issue. Open an issue there or contribute to it, please.

@quantimnot
Contributor

@ringabout Yeah, I'll help maintain it. I'm currently working on a set of composable GitHub actions and malware scanning using a variety of tools is on the list.

@ringabout
Member

ringabout commented Aug 8, 2022

@quantimnot Thanks a lot!

Would you mind having access to the repo by the invitation I sent?

@jonasnordlund

jonasnordlund commented Aug 8, 2022

@jonasnordlund

That is frustrating.

  1. Are you using any extensions that scan for malware, or is this coming directly from Edge?
  2. Does it give the same message if you turn off 'Microsoft Defender SmartScreen' in the settings?
  3. What OS are you using?

I don’t have Windows installed locally. I just now downloaded and installed Edge on my macOS machine, but I get no message when downloading the dist files for Windows (maybe because I’m not using Windows??).

  1. No, this is Edge’s own system, localized in Swedish here but simply saying “Could not download - Virus detected”. There is no more information upon hovering on the text and I can’t get to any further details by clicking on that item.

[image]

  2. Unfortunately this didn’t help. I also tried restarting Edge before attempting another download.
  3. Windows 11 Version 22H2 build 22622.450 (Beta Channel)

My last Microsoft Defender definition update is from August 8:
Microsoft Defender Antivirus - KB2267602 (version 1.371.1648.0)

Update: Apparently I could find a little more on this from within Microsoft Defender: it’s detected as virus Program:Win32/Uwamson.A!ml and from within this application, I think I can choose “Allow” and maybe get going unless it detects further binaries as infected. VirusTotal reports the zip as fine across all scanners so the false positive sounds very localized to Microsoft Defender. Unfortunately it’s installed and activated by default on Windows.

Update 2: So this is the same false positive virus as in issue #19340 from January 7, 2022 and in a post from June 2021 in this thread: https://forum.nim-lang.org/t/8008. One will maybe need to get in touch with Microsoft for this one. I can also choose to Allow in Defender and see. Since it’s Defender related, regardless if I use Firefox, Chrome or Edge, it’ll be deleted right away upon download for as long as my antivirus is enabled.

@ringabout
Member

Update:

check https://github.com/nim-lang/virus_checker

It supports:

  • scanning nightly releases using Windows Defender
  • uploading nightly releases to VirusTotal

@ringabout
Member

ringabout commented Aug 10, 2022

Anyway, the Nim team has done its best; the blame is all on the antivirus vendors.

@enthus1ast
Contributor

Maybe the CI could also automatically report new releases to the antivirus vendors that flagged the release.

@jonasnordlund

I’m aware this bug is closed but just reporting in that this zip could be downloaded here now! 🎉

And all exe files within seem to be fine, as Defender ought to have scanned them all during extraction.

@dom96
Contributor

dom96 commented Aug 13, 2022

Which zip? Did it use to get flagged, or is it a new zip? Sometimes new zips take a while before Defender decides to flag them.

@jonasnordlund

Which zip? Did it use to get flagged, or is it a new zip? Sometimes new zips take a while before Defender decides to flag them.

The zip here: #17820 (comment)

It didn’t work between six days ago or earlier and yesterday. Unless the Nim team replaced the zip with a new one despite the same version of Nim, the AV definition must have been updated on my side.

@the-real-grinny

I can verify this is still an issue on Nim 1.6.10 binaries, on the 22621.1105 Build of Windows 11.

Zip file gets autoblocked by Windows Defender and makes a note in the Security page.

Still shows up as Trojan:AndroidOS/Multiverze.

The SHA256 of the ZIP I'm using is 826ca93a6ec7270c0d5395723b0e1e213d0286feecea5be6bd5bb8362ff4866f

@ringabout
Member

Use 2.0rc for testing purposes, please.

@blueglyph

blueglyph commented Feb 18, 2023

I can't seem to be able to install Nim 1.6.10 binaries either.
Windows 10 Home Edition, version 21H2, default Microsoft Defender

I haven't found any 2.0rc binary for Windows, where should I look?

I have tried with nim-1.9.1-windows_x64.zip, but it's the same outcome (it's branch 2-0 but the version seems to be 1.9?).
I have tried with the latest build (branch devel), windows_x64.zip, but it's the same outcome.

This seems to solve the issue, at least temporarily:

  • open Windows Security
  • Settings (bottom right corner)
  • Protection history
  • open the relevant threat item (confirm admin access if necessary)
  • Action / Restore
  • check the SHA256 after the file is restored or downloaded again

I could then unzip the archive and strangely, if I scan the archive or the unzipped content, I get "0 threats found". Downloading the other versions again was not a problem anymore.

I reported that to MS but I doubt I'll ever get any feedback.

@mratsim
Collaborator

mratsim commented Jun 2, 2023

Adding this here because finding fixes related to the virus scanner is hard.

Nimble using an old download API: #19767

@Toma400

Toma400 commented Aug 11, 2023

Weirdly, I haven't had any of those issues until today, when I tried to make a very simple file copier... It works fine when I build the binary with the CLI, but trying to get it automatic/temp-binary-only via a PyCharm action is unfortunately marking this software as a trojan.
Using 1.6.12 / Windows 10 in my case, and it's Windows Defender giving me false positives (or at least I hope so).

@tinygiant98

tinygiant98 commented Jan 2, 2024

Got this installation blocker when trying to install 2.0.2. Flagged files were nimgrab.exe for Trojan:Win32/Wacatac.B!ml, finish.exe for Program:Win32/Wacapew.C!ml and nim-2.0.2_x64.zip_temp for Trojan:Script/Wacatac.B!ml.
