
Security products flags installer as malware (v0.30) #2359

Closed
dr4lekhine opened this issue May 22, 2022 · 6 comments · Fixed by #2858
Labels
bug Something isn't working community duplicate This issue or pull request already exists

Comments

@dr4lekhine

Hello,

Have you noticed that the latest build (0.30) is flagged as malware by several security/AV products?

0.30 (Windows):
https://www.virustotal.com/gui/file/33e86bbf67936459a50b3cc1713254b6a4cf817ab46b07d49ffe7658edb84349/details (6/63)

[image]

In general, earlier builds seem not to be:
0.29 (Windows): https://www.virustotal.com/gui/file/5208435e4b886e4a2b84eece27e0436948281647d5a0b8b4937756d97be812ee/detection (0/61)
0.28 (Windows): https://www.virustotal.com/gui/file/363fe8954edb1e826d2932d779973293479274a813fd7b5c0dfb67f8732ca9fd/detection (1/61)

Regards.
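A small triage helper for the kind of comparison made above (added example for this thread, not Brim/Zui project code): it pulls the SHA-256 out of a VirusTotal GUI URL so a downloaded installer can be checked against the exact file that was scanned, computes a detection ratio that ignores engines which did not actually scan the file, and lists which engines newly flag one build relative to another. The per-engine reports are constructed samples in the shape of the VirusTotal v3 API field `last_analysis_results` (engine name to `{"category", "result"}`); they are not the real reports for the hashes linked in the issue, and the engine names are placeholders.

```python
"""Compare VirusTotal-style verdicts between two installer builds.

Constructed sample data; assumes the v3 API `last_analysis_results` shape.
"""
import hashlib
import re
from typing import Dict, Optional, Set, Tuple

EngineResults = Dict[str, Dict[str, Optional[str]]]

# Constructed sample reports (illustrative engines and verdicts only).
REPORT_V029: EngineResults = {
    "EngineA": {"category": "undetected", "result": None},
    "EngineB": {"category": "undetected", "result": None},
    "EngineC": {"category": "harmless", "result": None},
    "EngineD": {"category": "type-unsupported", "result": None},
}
REPORT_V030: EngineResults = {
    "EngineA": {"category": "malicious", "result": "Generic.Heuristic"},
    "EngineB": {"category": "suspicious", "result": "PUP.Optional"},
    "EngineC": {"category": "harmless", "result": None},
    "EngineD": {"category": "type-unsupported", "result": None},
}

# Categories that count as a detection.
FLAGGING = {"malicious", "suspicious"}
# Engines that never produced a verdict are excluded from the denominator,
# so a ratio like "6/63" is not diluted by unsupported or timed-out engines.
NOT_SCANNED = {"type-unsupported", "timeout", "confirmed-timeout", "failure"}

_VT_URL_RE = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})")


def sha256_from_vt_url(url: str) -> Optional[str]:
    """Extract the 64-hex SHA-256 from a VirusTotal GUI file URL, or None."""
    m = _VT_URL_RE.search(url)
    return m.group(1).lower() if m else None


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA-256 of the given bytes (e.g. a downloaded installer)."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, vt_url: str) -> bool:
    """True if the local bytes are exactly the file the VirusTotal report describes."""
    expected = sha256_from_vt_url(vt_url)
    return expected is not None and sha256_of_bytes(data) == expected


def detection_ratio(report: EngineResults) -> Tuple[int, int]:
    """(flagging engines, engines that actually scanned the file)."""
    scanned = [r for r in report.values() if r["category"] not in NOT_SCANNED]
    flagged = [r for r in scanned if r["category"] in FLAGGING]
    return len(flagged), len(scanned)


def flagging_engines(report: EngineResults) -> Set[str]:
    """Names of engines whose category counts as a detection."""
    return {name for name, r in report.items() if r["category"] in FLAGGING}


def new_detections(old: EngineResults, new: EngineResults) -> Dict[str, str]:
    """Engines that flag the new build but not the old one, with their verdict label."""
    return {
        name: (new[name]["result"] or "")
        for name in flagging_engines(new) - flagging_engines(old)
    }


if __name__ == "__main__":
    for label, report in (("0.29", REPORT_V029), ("0.30", REPORT_V030)):
        flagged, scanned = detection_ratio(report)
        print(f"{label}: {flagged}/{scanned}")
    for name, verdict in sorted(new_detections(REPORT_V029, REPORT_V030).items()):
        print(f"newly flagged in 0.30: {name} ({verdict})")
```

The newly-flagging engine list is what to carry into a false-positive submission: it narrows the question from "why is the installer flagged" to "what changed between builds for these specific engines", and the hash check guards against comparing a report to a different file than the one actually downloaded.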

@dr4lekhine dr4lekhine added the bug Something isn't working label May 22, 2022
@dr4lekhine dr4lekhine changed the title Security products flag installer as malware (v0.30) Security products flags installer as malware (v0.30) May 22, 2022
@philrz
Contributor

philrz commented May 22, 2022

Hrm. Indeed, I saw Avast on the list of engines that flagged it and I happen to run Avast on my Windows system, so I reproduced the problem successfully.

[image]

I'm not great at interpreting the output of these VirusTotal summaries to understand what about the executable was the cause for concern. For instance, some older versions of Brim were also flagged due to one particular utility that's bundled with the app, but in that case the detail in VirusTotal was sufficient to unpack the problem and write up the details at https://github.com/brimdata/brim/wiki/Troubleshooting#my-antivirus-software-has-flagged-brim-as-potentially-malicious that show why it's almost certainly a false positive. For this one, I'm not sure how one would proceed.

@philrz
Contributor

philrz commented May 22, 2022

I just went ahead and submitted it at https://www.avast.com/false-positive-file-form.php to see if the Avast people might come back with anything more specific to say.

@jameskerr
Member

Dang, this sucks. It's probably, as usual, our bundled zeek and suricata binaries. We updated electron in this release, so that might be reason for the difference since the last release.

@philrz
Contributor

philrz commented May 24, 2022

I did get the following reply from Avast:


Greetings,

Thank you for contacting Avast with your concerns.

Our virus specialists have been working on this problem and detection on this file has been changed to PUP - potentially unwanted.

For future reference you might also find the following articles to be useful:

Ondřej

Avast Customer Care Team


It sure would have been great if they could flag the specific items in their checklists where they believe the app is still in violation, rather than leaving it to us to guess which one(s). I'll reply and ask if they'd be so kind. In the meantime, looking over the list myself, I can see some possible culprits including:

  • Should the software functionality be more clearly described during the installation process?
  • Should there be more explicit mention of Zed, Zeek, Suricata, and Suricata Update as bundled components?
  • I couldn't find any links during installation or in the app to the Privacy Policy even though one exists at https://www.brimdata.io/terms/privacy/
  • I don't know anything about "vendor identifiers", but their point about how this must apply to "every executable" makes me wonder whether all the ones that are shipped get that treatment
  • I'm not sure if their text "Each program must be offered on its own offer/install screen" implies that there'd need to be separate install steps specifically covering the Zeek/Suricata parts, but when I think about it, indeed, other common tools do this (e.g., Wireshark having npcap as a separate install step)

I'd recommend doing your own read through their lists, as I may be overlooking others that apply. These might be worth addressing regardless, since their presence in these lists seems to imply they're a reflection of current good app hygiene.

I'll update with anything further I hear back from Avast.

@philrz
Contributor

philrz commented May 30, 2022

Alas, when I replied and asked Avast to point to Brim's specific violations from their checklist, they did not provide. Their message:


Hello Phil,

Thank you for your reply.

Once the violations of clean guidelines are fixed on the side of the developers they may contact us directly to check it for them again.

Best Regards

Ondřej

Avast Customer Care Team


Therefore, it sounds like the best that could be done is to address as many things from their checklist as possible and then ask again, as they say.

@philrz philrz linked a pull request Oct 26, 2023 that will close this issue
@philrz
Contributor

philrz commented Oct 26, 2023

#2857 tracked a more recent flagging of the Zui installer as malware, and we addressed that with the changes in the linked PR #2858. As discussed in the closing remarks of #2857, the VirusTotal report for the Zui v1.3.1 Windows installer shows "green" status for all the vendors. Therefore I'm closing this issue as a duplicate of #2857.

@philrz philrz closed this as completed Oct 26, 2023
@philrz philrz added duplicate This issue or pull request already exists community labels Oct 26, 2023
3 participants