-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Executables from k3s maybe be incorrectly flagged as malware #9738
Comments
These packages are sourced from |
Thank you for the hint. I have tried to build my own binaries with this repo, but the resulting ipset< binary has the exact same SHA hash. k3s-root seems to use https://github.com/buildroot/buildroot to build the required binaries. |
This is a false positive, for some reason it happens sometimes on the ML-driven VirusTotal scanners. We will ensure they are properly marked as safe, thank you for the heads up! |
It seems the false positives have been cleared: https://www.virustotal.com/gui/file/618d9c1952ecfc13ce4358afec73e9283b7c24f968208656ad6fe2b3c7b3f8ef |
That is the older file version, which was not affected. The current version is still affected: |
@cwayne18 Can you tell me if you already submitted the files as false positive or do I have to do that? |
Our security team has already submitted them, thank you for offering! |
Hello @cwayne18, sorry for asking the same question as @benklett, it's just to be 100% sure I understood correctly. We have a similar report for the Thanks |
@cwayne18 we are also investigating this. You claim that the security team has submitted these as false positives to VirusTotal. Any idea on the timeline here? When will these no longer be flagged? |
Can we keep this issue open till the scanners clear the flag? And, anybody who stumbles upon this issue will have visibility. |
The false positives have been reported. There is no additional work to be done on our side at this time, and no timeline for when these low-quality scanners will address their issues. |
Hey @brandond, many of us have customers who are inquiring into this. So having some visibility on what is happening here would be very helpful. By the way, if I compile these executables (e.g. pigz) from source the scanners don't complain. My assumption is that they don't like something about the way they are being sourced from buildroot. Is there an FAQ/known issues documentation that notes on this could be added to? Open to other ideas. In essence just looking for something I can point customers to: "This is not an issue. Here is why." Thanks. |
Unfortunately we don't have any visibility into these ML-based scanners either. We report issues when they pop up, they go away after a period of time. These vendors have no SLA on their free services, and offer no assistance other than some vague warnings about false positives in their ToS. It seems to happen about once a year or so they decide some random thing (usually busybox) is a virus or hacking tool, and we have to go through it again. Feel free to point your users at this issue for context. |
I have just read, that somehow signing could help with the issue. Would it be possible to always sign the released binaries to not let this happen again? |
Signing the binaries wouldn't likely solve this issue, it's a bit out of our hands at the moment but we have reached out to Virustotal |
Hi there, k3s --version We received a notification from rapid7 about xtables-legacy-multi:
https://www.virustotal.com/gui/file/8cc834717af150b879f9cb9892236fd0fd4695d54bc50fc82a8d31f66a1bfa84 |
Still a false positive. Report it to your AV vendor and get them to fix it. |
We finally got a response from our vendor that confirmed ipset (b52d5de7999a5b5b08ecc0bad539f99263b00bc6129aeb7327ead0e8f8b98bcd) is a false positive. VirusTotal still has non-zero community score, but at least we can move on. |
Environmental Info:
K3s Version:
affected are the channels from v1.23 until v1.29
Node(s) CPU architecture, OS, and Version:
Cluster Configuration:
Describe the bug:
A lot of files in /var/lib/rancher/k3s/data/current/bin/ get flagged by various Antvirus Software, e. g. ipset:
https://www.virustotal.com/gui/file/b52d5de7999a5b5b08ecc0bad539f99263b00bc6129aeb7327ead0e8f8b98bcd
SHA256: b52d5de7999a5b5b08ecc0bad539f99263b00bc6129aeb7327ead0e8f8b98bcd
This is the same sha for every current version in the channels v1.23 until latest.
The ipset file from version v1.22.17+k3s1:
https://www.virustotal.com/gui/file/618d9c1952ecfc13ce4358afec73e9283b7c24f968208656ad6fe2b3c7b3f8ef
SHA256: 618d9c1952ecfc13ce4358afec73e9283b7c24f968208656ad6fe2b3c7b3f8ef
List of files matched by F-Secure:
Steps To Reproduce:
Expected behavior:
No results on virustotal.com
Actual behavior:
Some Hits on virustotal.com
Additional context / logs:
The text was updated successfully, but these errors were encountered: