Virus detected #882
Comments
VirusTotal has always been exceptionally sensitive. Nothing changed in the installer, but my quick and dirty research suggests Trojan.Cometer may be flagged by anything that spawns a hidden window. The installer runs commands to check for existing versions of Node here and here. It also creates the first symlink here. These operations may be inappropriately picked up as "hidden windows". Bottom line: nothing nefarious is happening, and nothing has changed in this file (other than version numbers) in considerable time. I'm not sure if there is anything that can be done about this other than registering an exception with Google/Ikarus.
Thanks for commenting! That's already a lot of information. I wasn't aware that:
I only chimed in to make sure nothing interfered with the packaging process. We're looking forward to using NVM4W at Lombiq really soon! Kind regards!
I'm assuming Lombiq is your company. Companies may be interested in the upcoming Runtime effort I'm working on.
We had also noted this. Out of interest, are the other names picked up for the nvm.exe file simply a function of it getting extracted by the installer with different temporary names? is-SSIDO.tmp The IP address listed again, with only one objection to it from Comodo Valkyrie Verdict, appears to be primarily Microsoft. I'm guessing this could be from where the node versions / shasums are fetched? (Sorry, I've not had too much of a chance to dig into the code.) Thanks for the reminder about Runtime, I'll fill that survey out now.
@DevRCRun - honestly, I have no idea what those temp files are. One thing I did notice is this: it thinks it was compiled with Go 1.15.x when the latest release was compiled with 1.19.0... so something seems off about those temp files. Maybe these tools are pulling an old binary, or maybe the ML complaining of a virus is too sensitive. The only other thing I can think of are the other base files found at https://github.com/coreybutler/nvm-windows/tree/master/bin... but there are only 4 of those and 5 temp files.
If I'm interpreting it correctly, it's saying those file names are actually other names it's seen, either submitted or in the wild, for the same file it's identifying as nvm.exe (i.e. the same hash). If that's the hash as you built it, then as you say DetectItEasy must just be wrong, which does make you wonder what else about the data there could be wrong or jumbled up...
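The comments above hinge on one question: is the file VirusTotal scanned the same artifact the maintainer built, i.e. the same SHA-256? The following is an added example (not part of this thread and not nvm-windows project code) of the check a practitioner would run before trusting or disputing a scan result: hash the downloaded installer, compare it against a `sha256  filename` checksum list (the SHASUMS256.txt layout that nvm-windows fetches for Node releases is assumed here as the format), and build the VirusTotal lookup URL for that exact digest. The installer bytes and the checksum list in `demo()` are constructed stand-ins, not real release data.

```python
import hashlib
import os
import tempfile

# VirusTotal's per-file report page is addressed by the file's hash.
VT_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"


def sha256_bytes(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_shasums(text):
    """Parse 'sha256  filename' lines (sha256sum / SHASUMS256.txt layout) into {filename: digest}.

    A leading '*' on the filename (sha256sum's binary-mode marker) is stripped;
    lines that are not a 64-hex-char digest followed by one name are ignored.
    """
    table = {}
    hexdigits = set("0123456789abcdef")
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= hexdigits:
            table[name] = digest
    return table


def verify_download(path, shasums_text):
    """Return (matches, actual_sha256, expected_sha256_or_None) for one downloaded file."""
    expected = parse_shasums(shasums_text).get(os.path.basename(path))
    actual = sha256_of(path)
    return (expected is not None and actual == expected, actual, expected)


def virustotal_url(sha256):
    """Report URL for the exact artifact you hashed, so you compare like with like."""
    return VT_FILE_URL.format(sha256=sha256.lower())


def demo():
    """Constructed sample (not real release bytes): one intact file and one altered file."""
    intact = b"MZ" + b"\x00" * 62 + b"constructed stand-in for an installer\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "nvm-setup.exe")
        bad = os.path.join(d, "nvm-noinstall.zip")
        with open(good, "wb") as f:
            f.write(intact)
        with open(bad, "wb") as f:
            f.write(intact + b"\x90")  # one extra byte: a different artifact entirely
        # Constructed checksum list claiming both names carry the digest of `intact`.
        digest = sha256_bytes(intact)
        shasums = f"{digest}  nvm-setup.exe\n{digest}  *nvm-noinstall.zip\n"
        for p in (good, bad):
            results[os.path.basename(p)] = verify_download(p, shasums)
    return results


if __name__ == "__main__":
    for name, (ok, actual, expected) in demo().items():
        print(f"{name}: match={ok} actual={actual[:16]}... expected={(expected or '')[:16]}...")
        print("  report for this exact file:", virustotal_url(actual))
```

A matching digest only tells you the scanned file is the released artifact; it says nothing about whether that artifact is benign. A mismatch means the scan verdict you are reading is about some other file, which is exactly the ambiguity the "other names seen for this hash" field raises.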
Not sure if we can only blame the hidden windows of the installer here. The issue may also be Go itself. See https://go.dev/doc/faq#virus and https://groups.google.com/g/golang-nuts/c/lPwiWYaApSU
With alternative forms of the binary (i.e. the temp files), it could just be that some of the antivirus tools are picking up the name from a different installer (whose process may be a little different, like renaming files after downloading them). The antivirus could also be picking up filenames prematurely, i.e. performing a scan partway through the installation. Older versions of Go are sometimes picked up by outdated antivirus platforms. This was prominent in older versions of NVM4W because it was built with older versions of Go. That was 4-5 years ago. At this point, I pretty much chalk it up to the antivirus being incorrect/outdated. Most of the antivirus failures stem from machine learning (i.e. not verified by a human), which isn't perfect. Obviously the goal is for NVM4W to pass all antivirus, but some of the vendors really are just outdated/inaccurate. I think the evidence of this is in the VirusTotal link @DevRCRun posted... because it used to show a problem. Now it shows 100% compliance. Same goes for the link @0liver posted, which now looks like this:
I'm happy this is over 😀 Thanks for keeping us in the loop, @coreybutler!
Issue:
Two virus scanners report a Trojan.Cometer in the latest exe
How To Reproduce:
Download https://github.com/coreybutler/nvm-windows/releases/download/1.1.10/nvm-setup.exe
Upload it to https://www.virustotal.com/
Expected Behavior:
No virus flagged
Additional context:
This might be a false positive, but it does not happen in the https://github.com/coreybutler/nvm-windows/releases/download/1.1.9/nvm-setup.exe version, so this was strange.