Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

anti virus triggering. #1302

Open
5 tasks done
SamHoque opened this issue Dec 24, 2024 · 14 comments
Open
5 tasks done

anti virus triggering. #1302

SamHoque opened this issue Dec 24, 2024 · 14 comments
Labels
bug Something isn't working

Comments

@SamHoque
Copy link

Describe the bug

When running the build command, I am getting an anti virus alert on the manifest.json file.

image

Reproduction

run build

Steps to reproduce

No response

System Info

System:
    OS: Windows 11 10.0.22631
    CPU: (24) x64 12th Gen Intel(R) Core(TM) i9-12900K
    Memory: 10.93 GB / 31.79 GB
  Binaries:
    Node: 18.20.2 - C:\Program Files\nodejs\node.EXE
    npm: 10.5.0 - C:\Program Files\nodejs\npm.CMD
    pnpm: 9.12.2 - C:\Program Files\nodejs\pnpm.CMD
    bun: 1.1.42 - ~\.bun\bin\bun.EXE
  Browsers:
    Edge: Chromium (124.0.2478.80)
    Internet Explorer: 11.0.22621.3527
  npmPackages:
    wxt: ^0.19.19 => 0.19.19

Used Package Manager

bun

Validations

@SamHoque SamHoque added the pending-triage Someone (usually a maintainer) needs to look into this to see if it's a bug label Dec 24, 2024
@aklinker1
Copy link
Collaborator

aklinker1 commented Dec 24, 2024

Link for reference: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:JS/FakeBardExt.B

Woah, thanks for reporting, that's not good... Unfamiliar with these window defender alerts, and the Microsoft doc sucks, doesn't tell us anything.

I don't have Windows, so could you do some testing for me?

  • Does it only happen for v0.19.19 of WXT? What about the latest version, v0.19.22? What about an older version, like v0.17.12?
  • What about a different package manager, does it happen with NPM?
  • Does this happen during the build, or afterwards at some point, like when trying to load the file into a browser?
  • Can you share the file's contents?

@aklinker1 aklinker1 added bug Something isn't working and removed pending-triage Someone (usually a maintainer) needs to look into this to see if it's a bug labels Dec 24, 2024
@SamHoque
Copy link
Author

  1. Same issue with Wxt v.0.19.22
  2. I don't think its an npm package manager issue, since I am using the template https://github.com/mefengl/wxt-starter, and that doesn't seem to trigger anti virus
    , something to do with my changes from the config, I'll further investigate this.
  3. Only happens during build, dev runs fine. (happens right after build is finished)
  4. manifest.json

@SamHoque
Copy link
Author

SamHoque commented Dec 24, 2024

additional note. I am trying to migrate my extension from plasmo to wxt, and I didn't have any anti virus issues with plasmo.

edit:

same virus issue with pnpm and npm

@SamHoque
Copy link
Author

I was able to replicate the virus on a new repo, I have published it under. https://github.com/SamHoque/wxt-virus-demo

@SamHoque
Copy link
Author

  1. Same issue with Wxt v.0.19.22
  2. I don't think its an npm package manager issue, since I am using the template https://github.com/mefengl/wxt-starter, and that doesn't seem to trigger anti virus
    , something to do with my changes from the config, I'll further investigate this.
  3. Only happens during build, dev runs fine. (happens right after build is finished)
  4. manifest.json

downloading the manifest file from this, also triggers my anti virus

image

it has something to do with the generated manifest.

@SamHoque
Copy link
Author

Removing either the content, background or sidepanel fixes the bug, but having all 3 causing the bug, I am guessing microsoft is checking for a pattern, maybe the order in how the json is formatted with all 3 of these entry points set.

@SamHoque
Copy link
Author

my theory was correct, this is the same file, with just fields in a different order

https://www.virustotal.com/gui/file-analysis/ZTQ3MjVkODFiMmRmMDI3MWJhNGIyYjY2NzA3NDhjMmE6MTczNTA3OTI2Nw==

@aklinker1
Copy link
Collaborator

So is it a file hash they're checking? Does your manifest just happen to have the same MD5 or something as a known virus?

@SamHoque
Copy link
Author

So is it a file hash they're checking? Does your manifest just happen to have the same MD5 or something as a known virus?

I don't think its a file hash, since unminfied version also gets flagged, I am guessing its the json object order.

@SamHoque
Copy link
Author

however, I am rearranging it now, and still seem to be getting virus alerts, very weird.

@SamHoque
Copy link
Author

it has something to do with the generated manifest file, the virus defender doesn't like something in it.

@SamHoque
Copy link
Author

giphy

Fixed manifest.json
https://www.virustotal.com/gui/file/5fa1d911cbf2722aa4b04be355ba78b1eaa13af35e5470fc1974a39b5a79e368

Manifest detected on virus:
https://www.virustotal.com/gui/file/0f446169195a22d7737152208a3c2b726ad2986fb80c5dd8b6abc9a46a2f55ff

the problem is the background service_worker
manifest_virus.json
manifest_fix.json
worker, changing it to a different path doesn't trigger virus detection

I have attached both files for you to analyze as well, this is very stupid if this is the problem.

@SamHoque
Copy link
Author

SamHoque commented Dec 24, 2024

locally updating the getEntrypointOutputFile function has fixed the anti virus problem for me. I just append a random id as a suffix.

export function getEntrypointOutputFile(
  entrypoint: Entrypoint,
  ext: string,
): string {
  const random_id = Math.random().toString(36).substring(2);
  return resolve(entrypoint.outputDir, `${entrypoint.name}-${random_id}${ext}`);
}

I think in future, we should allow users to be able to configure each entrypoint name via the configuration for minification/custom naming or dirs. (Similar to vite chunks)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

2 participants