Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

deltachat-rpc-server-win64.exe is marked as malware by VirusTotal since 1.150.0 #6338

Open
link2xt opened this issue Dec 13, 2024 · 13 comments
Open

deltachat-rpc-server-win64.exe is marked as malware by VirusTotal since 1.150.0 #6338

link2xt opened this issue Dec 13, 2024 · 13 comments

Comments

@link2xt
Copy link
Collaborator

link2xt commented Dec 13, 2024
edited
Loading

This version is marked as malware:
https://github.com/deltachat/deltachat-core-rust/releases/download/v1.150.0/deltachat-rpc-server-win64.exe

sha256sum of 1.149.0 is 347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9, it is clean:
https://www.virustotal.com/gui/file/347bdcf0905cb19335ae915ea7a256db1396e48eecf848ede6fe116f4f82ebb9
I built it with nix build .#deltachat-rpc-server-win64 and it produced the same binary with the same sha256, the version uploaded to GitHub releases, PyPI and npm is reproducible.

sha256sum of 1.150.0 is 12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4, I also reproduced it with Nix, but this one is flagged:
https://www.virustotal.com/gui/file/12cdbb651b793c2b81b3a08a8ea10942dcfdf30777381c947b3002dad3c9d4e4

Going to bisect to the commit now.

git bisect log

Commit 60163cb (bad, 1/72 flagged): https://www.virustotal.com/gui/file/a76476948e06af68a513e542c02f0a5c66c970b71aa0590096bdcdf80d212dd0

Commit 1e886a3 (good): https://www.virustotal.com/gui/file/5137e6c543ab985872c06a019b08a21ffc1c5d0cfa7d2d968e007b08d8ad0a06

Commit 010b655 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 19dc16d (good):
https://www.virustotal.com/gui/file/e95316049c1e8123823eb475406425d33b9922b04c1f249d7596f6722a425740

Commit fe53eb2 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/6bcbc36ab460d15c847c402d3b3d44e2adde277f6cdce5e16bf284b59b874d71

Commit 9c0e932 (bad, 1/72 flagged):
https://www.virustotal.com/gui/file/0512e8b2e25c64c11d470e54ca931f464986cd7d41031c02e6dee53425d86ad2

I suspect it will end up at nix flake update commit which implicitly updated Rust, but doing proper git bisect currently anyway.

EDIT: so it is 9c0e932 which updated Rust.

This problem results in antivirus deleting deltachat-rpc-server.exe when installing Delta Chat Desktop on Windows and breaking the setup: deltachat/deltachat-desktop#4209
@link2xt link2xt mentioned this issue Dec 13, 2024
Open
@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024
edited
Loading

At this point it is only Microsoft detecting Trojan:Win64/CobaltStrike.IM!MTB
Seems they have a history of such false positives: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-atp-scars-admins-with-false-cobalt-strike-alerts/

Also here: tree-sitter/tree-sitter-css#35

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024

https://docs.virustotal.com/docs/false-positive-contacts lists https://www.microsoft.com/en-us/wdsi/filesubmission as a place to report false positives. There is a way to upload your binary as a "software developer", probably we should do it from Delta Chat related account.

@WofWca
Copy link
Collaborator

WofWca commented Dec 13, 2024
edited
Loading

What's interesting is that the 32-bit build of 1.150 is not flagged: https://www.virustotal.com/gui/file/98c85c5cd0fab1be0f12dc4768b889aaaaa53a8124ced8c5039e24c08ea260d6

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024
edited
Loading

I uploaded 1.152.0 as the false positive:
windows

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024

1.152.0 release, the latest one at the moment and the one submitted as false positive:
https://www.virustotal.com/gui/file/f5c3174fa11bb2010a9aadad993ce4b130d0b5de2a17782a64619bb2e67277e4

We can click to rescan it later and see if the problem is resolved.

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024
edited
Loading

I have also tested that checking out v1.149.0 tag and running nix flake lock --update-input fenix to only update Rust results in Microsoft detecting 1.149.0 as Trojan:Win64/CobaltStrike.IM!MTB: https://www.virustotal.com/gui/file/bf0ddac0dd7c4a667f37f5207d55cd08b3c01b980738826e93e44d894168511d

Here is the diff compared to 1.149.0:

diff --git a/flake.lock b/flake.lock
index 95b1fe5d8..8fe43fb73 100644
--- a/flake.lock
+++ b/flake.lock
@@ -47,11 +47,11 @@
         "rust-analyzer-src": "rust-analyzer-src"
       },
       "locked": {
-        "lastModified": 1714112748,
-        "narHash": "sha256-jq6Cpf/pQH85p+uTwPPrGG8Ky/zUOTwMJ7mcqc5M4So=",
+        "lastModified": 1734071760,
+        "narHash": "sha256-i5/1cvgahF0lvtRkg9aKlYr0SuE8hNO7xaqvdkc+qXE=",
         "owner": "nix-community",
         "repo": "fenix",
-        "rev": "3ae4b908a795b6a3824d401a0702e11a7157d7e1",
+        "rev": "db0bcf236f561ebbac1204074757c26c53a3d63c",
         "type": "github"
       },
       "original": {
@@ -147,11 +147,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1713895582,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "lastModified": 1733940404,
+        "narHash": "sha256-Pj39hSoUA86ZePPF/UXiYHHM7hMIkios8TYG29kQT4g=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
+        "rev": "5d67ea6b4b63378b9c13be21e2ec9d1afc921713",
         "type": "github"
       },
       "original": {
@@ -203,11 +203,11 @@
     "rust-analyzer-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1714031783,
-        "narHash": "sha256-xS/niQsq1CQPOe4M4jvVPO2cnXS/EIeRG5gIopUbk+Q=",
+        "lastModified": 1734022706,
+        "narHash": "sha256-rIz8/rsTP5N7uLSyFbHZ+ink6EHBKkWFAQPkzhq7/YM=",
         "owner": "rust-lang",
         "repo": "rust-analyzer",
-        "rev": "56bee2ddafa6177b19c631eedc88d43366553223",
+        "rev": "9b2e72c40454012cbac8a1aa94d65931e3a7b881",
         "type": "github"
       },
       "original": {

@WofWca
Copy link
Collaborator

WofWca commented Dec 13, 2024

We can click to rescan it later and see if the problem is resolved.

Unlikely, it's been marking other releases as potentially malicious

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 13, 2024

I mean if Microsoft does something about false positive, VirusTotal should stop detecting old binaries as malware as well.

@link2xt link2xt mentioned this issue Dec 17, 2024
Merged
@link2xt
Copy link
Collaborator Author

link2xt commented Dec 17, 2024

There is a workaround at #6346 but this Rust downgrade prevents us from upgrading dependencies, e.g. iroh at #6309 so the issue will remain open until Microsoft fixes the false positive.

@link2xt link2xt mentioned this issue Dec 17, 2024
Draft
@nicodh nicodh mentioned this issue Dec 17, 2024
Merged
@link2xt
Copy link
Collaborator Author

link2xt commented Dec 17, 2024

There is also an update on the false positive report:
malware

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 17, 2024

VirusTotal still flags 1.152.0 so the issue remains open until we can build with new Rust and get 0 detections on VirusTotal and can merge #6348

@nicodh nicodh mentioned this issue Dec 18, 2024
Merged
@link2xt
Copy link
Collaborator Author

link2xt commented Dec 25, 2024

Current situation with #6348

https://www.virustotal.com/old-browsers/file/5ba9d321c00a387fcab67ec8ab59325f118307c7914e45f04eb2efdaa81ef655 (2/76, Ikarus + Google)

https://www.virustotal.com/gui/file/5ba9d321c00a387fcab67ec8ab59325f118307c7914e45f04eb2efdaa81ef655 (2/72, Google + Ikarus)

@link2xt
Copy link
Collaborator Author

link2xt commented Dec 26, 2024

According to https://docs.virustotal.com/docs/false-positive-contacts we should write to [email protected] or what? Not going to do it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@link2xt @WofWca