VirusTotal flagging latest darwin-arm64 binary as malware #1977
Comments
Thanks @tedsilb. I'll investigate and respond here.
Bumping this down as it appears to be a false positive. Investigating further.
This is definitely a false positive, but it's still concerning that it's happening.
Possibly related to podman-desktop/podman-desktop#3861.
Just to be clear:
Our latest release has no reported vulnerabilities by govulncheck or in our default image (based on distroless). It's not clear what's getting flagged in VirusTotal, but we have reason to believe this is a false positive.
And to add on, ClamAV does not report these problems in either of the Darwin binaries.
I suspect we might be getting flagged because we don't notarize the binary with Apple. This might be a duplicate in effect of #1712.
In reading the VirusTotal behavior report carefully for the amd64 binary, the VirusTotal test result shows our binary attempting to access /etc/master.passwd and the Wi-Fi settings. Of course, I tried to reproduce this behavior and could not because our binary does not actually do these things. The VirusTotal scan details show that the various sensitive files like /etc/master.passwd and /Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist were opened by macOS components. They weren't opened by our process. We are investigating how to reach VirusTotal to verify that this is a false positive result.
Confirmed. This was a false positive across a few security scanners.
Bug Description
Hi, just flagging that VirusTotal detects the latest darwin-arm64 binary (hash 9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639) as containing malware (Google: Ikarus - Trojan.OSX.Psw). I reanalyzed on VirusTotal and it produced the same finding.

VirusTotal link: https://www.virustotal.com/gui/file/9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639/detection/f-9e47a9cbd96d572b1fd51e9902e1c2a449c43e55cdd038f77941d795c603b639-1695370063
Example code (or command)
No response
Stacktrace
No response
Steps to reproduce?
scan with virustotal
Environment
darwin-arm64
Additional Details
No response