
BitDefender is detecting inchi-1.exe 1.07 as a virus #54

Open
MikeWilliams-UK opened this issue Sep 2, 2024 · 21 comments

Comments

@MikeWilliams-UK

MikeWilliams-UK commented Sep 2, 2024

I see this in my BitDefender logs.

On-Access scanning has detected a threat. The file has been deleted. C:\Dev\Mike***\Inchi\Inchi\inchi-1.exe is malware of type Gen:Variant.Lazy.591568

Please fix this

inchi-1.exe
InChI version 1, Software v. 1.07 (inchi-1 executable)
Windows 64-bit Build (MS VS 2017 or later) of Jul 16 2024 16:25:04
@MikeWilliams-UK MikeWilliams-UK changed the title BitDefender is detecting inchi-1.exe as a virus BitDefender is detecting inchi-1.exe 1.07 as a virus Sep 2, 2024

@giallu
Contributor

giallu commented Sep 10, 2024

I think it's safe to say this is a false positive, maybe open a report to Bitdefender?

@MikeWilliams-UK
Author

I agree that it's most likely a false positive, but it is also flagged by other engines too.

@MikeWilliams-UK
Author

Besides which it is not my place to report this, it should be done by the Inchi Trust

@fbaensch-beilstein
Collaborator

fbaensch-beilstein commented Sep 11, 2024

I got a similar warning using G Data on Windows (sorry for the German):
Virus: Gen:Variant.Lazy.591568 (Engine A)
Datei: inchi-1.exe
Verzeichnis: [...]\InChI\INCHI-1-BIN\windows\64bit

@giallu
Contributor

giallu commented Sep 11, 2024

@JanCBrammer can you confirm the released binary files are built in a github workflow and not in any personal PC that may be compromised?

@MikeWilliams-UK
Author

The binaries I used were downloaded from the release folder https://github.com/IUPAC-InChI/InChI/releases/download/v1.07.1/INCHI-1-BIN.zip

@MikeWilliams-UK
Author

MikeWilliams-UK commented Sep 11, 2024

@JanCBrammer
Collaborator

can you confirm the released binary files are built in a github workflow and not in any personal PC that may be compromised?

@giallu, the binaries under https://github.com/IUPAC-InChI/InChI/releases/download/ aren't built on GitHub runners. See #1.

As far as I know, currently, @djb-rwth is building them on his machine.

@giallu
Contributor

giallu commented Sep 17, 2024

Ok. I still think this is likely a false positive (otherwise more engines would mark the binaries as infected), but it makes sense to start building them in the GitHub environment so we can be pretty sure about it.

For my part, I can add to the cmake branch a package target that bundles the artifacts together and makes them available

@MikeWilliams-UK
Author

I think it would be a good idea to (code) sign all the binary files (exe and dll) in the release, as that should help appease the AV vendors.

@fbaensch-beilstein
Collaborator

I've uploaded the .exe to G Data, they accepted and whitelisted it.

@djb-rwth
Collaborator

Hi all,
Thanks @fbaensch-beilstein for confirming my suspicions that this is a false positive.

This does not seem to be an isolated case in which BitDefender detected Gen:Variant.Lazy.591568 falsely -- please refer to the following hyperlinks: hl1, hl2 or hl3.

Almost all AV software tends to be over-protective in cases of .exe files as malware and spyware most frequently sneak them within the OS.

Just recently, even the basic Windows Security falsely detected PUABundler:Win32/Rostpay within a MyConsoleApplication.exe which contained a compiled Hello world program and PUA:Win32/Presenoker inside GCC 14.1 for MS Windows installation files.

In line with @MikeWilliams-UK suggestion, all binaries will be digitally signed from now on and we shall see if that works.

I would like to encourage the users who encounter this sort of problem to submit the file(s) to the AV software HQs for further analyses/whitelisting, just like @fbaensch-beilstein did.

@djb-rwth
Collaborator

Hi @MikeWilliams-UK,
All Microsoft Windows binaries have now been digitally signed in InChI v1.07.2, which has now been uploaded to rwth branch.
Please note that Microsoft Windows SDK's SignTool has been used for digital signatures and that Microsoft Powershell's self-signed certificate has been used for creating digital certificates.

Please be so kind as to test if your AV software still gives false positives.

@MikeWilliams-UK
Author

A VirusTotal scan of inchi-1.exe in the rwth branch shows no false positive.
https://www.virustotal.com/gui/file/902ff29b4eb1e832982c966a3ef21be62f111436b95923e457c2bbc94d9253e7?nocache=1

However, I do get a SmartScreen warning when I try to run it, which may concern some.
This may be due to the cert being self-signed or a lack of reputation; it's hard to tell.

We at Chem4Word use a code signing service run by the .NET Foundation which uses an EV certificate generated for us and stored in their Azure Key Vault.
See "Code signing" on https://dotnetfoundation.org/projects/benefits

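As an added example (not code from the InChI project or from anyone in this thread), the following PowerShell script turns the two checks discussed above into a repeatable local routine: it compares the downloaded file's SHA-256 against the hash from the VirusTotal link, and it inspects the Authenticode signature to show why a SignTool signature made with a self-signed certificate still yields a SmartScreen warning. The local path is an assumption; the expected hash is the one quoted in this thread.

```powershell
# Added example, not the InChI project's own code.
# Assumptions: the binary lives at the path below (hypothetical);
# the expected SHA-256 is the hash from the VirusTotal link in this thread.
param(
    [string]$Path = 'C:\Dev\InChI\INCHI-1-BIN\windows\64bit\inchi-1.exe',
    [string]$ExpectedSha256 = '902ff29b4eb1e832982c966a3ef21be62f111436b95923e457c2bbc94d9253e7'
)

if (-not (Test-Path -Path $Path)) {
    throw "File not found: $Path"
}

# 1. Integrity: is this the same artifact that was scanned on VirusTotal?
$actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
    Write-Warning "SHA-256 mismatch: got $actual, expected $ExpectedSha256. This is not the scanned file; do not reuse its verdict."
} else {
    Write-Host 'SHA-256 matches the artifact that was scanned on VirusTotal.'
}

# 2. Authenticity: is the binary signed, and does the signer chain to a trusted root?
$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host ("Signature status : {0}" -f $sig.Status)
Write-Host ("Status message   : {0}" -f $sig.StatusMessage)

if ($sig.SignerCertificate) {
    $cert = $sig.SignerCertificate
    # A self-signed certificate is its own issuer; that alone tells you
    # Windows has no reputation or trust anchor to attach to it.
    $selfSigned = ($cert.Subject -eq $cert.Issuer)
    Write-Host ("Signer subject   : {0}" -f $cert.Subject)
    Write-Host ("Issuer           : {0}" -f $cert.Issuer)
    Write-Host ("Self-signed      : {0}" -f $selfSigned)
    Write-Host ("Valid until      : {0}" -f $cert.NotAfter)
    # Without an RFC 3161 timestamp the signature expires together with the certificate.
    Write-Host ("Timestamped      : {0}" -f [bool]$sig.TimeStamperCertificate)
}

switch ($sig.Status) {
    'Valid' {
        Write-Host 'Signature chains to a root this machine trusts.'
    }
    'NotSigned' {
        Write-Warning 'No Authenticode signature present.'
    }
    { $_ -in 'UnknownError', 'NotTrusted' } {
        # Typical result for a test certificate from New-SelfSignedCertificate:
        # the signature itself is intact, but no trusted root vouches for the signer,
        # so SmartScreen treats the file much like an unsigned one.
        Write-Warning 'Signed, but the signer does not chain to a trusted root (expected for a self-signed certificate).'
    }
    default {
        Write-Warning "Signature problem: $($sig.Status)"
    }
}
```

Run it as `.\Check-InChIBinary.ps1 -Path <your copy of inchi-1.exe>`. A matching hash plus a `Valid` status from a publicly trusted (ideally EV) certificate is what makes an AV false-positive report and a SmartScreen reputation request easy to back up; a matching hash with `UnknownError` means the release is reproducible but the signature adds no trust for end users.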

@djb-rwth
Collaborator

Hi @MikeWilliams-UK,
Thanks for the report.
I would say that the SmartScreen in question pops up because of the self-signed certificate which is mostly used for testing purposes.
I guess that we will have to consider using DigiCert or the .NET Foundation EV certificate, although we do not have the access to Microsoft Azure services at this point -- at least none that I am aware of.
Will keep you posted.

@MikeWilliams-UK
Author

If you wished to use the .NET Foundation's code signing service you would need to sign up/join their organisation.

Details of the benefits are here: https://dotnetfoundation.org/membership/participation-types
I think the section "Open Source Maintainers / Project Owners" would be most appropriate.

@MikeWilliams-UK
Author

There are examples of using this in Azure DevOps and GitHub actions on the main page of their CLI tool
https://github.com/dotnet/sign

@djb-rwth
Collaborator

There are examples of using this in Azure DevOps and GitHub actions on the main page of their CLI tool https://github.com/dotnet/sign

Hi @MikeWilliams-UK,
Thanks so much for this.
Will look into it right away.

@djb-rwth
Collaborator

There are examples of using this in Azure DevOps and GitHub actions on the main page of their CLI tool https://github.com/dotnet/sign

Hi @MikeWilliams-UK,
Unfortunately the .NET Foundation is closed for new applications until next year.
Any further suggestions in this regard would be much appreciated.
