Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TestExeObjParser/executableObject_pe_garble can fail on Windows #35705

Closed
elasticmachine opened this issue Jun 6, 2023 · 5 comments · Fixed by #35724
Closed

TestExeObjParser/executableObject_pe_garble can fail on Windows #35705

elasticmachine opened this issue Jun 6, 2023 · 5 comments · Fixed by #35724
Assignees
@faec
Labels
automation build-failures Build failures in the CI. ci-reported Issues that have been automatically reported from the CI flaky-test Unstable or unreliable test cases.

Comments

@elasticmachine
Copy link
Collaborator

💔 Tests Failed

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2023-06-06T17:05:40.954+0000

  • Duration: 138 min 56 sec

Test stats 🧪

Test Results
Failed 2
Passed 60080
Skipped 5953
Total 66035

Test errors 2

Expand to view the tests failures

ExtendedWin / auditbeat-windows-10-windows-10 / TestExeObjParser/executableObject_pe_garble – github.com/elastic/beats/v7/auditbeat/module/file_integrity
    Expand to view the error details

     Failed

    Expand to view the stacktrace

     === RUN   TestExeObjParser/executableObject_pe_garble
    exeobjparser_test.go:46: unexpected error calling exeObjParser.Parse: open ./testdata/garble_pe_executable: The system cannot find the file specified.
    exeobjparser_test.go:72: unexpected error for garble_pe pe.import_hash: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.imphash: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.imports: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.imports_names_entropy: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.imports_names_var_entropy: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.go_import_hash: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.go_stripped: got:key not found want:<nil>
    exeobjparser_test.go:72: unexpected error for garble_pe pe.sections: got:key not found want:<nil>
    --- FAIL: TestExeObjParser/executableObject_pe_garble (0.00s)

ExtendedWin / auditbeat-windows-10-windows-10 / TestExeObjParser – github.com/elastic/beats/v7/auditbeat/module/file_integrity
    Expand to view the error details

     Failed

    Expand to view the stacktrace

     === RUN   TestExeObjParser
--- FAIL: TestExeObjParser (0.06s)

Steps errors 5

Expand to view the steps failures

filebeat-arm-ubuntu-2204-aarch64 - mage build unitTest
  • Took 12 min 8 sec . View more details here
  • Description: mage build unitTest
auditbeat-windows-10-windows-10 - mage build unitTest
  • Took 3 min 21 sec . View more details here
  • Description: mage build unitTest
auditbeat-windows-10-windows-10 - mage build unitTest
  • Took 3 min 52 sec . View more details here
  • Description: mage build unitTest
auditbeat-windows-10-windows-10 - mage build unitTest
  • Took 1 min 50 sec . View more details here
  • Description: mage build unitTest
Error signal
  • Took 0 min 0 sec . View more details here
  • Description: Error "hudson.AbortException: script returned exit code 1"

@elasticmachine elasticmachine added automation ci-reported Issues that have been automatically reported from the CI build-failures Build failures in the CI. Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jun 6, 2023
@elasticmachine
Copy link
Collaborator Author

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@cmacknz cmacknz added Team:Security-External Integrations and removed Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Jun 7, 2023
@elasticmachine
Copy link
Collaborator Author

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@cmacknz cmacknz changed the title Build 85 for 8.8 with status FAILURE TestExeObjParser/executableObject_pe_garble can fail on Windows Jun 7, 2023
@cmacknz cmacknz added the flaky-test Unstable or unreliable test cases. label Jun 7, 2023
@ebeahan
Copy link
Member

ebeahan commented Jun 8, 2023
edited
Loading

Some vendors (including Elastic) flag garble_pe_executable as a malicious file. Even though Microsoft isn't listed as one of the vendors on VT, appears Defender is starting to flag it as malicious during test runs:

[2023-06-06T19:05:20.231Z] === FAIL: auditbeat/module/file_integrity TestExeObjParser/executableObject_pe_garble (0.71s)
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:46: unexpected error calling exeObjParser.Parse: open ./testdata/garble_pe_executable: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.import_hash: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.imphash: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.imports: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.imports_names_entropy: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.imports_names_var_entropy: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.go_import_hash: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.go_stripped: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     exeobjparser_test.go:72: unexpected error for garble_pe pe.sections: got:key not found want:<nil>
[2023-06-06T19:05:20.231Z]     --- FAIL: TestExeObjParser/executableObject_pe_garble (0.71s)
[2023-06-06T19:05:20.231Z] 
[2023-06-06T19:05:20.231Z] === FAIL: auditbeat/module/file_integrity TestExeObjParser (1.38s)
[2023-06-06T19:05:20.231Z] 
[2023-06-06T19:05:20.231Z] DONE 98 tests, 5 skipped, 2 failures in 85.263s
[2023-06-06T19:05:21.244Z] Error: failed to execute go: exit status 1
script returned exit code 1

EDIT: Tested and confirmed the file is marked as malicious and quarantined on Windows 10:

Windows 10 21H1 (OS Build 19043.2364)
Windows Defender Security intelligence version: 1.391.851.0

@efd6
Copy link
Contributor

efd6 commented Jun 8, 2023

We can remove that test if it's causing problems.

@efd6 efd6 mentioned this issue Jun 8, 2023
Merged
6 tasks
@efd6
Copy link
Contributor

efd6 commented Jun 8, 2023

PR at #35724.

@narph narph mentioned this issue Jun 13, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@faec faec

Labels
automation build-failures Build failures in the CI. ci-reported Issues that have been automatically reported from the CI flaky-test Unstable or unreliable test cases.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

auditbeat/module/file_integrity: remove garbled PE executable test file efd6/beats
5 participants
@cmacknz @ebeahan @elasticmachine @faec @efd6