[CI] Check Nim's binaries aren't Virus #17820
Comments
Even if it is checked, what's the point? It would be really hard to remove the detection anyway; the only reliable way is to sign binaries, but that requires getting a paid MS certificate.
Not only MS has antivirus software, but also macOS and Linux (it's rare but exists), and not everybody develops on Linux. Anyway, I hope that Windows Defender or Gatekeeper don't decide to blacklist Nim's binaries.
The point is that knowing some antivirus software gives false positives on the Nim binaries does not help at all to solve this problem.
Ok, the only solution is to pay a certification company to distribute binaries without antivirus problems.
Surprised everyone is so opposed to this. Having this check made just before release will not solve the problem, but it can at least warn us, and if we know, we might be able to make a change to avoid the antivirus programs.
God bless @dom96, I felt a bit lonely 😄
AV software is harmful
@dom96 how can you possibly "make a change"? AVs won't tell you a thing about why they decided that a particular .exe is a virus or not. Are you going to comment out random lines of code until the AV doesn't detect it anymore? No one is "opposed" to the idea of solving the AV problem, but people are not supporting the idea discussed in this issue - even if we know that it is there, there's no way to know why it was detected.
No, I would run a bisect. This should be especially easy when creating new patch releases since the number of changes is really small. If you find the commit that caused the problem then you have a pretty good chance of mitigating it.
I never said the downvoters were "opposed to the idea of solving the AV problem". Your use of quotes here feels like an implication that I did, so I just want to be clear: I was describing the opposition to the idea in this issue. But anyway, I don't have super strong feelings here, but I don't think this issue/idea deserves so many downvotes :)
Note: it is not only about the compiler's binaries and tools like nimble. User-generated binaries get flagged too, I tested this. So it's not a matter of only saving Nim.exe, but of producing binaries that don't get immediately deleted or quarantined by the antivirus real-time protection. I assure you in some corporate environments it triggers a security process that just doesn't stop with a simple warning. Plus it's a show stopper for the developer.
Unfortunately, it's not. I've tested that with a "hello world" snippet and these test cases: Build with Visual Studio Code 2019 Community Edition:
It may help to write down how modern antivirus works, in a simplified form, just as a note to help define a strategy here. Link to antivirus ether pad table (remove /form to edit)
Problem with bisect in this case is that it's not necessarily one commit that creates the virus mis-detect. It could very well be that one commit introduces it, then another modifies it so it disappears, and later another re-introduces it, which would confuse bisect a lot. Might be worth a try though, but I don't think this would be something we should rely on. But it's worrying that Nim binaries have now started being flagged by AV software, probably led by the fact that it has been used quite a bit for writing malware lately.
@PMunch yes, there is always that risk. No solution is perfect, although for this case you would have seen this start occurring as soon as gcc was bumped up, so for this instance it would have worked just fine. In any case, this feels like a technicality to me. The point is: there is something we can do if we detect it early enough.
The something would be not to push a new release for Windows if it gets flagged by major AV vendors. Hold on to the previous version until it is sorted out.
@m33m33 sure, that's one option. It would slow us down a lot, but if we can't figure out why AV vendors are marking our binary as suspicious then we might want to spend time challenging them.
Look at my previous message to get a hint about how binaries get flagged. If you are willing to spend some time to ask AV vendors, challenge them by sending support requests, uploading false positive samples, you may be disappointed. I tried that (not for Nim) already, but results may vary I suppose. Here are the major AV vendors currently flagging Nim binaries, and the dedicated contact for such issues: Sophos, Microsoft, F-Secure, McAfee, Avira.
I'm also getting many false positives with the latest version of my project (https://github.com/Dankr4d/BF2142Unlocker): The false positive is in my launcher which calls This code caused false positives:

```nim
import os
import osproc

# Switch into the bundled "bin" directory, then launch the real game unlocker
# through cmd.exe. This spawn-a-child-process pattern is what got flagged.
setCurrentDir(getCurrentDir() / "bin")
discard execCmd("cmd /c BF2142Unlocker.exe")
```
Compile a random program with latest Nim on Windows:

```nim
import std/[random, sets]

let size = 1000
var vals = newSeq[Rand](size)
for i in 0..<size: vals[i] = initRand()  # only now, check for uniqueness

proc isUnique[T](a: openArray[T]): bool =
  ## True when no element of `a` occurs twice.
  var s: HashSet[T]
  for i in a:
    if i notin s:
      s.incl(i)
    else:
      result = false
      return
  result = true

doAssert isUnique(vals)
```

Reported by Kaspersky.
In my work environment many of the supporting binaries (nimble.exe, nimsuggest, testament, and others) since 1.4.6 have been flagged. I've worked with IT security over the past couple weeks but ultimately things aren't getting resolved. This is basically a deal breaker for me at work anyways.
A free signing service for open-source projects is coming: sigstore.
This is still a thing with Nim 1.4.8 under Windows 11 with the built-in virus protection system. I know this may be related to the increasing amount of malware written in Nim. But we really need to find a way to work around it.
I just tried the nightly version of 1.5.1 (Windows 64bit). No viruses flagged.
and yet RC2 gets flagged: https://forum.nim-lang.org/t/8466#54728
I'm guessing antiviruses are detecting harmless similarities between malware written in Nim and any Nim program and flagging them. If Nim itself was generating unknowingly malicious code then there would be more detections, but it makes sense if it's based on sample data. It also explains why it's hard for antiviruses to whitelist all Nim programs. Random compilation options like changing the GC, turning off stacktraces etc. should help for now.
Could the CI be set up to auto-send the binaries to these places? The issue, as far as I understand, is that Nim has gotten some popularity in the malware writing space. This means that antivirus vendors get samples from that malware, and then fingerprint them. Unfortunately they don't have enough non-virus binaries so the fingerprint gets too broad and therefore catches Nim itself as well. If we uploaded the Nim compiler binaries (along with nimble and the other tools) to these vendors then the fingerprint should improve its specificity and we avoid these false positives.
Same issue with
I tried to reproduce the above malware warnings for the download links with Firefox and Chrome on my macOS system, but neither gave me a warning even though I had their malware checking feature enabled. I tested the downloads from nim-lang.org with Windows Defender in a workflow. Here is the config file for it. It can be easily converted into a workflow that tests the binaries. I'd be happy to make a PR for it if it's desired.
I can’t download the latest version of Nim for Windows (nim-1.6.6_x64.zip) with Microsoft Edge and I’m not sure what to do. :( Edge simply says the zip is infected with a virus. This looks like a very serious problem to me when you can’t download the install with the default browser.
That is frustrating.
I don't have Windows installed locally. I just now downloaded and installed Edge on my macOS machine, but I get no message when downloading the dist files for Windows (maybe because I'm not using Windows??).
Hello, @quantimnot, thanks to your script, I created https://github.com/nim-lang/virus_checker as a start for checking Nim's binaries in CI. It fetches the latest prebuilt binaries from nightlies and triggers on push and a cron. Are you interested in maintaining it with us? I think some progressive solutions are needed:
Anyone interested, please help us.
There has been a virus checker here => https://github.com/nim-lang/virus_checker I'm closing this issue. Open an issue there or contribute to it, please.
@ringabout Yeah, I'll help maintain it. I'm currently working on a set of composable GitHub actions and malware scanning using a variety of tools is on the list.
@quantimnot Thanks a lot! Would you mind having access to the repo by the invitation I sent?
My last Microsoft Defender definition update is from August 8: Update: Apparently I could find a little more on this from within Microsoft Defender: it’s detected as virus Program:Win32/Uwamson.A!ml and from within this application, I think I can choose “Allow” and maybe get going unless it detects further binaries as infected. VirusTotal reports the zip as fine across all scanners so the false positive sounds very localized to Microsoft Defender. Unfortunately it’s installed and activated by default on Windows. Update 2: So this is the same false positive virus as in issue #19340 from January 7, 2022 and in a post from June 2021 in this thread: https://forum.nim-lang.org/t/8008. One will maybe need to get in touch with Microsoft for this one. I can also choose to Allow in Defender and see. Since it’s Defender related, regardless if I use Firefox, Chrome or Edge, it’ll be deleted right away upon download for as long as my antivirus is enabled.
update: check https://github.com/nim-lang/virus_checker It supports
Anyway the Nim team has done its best, the blame is all on the antivirus vendors.
Maybe the CI could also report the new releases to antivirus vendors that flagged the release, automatically.
I’m aware this bug is closed but just reporting in that this zip could be downloaded here now! 🎉 And all exe files within seem to be fine as Defender ought to have scanned them all during extraction.
Which zip? Did it used to get flagged or is it a new zip? Sometimes new zips take a while before Defender decides to flag them.
The zip here: #17820 (comment) It didn’t work between six days ago or earlier and yesterday. Unless the Nim team replaced the zip with a new one despite the same version of Nim, the AV definition must have been updated on my side.
I can verify this is still an issue on Nim 1.6.10 binaries, on the 22621.1105 Build of Windows 11. The zip file gets autoblocked by Windows Defender and makes a note in the Security page. Still shows up as Trojan:AndroidOS/Multiverze. The SHA256 of the ZIP I'm using is
Use 2.0rc for testing purposes please.
I can't seem to be able to install Nim 1.6.10 binaries either. I haven't found any 2.0rc binary for Windows, where should I look? I have tried with nim-1.9.1-windows_x64.zip, but it's the same outcome (it's branch This seems to solve the issue, at least temporarily:
I could then unzip the archive and strangely, if I scan the archive or the unzipped content, I get "0 threats found". Downloading again the other versions was not a problem anymore. I reported that to MS but I doubt I'll ever get any feedback.
Adding this here because finding the related fix for the virus scanner is hard. Nimble is using an old download API: #19767
Weirdly, I haven't had any of those issues until today, when I tried to make a very simple file copier. It works fine when I build the binary with the CLI, but trying to get it automatic/temp-binary-only via a PyCharm action is unfortunately marking this software as a trojan.
Got this installation blocker when trying to install 2.0.2. Flagged files were
Related to this forum post, it would be cool to use the VirusTotal API to check this problem during the RC stage.
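The release-gate idea raised several times in this thread (scan the prebuilt artifacts in CI, hold the release if a major vendor flags them, and keep a record to send back to the vendor) can be sketched as a small Python module. This is an added example and not code from nim-lang/virus_checker or the Nim project's CI. It hashes a release artifact, builds the VirusTotal v3 hash lookup (the `files/{sha256}` endpoint with the `x-apikey` header, which are the real API's), and then decides from the per-engine verdicts whether the release should be blocked. The report it evaluates is a constructed sample shaped like a VirusTotal file report, so the module runs offline; the `BLOCKING_ENGINES` list, the `ExampleVendor` engine and its `Heur.Generic` label are assumptions of this example, while the Microsoft label is the one quoted earlier in the thread.

```python
"""Release gate for antivirus false positives on prebuilt artifacts (added example)."""
import hashlib
import json
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Vendors this thread names as having flagged Nim binaries. A hit from any of
# them blocks the release; any other hit is only reported as a warning.
# The list is an assumption of this example, not project policy.
BLOCKING_ENGINES = frozenset(
    {"Microsoft", "Kaspersky", "Sophos", "F-Secure", "McAfee", "Avira"}
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory artifact; VirusTotal uses this hex digest as the file id."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a large release zip through SHA-256 without loading it fully into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def vt_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) the hash lookup; the API key travels in the x-apikey header."""
    return urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256),
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def fetch_report(sha256: str, api_key: str, timeout: float = 30.0) -> dict:
    """Network call; the offline demonstration below never invokes it."""
    with urllib.request.urlopen(vt_lookup_request(sha256, api_key), timeout=timeout) as resp:
        return json.load(resp)


def flagged_engines(report: dict) -> dict:
    """Map engine name -> detection label for every engine that did not clear the file."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    return {
        engine: entry.get("result") or entry["category"]
        for engine, entry in results.items()
        if entry.get("category") in ("malicious", "suspicious")
    }


def release_gate(report: dict, blocking=BLOCKING_ENGINES) -> tuple:
    """Return (ok, blockers, warnings): ok is False when a blocking vendor flagged the file.

    Both lists are sorted so the output is stable enough to diff between RC builds,
    which is what you would attach to a false-positive report to the vendor.
    """
    flagged = flagged_engines(report)
    blockers = sorted(e for e in flagged if e in blocking)
    warnings = sorted(e for e in flagged if e not in blocking)
    return (not blockers, blockers, warnings)


# Constructed sample in the shape of a VirusTotal v3 file report: the Defender
# label quoted in this thread plus one made-up heuristic hit from a non-blocking engine.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "id": sha256_hex(b"constructed release artifact"),
        "attributes": {
            "last_analysis_stats": {"malicious": 1, "suspicious": 1, "undetected": 3},
            "last_analysis_results": {
                "Microsoft": {"category": "malicious", "result": "Program:Win32/Uwamson.A!ml"},
                "Kaspersky": {"category": "undetected", "result": None},
                "Sophos": {"category": "undetected", "result": None},
                "ExampleVendor": {"category": "suspicious", "result": "Heur.Generic"},
                "ClamAV": {"category": "undetected", "result": None},
            },
        },
    }
}


if __name__ == "__main__":
    ok, blockers, warnings = release_gate(SAMPLE_REPORT)
    print("release ok:", ok, "| blockers:", blockers, "| warnings:", warnings)
```

In a real pipeline `sha256_of_file` would run over each nightly or RC zip, `fetch_report` would pull the verdicts, and a `False` from `release_gate` would fail the job so the artifact is held back, which is exactly the "don't push a flagged release" option discussed above; the blockers list doubles as the evidence to include when filing the false positive with the vendor.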