Kaspersky is reporting that go1.6.2.windows-amd64.msi contains Trojan Ebowla #16292

Closed
kaveh256 opened this issue Jul 8, 2016 · 11 comments

Comments

@kaveh256

kaveh256 commented Jul 8, 2016

Kaspersky is reporting that there is a Trojan inside go1.6.2.windows-amd64.msi. See the report here.
Looking further into it, it seems it considers api.exe to contain Trojan.Win32.Ebowla.

This seems to be a recurring issue. This also happens with version 1.5 with vet.exe and pprof.exe and also a few previously filed issues.

@cespare
Contributor

cespare commented Jul 8, 2016

I assume it's a false positive, same as those other closed issues.

@kaveh256
Author

kaveh256 commented Jul 8, 2016

It is most likely a false positive. But this is a recurring problem so maybe someone should have a look at why this is happening.

The previous ones were frozen due to age.

@as
Contributor

as commented Jul 8, 2016

It occurs because Go is being leveraged to evade anti-virus software and Kaspersky is using a detection mechanism that triggers false positives.

https://github.com/Genetic-Malware/Ebowla
https://github.com/vyrus001/go-mimikatz

The "virus" is flagged as "Trojan.Win32.Ebowla." The actual virus can use Go to generate code, so Kaspersky is scanning for Go signatures to detect this virus.

@ianlancetaylor
Member

I don't think there is anything we can do, so closing.

Further discussion should probably take place on a forum; see https://golang.org/wiki/Questions .

@Tiberriver256

Tiberriver256 commented Jul 8, 2016

You could submit the official binary hashes to Kaspersky for whitelisting.

http://whitelist.kaspersky.com/whitelist_program
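
An added example, not part of the thread or of the Go project's code: a hypothetical signature keyed on the build-ID text the Go toolchain embeds in its binaries hits every Go program, and a SHA-256 allowlist of release files (the whitelisting suggested above) suppresses the false positive. The sample byte strings, function names and the rule itself are constructed assumptions; how Kaspersky's actual signature works is not stated on this page.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// toolchainMarker is build-ID text the Go toolchain embeds in its binaries.
// Using it as a malware signature is the hypothetical weak rule shown here.
var toolchainMarker = []byte("Go build ID: ")

// Constructed stand-ins for file contents; these are not real executables.
var (
	officialTool = []byte("MZ..\xff Go build ID: \"constructed-official\"\n api checker")
	unknownTool  = []byte("MZ..\xff Go build ID: \"constructed-unknown\"\n something else")
	nonGoTool    = []byte("MZ.. built with another toolchain")
)

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// NaiveSignatureHit flags anything that carries the toolchain marker.
func NaiveSignatureHit(b []byte) bool { return bytes.Contains(b, toolchainMarker) }

// Triage applies the signature, then suppresses hits whose SHA-256 digest is
// on an allowlist of known-good release files.
func Triage(b []byte, allow map[string]bool) string {
	switch {
	case !NaiveSignatureHit(b):
		return "clean"
	case allow[digest(b)]:
		return "allowlisted"
	default:
		return "flagged"
	}
}

// Allowlist holds digests of known-good release files (constructed here).
func Allowlist() map[string]bool { return map[string]bool{digest(officialTool): true} }

func main() {
	for name, b := range map[string][]byte{"official": officialTool, "unknown": unknownTool, "non-go": nonGoTool} {
		fmt.Printf("%-8s signature=%v triage=%s\n", name, NaiveSignatureHit(b), Triage(b, Allowlist()))
	}
}
```

The allowlist only clears files whose bytes match a published release exactly, so a modified or rebuilt binary still falls through to "flagged".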

@ianlancetaylor
Member

OK, @broady , want to look into that?

@broady
Contributor

broady commented Jul 8, 2016

OK, will look into it. The msi files are signed, so maybe we can get Kaspersky to verify Google's signing key.

@jomcn1

jomcn1 commented Jul 8, 2016

FYI, Microsoft System Center Endpoint Protection is also flagging go.1.6.2.src.tar.gz as malware. It looks like it is flagging it as a Spursint.Aclc trojan, and in particular it looks like the file being flagged is go/doc/codewalk/codewalk.js.

@xRayDev

xRayDev commented Jul 11, 2016

Submit the file C:\Go\bin\go.exe to Kaspersky Lab and select "Do not agree with the result".
Maybe it will help to solve this idiotic problem with their Antivirus.

@mut3

mut3 commented Jul 14, 2016

Checkpoint Endpoint Security just started doing the same thing, must share a signature database.

@rsc
Contributor

rsc commented Oct 31, 2017

Go 1.6 is no longer supported.

@rsc rsc closed this as completed Oct 31, 2017
@golang golang locked and limited conversation to collaborators Oct 31, 2018
@rsc rsc unassigned broady Jun 23, 2022