Kaspersky is reporting that go1.6.2.windows-amd64.msi contains Trojan Ebowla #16292
Comments
I assume it's a false positive, same as those other closed issues.
It is most likely a false positive. But this is a recurring problem so maybe someone should have a look at why this is happening. The previous ones were frozen due to age.
It occurs because Go is being leveraged to evade anti-virus software and Kaspersky is using a detection mechanism that triggers false positives. https://github.com/Genetic-Malware/Ebowla The "virus" is flagged as "Trojan.Win32.Ebowla." The actual virus can use Go to generate code, so Kaspersky is scanning for Go signatures to detect this virus.
I don't think there is anything we can do, so closing. Further discussion should probably take place on a forum; see https://golang.org/wiki/Questions.
You could submit the official binary hashes to Kaspersky for whitelisting.
OK, @broady, want to look into that?
OK, will look into it. The msi files are signed, so maybe we can get Kaspersky to verify Google's signing key.
FYI, Microsoft System Center Endpoint Protection is also flagging go.1.6.2.src.tar.gz as malware. It looks like it is flagging it as a Spursint.Aclc trojan, and in particular it looks like the file being flagged is go/doc/codewalk/codewalk.js.
Submit the file C:\Go\bin\go.exe to Kaspersky Lab and select "Do not agree with the result".
Checkpoint Endpoint Security just started doing the same thing; it must share a signature database.
Go 1.6 is no longer supported.
Kaspersky is reporting that there is a Trojan inside go1.6.2.windows-amd64.msi. See the report here.
Looking further into it, it seems it considers api.exe to contain Trojan.Win32.Ebowla.
This seems to be a recurring issue. This also happens with version 1.5 with vet.exe and pprof.exe and also a few previously filed issues.