
windows 10 go executables as Troj.Win32.TRX.XXPE50FFF042 #45191

Closed
lsintra opened this issue Mar 23, 2021 · 4 comments

Comments

lsintra commented Mar 23, 2021

What version of Go are you using (go version)?

$ go version
go version go1.16 windows/amd64

Does this issue reproduce with the latest release?

yes

What operating system and processor architecture are you using (go env)?

$ go env
set GO111MODULE=auto
set GOARCH=amd64
set GOBIN=F:\myprogs\workgo\bin
set GOCACHE=C:\Users\lsintra\AppData\Local\go-build
set GOENV=C:\Users\lsintra\AppData\Roaming\go\env
set GOEXE=.exe
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=F:\myprogs\workgo\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=F:\myprogs\workgo
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=c:\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=c:\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.16
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -fmessage-length=0 -fdebug-prefix-map=C:\Users\lsintra\AppData\Local\Temp\go-build824242183=/tmp/go-build -gno-record-gcc-switches
GOROOT/bin/go version: go version go1.16 windows/amd64
GOROOT/bin/go tool compile -V: compile version go1.16
gdb --version: GNU gdb 4.16-B19

What did you do?

tcpclientcc.go
https://play.golang.org/p/6cA6uBWIny1

What did you expect to see?

I expected to see a normal exe file not being identified by anti-virus as a malicious file.
I believe that the executable being considered malicious depends on the link options. Sometimes using upx fixes the problem, other times it creates it:
go build -ldflags="-s -w" %1.go
upx --brute %1.exe

What did you see instead?

I see a pop-up from the Anti-Virus reporting the file as malicious and deleting the exe file.

seankhliao (Member) commented Mar 23, 2021

Please report to Trend Micro

https://golang.org/doc/faq#virus

lsintra (Author) commented Mar 23, 2021

I had already sent the exe files to the Anti-Virus supplier and they were adamant: the files were malicious. This only happens when "golang.org/x/crypto/ssh/terminal" is imported.

ALTree (Member) commented Mar 24, 2021

> Micro Trend and they were adamant: the files were malicious.

The golang.org/x/crypto/ssh/terminal source code is public. Unless they can explain what exactly is "malicious" about it, it's safe to file this under the yet-another-antivirus-false-positive folder.

lsintra (Author) commented Mar 24, 2021

Last night I looked at this again and found out that:
To reproduce the false positive, use the crypto library and do not use any of the -ldflags -w or -s;
To avoid the false positive, do not use the crypto library, or use one of the -ldflags -w or -s.

My IT sent me this link that may explain why golang exes are seen as malicious, out of an abundance of caution, by the anti-virus suppliers:
https://www.makeuseof.com/what-you-need-to-know-about-golang-based-malware/
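The reproduction conditions above come down to two properties of the built executable: whether the COFF symbol table is present (removed by -ldflags=-s) and whether DWARF sections are present (removed by -s or -w). When filing a false-positive report with a vendor, it helps to record, for the exact sample, its SHA-256 and those two properties, so the vendor and the reporter are looking at the same build. The following Go program is an added example and is not part of the issue, the Go project, or golang.org/x/crypto. It uses the standard debug/pe package to read those properties from a Windows executable; the link-flag inference in LikelyFlag assumes the stock Go linker's behaviour described above. Because a real Go binary cannot be embedded here, buildSamplePE constructs a minimal synthetic PE image (constructed test data, not a real program) that has or lacks a symbol table and a .debug_info section, so the inspector can be exercised offline.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"debug/pe"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// Report is what to attach to a false-positive submission: the hash of the
// exact sample plus the two build properties this thread found to matter.
type Report struct {
	SHA256     string
	Sections   []string
	HasSymtab  bool   // COFF symbol table present; -ldflags=-s removes it
	HasDWARF   bool   // .debug_* / .zdebug_* sections present; -s or -w removes them
	LikelyFlag string // inferred link flags (assumption: stock Go linker output)
}

// Inspect parses a Windows PE image and reports the properties above.
func Inspect(data []byte) (Report, error) {
	f, err := pe.NewFile(bytes.NewReader(data))
	if err != nil {
		return Report{}, err
	}
	defer f.Close()
	sum := sha256.Sum256(data)
	r := Report{
		SHA256:    hex.EncodeToString(sum[:]),
		HasSymtab: f.FileHeader.NumberOfSymbols > 0 && len(f.Symbols) > 0,
	}
	for _, s := range f.Sections {
		r.Sections = append(r.Sections, s.Name)
		if strings.HasPrefix(s.Name, ".debug_") || strings.HasPrefix(s.Name, ".zdebug_") {
			r.HasDWARF = true
		}
	}
	switch {
	case r.HasSymtab && r.HasDWARF:
		r.LikelyFlag = "none (default build)"
	case r.HasSymtab && !r.HasDWARF:
		r.LikelyFlag = "-w"
	case !r.HasSymtab && !r.HasDWARF:
		r.LikelyFlag = "-s (with or without -w)"
	default:
		r.LikelyFlag = "unexpected: DWARF without a symbol table"
	}
	return r, nil
}

// buildSamplePE returns a minimal, non-runnable PE image (constructed test
// data, not a real Go binary) that has or lacks the features Inspect checks.
func buildSamplePE(withSymtab, withDWARF bool) []byte {
	var buf bytes.Buffer
	le := binary.LittleEndian
	dos := make([]byte, 64) // DOS header: "MZ" plus e_lfanew at 0x3c -> "PE\0\0"
	copy(dos, "MZ")
	le.PutUint32(dos[0x3c:], 64)
	buf.Write(dos)
	buf.WriteString("PE\x00\x00")
	nsec := uint16(1)
	if withDWARF {
		nsec = 2
	}
	// No optional header; the symbol table starts right after the section headers.
	hdrEnd := uint32(64 + 4 + 20 + 40*int(nsec))
	fh := pe.FileHeader{Machine: pe.IMAGE_FILE_MACHINE_AMD64, NumberOfSections: nsec, Characteristics: 0x0002}
	if withSymtab {
		fh.PointerToSymbolTable, fh.NumberOfSymbols = hdrEnd, 1
	}
	binary.Write(&buf, le, fh)
	writeSection := func(name string) {
		var sh pe.SectionHeader32
		copy(sh.Name[:], name)
		sh.Characteristics = 0x60000020 // code, executable, readable
		binary.Write(&buf, le, sh)
	}
	writeSection(".text")
	if withDWARF {
		writeSection("/4") // names over 8 bytes are "/offset" into the string table
	}
	if withSymtab {
		var sym pe.COFFSymbol // one 18-byte symbol, then the string table
		copy(sym.Name[:], "main")
		sym.SectionNumber, sym.StorageClass = 1, 2 // section 1, IMAGE_SYM_CLASS_EXTERNAL
		binary.Write(&buf, le, sym)
		strtab := []byte(".debug_info\x00")
		binary.Write(&buf, le, uint32(4+len(strtab))) // length field includes itself
		buf.Write(strtab)
	}
	return buf.Bytes()
}

func main() {
	for _, c := range []struct {
		label         string
		symtab, dwarf bool
	}{{"default build", true, true}, {"-ldflags=-w", true, false}, {"-ldflags=-s", false, false}} {
		rep, err := Inspect(buildSamplePE(c.symtab, c.dwarf))
		fmt.Printf("%-14s symtab=%v dwarf=%v sections=%v likely=%q err=%v\n",
			c.label, rep.HasSymtab, rep.HasDWARF, rep.Sections, rep.LikelyFlag, err)
	}
}
```

To use it on a real build, replace the synthetic input with the bytes of the executable (for example via os.ReadFile) and include the printed SHA-256 and flags in the vendor report; submitting both the default build and the -s/-w build side by side gives the vendor the minimal pair that this thread identified.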

golang locked and limited conversation to collaborators Mar 24, 2022