False detection on VT?

[ghost]

Hi,

First of all, thank you for this project!

This project looks trustworthy and on first sight I did not detect anything suspicious, nonetheless I went ahead and checked the current release with VirusTotal just to be sure, the report can be found here: https://www.virustotal.com/gui/file/3ea8f34d481c930ed0d08a5c175cd9ce0ea23805949c29f9c407ae41b46d8999

It (currently) has one detection, which is most likely a false positive and you could possibly rectify it by submitting the program to Elastic (if you care). In VT, under "Relations" you can find that it is "connected" to a Chrome Extension (which has 2 detections) and two IP addresses which also have (very few) detections and I think one of those is also contacted by the DiscordChatExporter (which btw also gets flagged 4 times as of now?).

Could you possibly shed some light on what the two IP addresses the program connects two are contacted for (maybe even point out the files/lines of code?) and why Elastic could be flagging the program? I also got three firewall notifications (e.g. from node.js) when launching the program, I guess this is for the (local) database communication? It seems to run fine without an internet connection.

I am highly confident that this project is not malicious and I just hope you could remove any remaining doubt one could have.

Thanks!

[slatinsky]

The windows release version zip is exactly the same as the ones built by github actions. Also nginx binary is sourced from the official site.

The only thing that I am not 100 % sure that is clean are dlls msvcp140.dll and vcruntime140_1.dll, that I "stole" from my pc :D.

The problem is that the project uses a lot of dependencies - even builds straight from github actions may suffer from supply chain attack.

The project should ONLY contact discord servers. It has no analytics added from my side (but probably other dependencies may have that baked in). Please tell me if you find out any information. It may me useful to fix Windows Defender detection too.

[ghost]

Thanks for the quick answer!

I compared my own .dll files with the ones in the repo and they are of almost identical size, slightly different though (due to different versions of Windows or updates I guess?). But maybe also throw them into VT to be (more) sure that they are clean (not sure how meaningful that is)?

And do you mean a supply chain attack is likely? D:
Or just that the amount of dependencies could be the reason for why the program trips scanner(s)?

The IP Traffic is with:
20.99.184.37:443 (TCP)
23.216.147.76:443 (TCP) (23.216.147.64:443 (TCP) in the previous release)
Unfortunately I don't know how to find out more information on why/where the traffic is happening and what's transferred.

Also: my Windows Defender does not complain, neither about the src nor the release :)

[slatinsky]

First one is Microsoft
Second one is Akamai CDN - this was probably contacted to download gg sans font
Third one is Akamai CDN

I don't see anything suspicious, but you can man-in-the-middle the traffic to be sure if you want. Discord uses Akamai as it's content delivery network (CDN).

Also there is a setting in the viewer to view your exports offline only - so it never contacts discord CDN (except to download font at the server startup stage), even if the assets were not exported.

[ghost]

Thanks, I will try that.

Regarding the .dll files, is there anything we can do to make sure they are safe? You just grabbed them from your Windows, the signatures seem alright, so I guess they should be safe?

Sorry if this starts to get annoying, I promise that this is my last question regarding this topic, thanks a bunch.

[slatinsky]

If you don't trust me and want to be extra safe, download build from github actions (it is build by github using these instructions . Then replace all binaries and dlls with your own copy.

That still doesn't prevent supply chain attack in dependencies.
And as I said before, I upload exactly the same zip file I download from github actions to releases.

[ghost]

I did what you suggested. Running the github actions myself produced something almost identical to your release, besides a few bytes which I guess could be due to some dependencies having already changed slightly since the last release? It also produces the same results in VT. So all good, never mistrusted you here though and this was more of an exercise for myself! :D

Then I replaced the nginx and mongodb binaries and the dlls with my own copies and threw it into VT. It was again flagged by Elastic only and had almost identical behavior with the only difference being the two IP addresses: one is still Microsoft, the other one was now Edgecast instead of Akamai. 🤷