Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Winget installation flagged as a trojan by windows security #5074

Open
isgkm opened this issue Feb 25, 2024 · 27 comments
Open

Winget installation flagged as a trojan by windows security #5074

isgkm opened this issue Feb 25, 2024 · 27 comments
Labels
bug Something isn't working fixed-in-nightly This is (or is assumed to be) fixed in the nightly builds.

Comments

@isgkm
Copy link

isgkm commented Feb 25, 2024

What Operating System(s) are you seeing this problem on?

Windows

Which Wayland compositor or X11 Window manager(s) are you using?

No response

WezTerm version

20240203-110809-5046fc22

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

No, and I'll explain why below

Describe the bug

Trying to install with winget on a fresh windows 11 installation alerts windows security of a "Trojan:Win32/Wacatac.B!ml" and automatically quarantines it.

There is no nightly version available in winget.

To Reproduce

Type winget install wez.wezterm in cmd/powershell.

Configuration

no config

Expected Behavior

No response

Logs

No response

Anything else?

Full windows security log:

Detected: Trojan:Win32/Wacatac.B!ml
Status: Quarantined
Details: This program is dangerous and executes commands from an attacker.
Affected items:
file: C:\Users\user\AppData\Local\Temp\WinGet\wez.wezterm.20240203-110809-5046fc22\DOFEDD.tmp
file: C:\Users\user\AppData\Local\Temp\WinGet\wez.wezterm.20240203-110809-5046fc22\WezTerm-20240203-110809-5046fc22-setup.exe

@isgkm isgkm added the bug Something isn't working label Feb 25, 2024
@isgkm
Copy link
Author

isgkm commented Feb 25, 2024

Flagged again for the "WezTerm-windows-20240203-110809-5046fc22.zip" version, but this time its "Trojan:Win32/Malgent!MSR"

@tankorsmash
Copy link

tankorsmash commented Feb 25, 2024

I'm also getting this from downloading https://objects.githubusercontent.com/github-production-release-asset-2e65be/120568143/609f4929-1353-4ee8-9ca7-4f255c73eb45?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240225%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240225T225642Z&X-Amz-Expires=300&X-Amz-Signature=d9cd3ec6bae58e0df77015c03e1e4b57be483ffd969cf5b23348833de18d1d7f&X-Amz-SignedHeaders=host&actor_id=1312390&key_id=0&repo_id=120568143&response-content-disposition=attachment%3B%20filename%3DWezTerm-20240203-110809-5046fc22-setup.exe&response-content-type=application%2Foctet-stream via https://wezfurlong.org/wezterm/install/windows.html on Windows 10

image

@zyrif
Copy link

zyrif commented Feb 26, 2024

winget upgrade fails for the same reason (win 10).
Interestingly, virustotal found no issues with this file (one vendor flagged it as suspicious, and that's it).

image

image

@igorzhilin
Copy link

It was flagged by a few dubious antiviruses as having a trojan. Nonetheless, would love to hear the author's opinion.

https://www.virustotal.com/gui/file/35a6ec0eff7aa65e3987f14223bfb9df831eaab2964eb441ed6cad4356d252ff
8 / 70 security vendors and no sandboxes flagged this file as malicious

@kungp
Copy link

kungp commented Feb 27, 2024

Winget managed to install this on one of my Windows 10 machines a couple of days ago, but if I scan the file now it reports a trojan. Windows 11 refuses, says it's some "AgentTesla" trojan. Scanned the 10 machine with mwb and defender and it finds nothing, but I'm still pretty concerned...

Update: it does find it in strip-ansi-escapes.exe in the root WezTerm directory.

Update again: #5041

@peikk0
Copy link

peikk0 commented Feb 27, 2024

Same issue here, it quarantines it after detecting some Trojan:Win32/AgentTesla!ml.

@abhbh
Copy link

abhbh commented Feb 28, 2024

The issue is with strip-ansi-escapes.exe reported earlier in #5041
If you download the .zip file from Releases, Windows will specifically block that executable.

@LucCADORET
Copy link

The issue is with strip-ansi-escapes.exe reported earlier in #5041 If you download the .zip file from Releases, Windows will specifically block that executable.

As mentionned above, and as I have experienced myself, the issue arises also with winget. Would be nice to know precisely what is happening.

@tankorsmash
Copy link

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

@isgkm
Copy link
Author

isgkm commented Mar 2, 2024

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

I got fed up with windows and switched back to linux eventually and currently am using wezterm, so I don't actually care about this problem anymore, but I highly doubt it's anything serious. It's a huge project with 250+ contributors and even more users, supporters etc.

@wez
Copy link
Owner

wez commented Mar 2, 2024

These sorts of false positives pop up from time to time; you can see from searching in this repo the prior events. They are outside of my control and sort themselves out after someone reports the false positive.

You might have better luck with the nightly build.

I'm a little concerned that this has not been acknowledged yet. Wezterm is otherwise trustworthy right? I haven't used it before this issue.

Everything in wezterm is open source, and the CI is also open source. You can see exactly what has gone into a build and verify that there is nothing nefarious happening here, to the binaries that you download from this github repository.

If you are installing via some external aggregator/distro then the chain of trust is less clear.

It is currently "too difficult" for an independent OSS maintainer to automate code signing for windows executables; it's a ludicrous endeavor: I would need to found an LLC, have it independently verified, then fund annual book keeping for the LLC, its tax returns and status, just to get a code signing certificate that doesn't result in a scary prompt for the user. In addition, I have yet to find a certificate provider that will integrate nicely with GH actions in a fully automated way (most require some kind of USB hardware device or cloud call that requires a presence check in order to sign), so that implies that I therefore also need to procure and maintain a dedicated windows build system to produce these binaries and keep pressing a button on each build run.

I would love for this situation to be different!

https://fosstodon.org/@voltagex@aus.social/111819639907704896 is a thread with more context.

@igorzhilin
Copy link

it seems to be resolved now, i installed from winget the 0301 version, and no defender warnings anymore

@cprusprus
Copy link

it seems to be resolved now, i installed from winget the 0301 version, and no defender warnings anymore

@igorzhilin How? winget search wezterm shows: "WezTerm wez.wezterm 20240203-110809-5046fc22 winget"

@yooakim
Copy link

yooakim commented Mar 14, 2024

Sorry to report that the issue is back again.

But I fully sympathize with the issues you are facing @wez - so thanks for trying!

One things that can help is to download the file in the WSL2 session, so try doenload using curl in WSL:

curl -LO https://github.com/wez/wezterm/releases/download/20240203-110809-5046fc22/WezTerm-windows-20240203-110809-5046fc22.zip

Then unzip/copy to the Windows filesystem /mnt/c/Users<youruser> - then you can unblock the WezTerm files from Windows Defender.

@tmercswims
Copy link

tmercswims commented Mar 17, 2024

I have WezTerm installed via installer, not winget, and strip-ansi-escapes.exe got flagged by Windows Defender as a "Trojan:Win32/Malgent!MSR."

I submitted the file to Microsoft as a false-positive, and it's been closed with the following "analyst comment":

We have determined that the files meet our criteria for malware. At this time the detection will remain in place.

So no luck getting this reversed for now, I guess.

(Not that I'm concerned, personally, for the record; I will continue to use WezTerm worry-free! Just annoying that MS continues to be wrong about this.)

@abelcheung
Copy link

@tmercswims It's quite odd for you to still get it flagged right now, because I have downloaded the 0203 installer yesterday. Fed it into Windows Defender, and no malware warning at all. It used to be full of red alerts back in the days (around end of Feb), but not now.

@AyoungDukie
Copy link

AyoungDukie commented Mar 21, 2024

We recently enabled Windows Defender for our work machines (while previously using a third party AV tool), and I recently got bit by this. Supposedly everything is up to date, so this matches what @tmercswims experienced and seems to hold on latest definitions for Win11 12H2

Screenshots

image

Defender screenshots:
image

image

@tankorsmash
Copy link

blind speculation, but could this be related? I couldn't find xz packaged here, but maybe there's a dep or something that got caught in the crossfire? https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/

@mitchcapper
Copy link

at 29 of 72 vendors flagging this: https://www.virustotal.com/gui/file/ac6b05ae682c120778791eb942895db8fe1e513787c718df6996a3895d82c1c3

that is a really high false positive rate. It also seems in the past the same binary is the primary issue getting flagged. The point of the utility is to simply strip ansi sequences from input while leaving CR/LF/HT (horizontal tab). Given this seems very basic can we not just rewrite this either directly in rust or c/c++?

there are well known regex to do the same including:

/(\x9B|\x1B\[)[0-?]*[ -\/]*[@-~]/
or more commonly found:
[\u001B\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\u0007)|(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~])

Clearly with a live stream of data and avoiding buffering may take a bit more tweaking to use the regex on, assuming staying in rust: rust-lang/regex#425 may be required. Then again this isn't crazy functionality so could be done without regexs to more easily support streaming in rust.

strip-ansi-escapes is also pretty huge, at 1.2 megs for the binary. For comparison, me compiling sed statically with all features enabled on windows is 519kb. Gawk statically 912kb. Both of these would seem to handle far more complex situations then strip-ansi-escapes.

I will say compiling 5046fc2 in release generated a fairly different binary from the package stripped-ansi-escapes but that could be due to w/e optimizations etc.

@mitchcapper
Copy link

@statisch as this seems to be the primary issue for discussing this can we get this renamed to something like #5041 strip-ansi-escapes.exe is detected as a Trojan by some anti-virus causing installs to be flagged

wez added a commit that referenced this issue Apr 5, 2024
In particular, strip-ansi-escapes' dep graph is expanded
by the overall set of enabled crate features when doing an
indiscriminate `cargo build` vs. `cargo build -p strip-ansi-escapes`.

This may help to avoid tripping over whatever is problematic
in #5074
@wez
Copy link
Owner

wez commented Apr 5, 2024

I made an adjustment to the CI in 4de4061 which slims down the deps (cargo will compute the superset of all enabled crate features when building multiple crates at once, and apply those to all of the crates) which seems to help the overall assessment:

https://www.virustotal.com/gui/file/59ecd511fe692bf3c90f6d038bbe1dbea97ad8d95e9ca38668b1e72c4e31b0e2

@wez wez added the fixed-in-nightly This is (or is assumed to be) fixed in the nightly builds. label Apr 5, 2024
This was referenced May 17, 2024
@Welding-Torch
Copy link

I can't even download the zip file for Wezterm. Windows literally blocks the download.
image

@JPHutchins
Copy link

It is currently "too difficult" for an independent OSS maintainer to automate code signing for windows executables;

I believe MS wants to remedy this situation for OSS. I reached out to the Azure Code Signing team and they were very supportive; I haven't validated all of the tooling yet, but I do want to make OSS contributors aware in case any one has some spare time to investigate - particularly, setting up signing in GitHub workflows would be very valuable for OSS.

@wez
Copy link
Owner

wez commented Jun 12, 2024

@JPHutchins thanks for the tip. Docs seems to be a weak point right now, but it sounds potentially interesting!

@gaving

This comment was marked as duplicate.

@mitchcapper
Copy link

Keep in mind nothing requires you to use this specific version, you can use the one from a few days earlier: https://github.com/wez/wezterm/releases/tag/20240128-202157-1e552d76

or the nightly installer that already has the cargo stripping from above: https://wezfurlong.org/wezterm/install/windows.html

that may also resolve it for you:)

@wez
Copy link
Owner

wez commented Jun 14, 2024

Yes, as stated above, this is resolved in the nightly build.
Continuing to try to use the prior release build which MS refuse to reclassify is just adding noise here.

Repository owner locked as resolved and limited conversation to collaborators Jun 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
bug Something isn't working fixed-in-nightly This is (or is assumed to be) fixed in the nightly builds.
Projects
None yet
Development

No branches or pull requests