gocsv
The .exe embedded in the installation zip file triggers malware detection in Sophos
I've downloaded gocsv-windows-4.0-amd64.zip
and when I extract gocsv.exe, it triggers Sophos' malware detection.
The malware in question is identified as CXrep/MalGo-A. Is there an alternative?
I'm not sure why it would trigger Sophos' malware detection, although that doesn't sound great...
Maybe you can try building the module from source on your Windows machine? We use karalabe/xgo for cross compilation to publish the executables. I don't have access to a Windows machine, so I can't do it myself :(
After you `git clone` the repo (or use `go get`), you should be able to do something like the following:
```shell
GIT_HASH=$(git rev-parse HEAD)
VERSION=$(git describe --tags HEAD)
LD_FLAGS="-X github.com/aotimme/gocsv/cmd.VERSION=${VERSION} -X github.com/aotimme/gocsv/cmd.GIT_HASH=${GIT_HASH}"
mkdir bin
go build -ldflags "${LD_FLAGS}" -o bin/gocsv.exe
```
(apologies in advance if my syntax is wrong for Windows or if I forgot a step)
Then you can check if Sophos triggers for the built file `bin/gocsv.exe`.
I think that should result in the same binary that is in the v1.0.0 release. For comparison, here is what I get when I check the MD5 and SHA-1 on that `gocsv.exe` file:
```
$ file gocsv.exe
gocsv.exe: PE32+ executable (console) x86-64, for MS Windows
$ shasum gocsv.exe
0dd2c0490520d48cccacb8ca7c4a3e03dce498e4 gocsv.exe
$ md5 gocsv.exe
MD5 (gocsv.exe) = 2f3657c6c478f2f8f320ad35dd1b673f
```
Note that these don't match the hashes from the Sophos website for CXrep/MalGo-A published here.
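The comparison the maintainer describes (hash the downloaded `gocsv.exe` and check it against the digests posted above, and confirm it really is a PE32+ x86-64 image) can be scripted. The block below is an added example for readers of this thread, not code from the gocsv project; the only values it takes from the thread are the two digests, and the fake PE header it builds for its own self-check is constructed here purely for illustration.

```python
import hashlib
import struct
from pathlib import Path
from typing import Dict, Optional

# Digests the maintainer posted for the v1.0.0 gocsv.exe (copied from the thread above).
EXPECTED = {
    "sha1": "0dd2c0490520d48cccacb8ca7c4a3e03dce498e4",
    "md5": "2f3657c6c478f2f8f320ad35dd1b673f",
}

# Values from the PE/COFF specification used to interpret the header fields.
MACHINES = {0x8664: "x86-64", 0x014C: "i386", 0xAA64: "arm64"}
OPT_MAGIC = {0x20B: "PE32+", 0x10B: "PE32"}


def digests(data: bytes) -> Dict[str, str]:
    """Return lowercase hex SHA-1 and MD5 of the given bytes."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def verify(data: bytes, expected: Dict[str, str] = EXPECTED) -> Dict[str, bool]:
    """Compare every expected digest with the computed one; True means it matches."""
    got = digests(data)
    return {name: got[name] == value.lower() for name, value in expected.items()}


def pe_info(data: bytes) -> Optional[Dict[str, str]]:
    """Parse just enough of a PE header to report machine type and PE32/PE32+ format.

    Returns None when the bytes are not a well-formed PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    # Need signature (4) + COFF header (20) + optional-header magic (2).
    if len(data) < e_lfanew + 26 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": OPT_MAGIC.get(magic, hex(magic)),
    }


def fake_pe_header(machine: int, opt_magic: int) -> bytes:
    """Constructed minimal header (MZ stub + PE signature + COFF + optional magic)
    used only to exercise pe_info(); it is not a real executable."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew points right after the stub
    header += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18 + struct.pack("<H", opt_magic)
    return bytes(header)


def check_file(path: str) -> Dict[str, object]:
    """Hash a downloaded artifact and compare it with the posted digests."""
    data = Path(path).read_bytes()
    return {"digests": digests(data), "matches": verify(data), "pe": pe_info(data)}


if __name__ == "__main__":
    import sys
    # Usage: python check_gocsv.py gocsv.exe
    for key, value in check_file(sys.argv[1]).items():
        print(f"{key}: {value}")
```

A mismatch on either digest means the file on disk is not the build the maintainer hashed, which is the first thing to establish before reasoning about why a scanner fired; a match only shows the bytes are the same, it does not by itself say anything about what the program does.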
Could this project use `go install`? I get nervous being asked to copy/paste a script to run.
@dynajoe, I'm not super familiar with the Go toolchain, but the way I see that this project is set up, no, it needs that script to inject the GIT_HASH and VERSION string into the binary. This has been a standard practice in Go for a while ("How to set package variable using -ldflags -X in Golang build").
That practice may now be superseded by go:generate and go:embed ("A better way than “ldflags” to add a build version to your Go binaries").
That said, when I want to make changes, I just use `go install` for my "personal builds".