
Security products flags installer as malware (v0.30)

Open dr4lekhine opened this issue 2 years ago • 5 comments

Hello,

Have you noticed that the latest build (0.30) is flagged as malware by several security/AV products:

0.30 (Windows): https://www.virustotal.com/gui/file/33e86bbf67936459a50b3cc1713254b6a4cf817ab46b07d49ffe7658edb84349/details (6/63)


In general, earlier builds seem not to be:

0.29 (Windows): https://www.virustotal.com/gui/file/5208435e4b886e4a2b84eece27e0436948281647d5a0b8b4937756d97be812ee/detection (0/61)

0.28 (Windows): https://www.virustotal.com/gui/file/363fe8954edb1e826d2932d779973293479274a813fd7b5c0dfb67f8732ca9fd/detection (1/61)

Regards.

dr4lekhine avatar May 22 '22 02:05 dr4lekhine

Hrm. Indeed, I saw Avast on the list of engines that flagged it and I happen to run Avast on my Windows system, so I reproduced the problem successfully.


I'm not great at interpreting the output of these VirusTotal summaries to understand what about the executable was the cause for concern. For instance, some older versions of Brim were also flagged due to one particular utility that's bundled with the app, but in that case the detail in VirusTotal was sufficient to unpack the problem and write up the details at https://github.com/brimdata/brim/wiki/Troubleshooting#my-antivirus-software-has-flagged-brim-as-potentially-malicious that show why it's almost certainly a false positive. For this one, I'm not sure how one would proceed.

philrz avatar May 22 '22 16:05 philrz

I just went ahead and submitted it at https://www.avast.com/false-positive-file-form.php to see if the Avast people might come back with anything more specific to say.

philrz avatar May 22 '22 17:05 philrz

Dang, this sucks. It's probably, as usual, our bundled zeek and suricata binaries. We updated electron in this release, so that might be reason for the difference since the last release.

jameskerr avatar May 23 '22 18:05 jameskerr

I did get the following reply from Avast:


Greetings,

Thank you for contacting Avast with your concerns.

Our virus specialists have been working on this problem and detection on this file has been changed to PUP - potentially unwanted.

For future reference you might also find the following articles to be useful:

  • Avast Threat Labs - Clean guidelines: https://support.avast.com/en-ww/article/228/
  • Avast Threat Labs - Mobile application clean guidelines: https://support.avast.com/en-ww/article/151/

Ondřej

Avast Customer Care Team


It sure would have been great if they could flag the specific items in their checklists where they believe the app is still in violation, rather than leaving it to us to guess which one(s). I'll reply and ask if they'd be so kind. In the meantime, looking over the list myself, I can see some possible culprits including:

  • Should the software functionality be more clearly described during the installation process?
  • Should there be more explicit mention of Zed, Zeek, Suricata, and Suricata Update as bundled components?
  • I couldn't find any links during installation or in the app to the Privacy Policy even though one exists at https://www.brimdata.io/terms/privacy/
  • I don't know anything about "vendor identifiers", but their point about how this must apply to "every executable" makes me wonder whether all the ones that are shipped get that treatment
  • I'm not sure if their text "Each program must be offered on its own offer/install screen" implies that there'd need to be separate install steps specifically covering the Zeek/Suricata parts, but when I think about it, indeed, other common tools do this (e.g., Wireshark having npcap as a separate install step)

I'd recommend doing your own read through their lists, as I may be overlooking others that apply. These might be worth addressing regardless, since their presence in these lists seems to imply they're a reflection of current good app hygiene.

I'll update with anything further I hear back from Avast.

philrz avatar May 24 '22 20:05 philrz
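An added example (not from the Brim/Zui project) for the "vendor identifiers on every executable" item in the comment above: it walks an install directory, reports the version-resource vendor fields and Authenticode status of each bundled binary, and prints each file's SHA-256 with the matching VirusTotal URL (the same hash-keyed links used earlier in this issue). The install path is an assumed placeholder.

```powershell
# Added example, not project code. Audits every shipped .exe/.dll for vendor metadata
# and code-signing status, the items an AV vendor's "clean guidelines" typically check.
param(
    # Assumed placeholder; point this at the directory the installer actually wrote to.
    [string]$InstallDir = "$env:LOCALAPPDATA\Programs\Zui"
)

$results = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        [pscustomobject]@{
            File        = $_.FullName.Substring($InstallDir.Length).TrimStart('\')
            Company     = $info.CompanyName      # vendor identifier from the version resource
            Product     = $info.ProductName
            FileVersion = $info.FileVersion
            SigStatus   = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256      = $hash
            # VirusTotal keys its file reports on SHA-256, so this URL shows any prior verdicts.
            VirusTotal  = "https://www.virustotal.com/gui/file/$hash"
        }
    }

# Binaries with no company/product metadata or without a valid signature are the ones
# most likely to trip a "vendor identifier on every executable" check.
$gaps = $results | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Company) -or
    [string]::IsNullOrWhiteSpace($_.Product) -or
    $_.SigStatus -ne 'Valid'
}

$results | Format-Table File, Company, Product, SigStatus, Signer -AutoSize
"`n$($gaps.Count) of $($results.Count) binaries lack vendor metadata or a valid Authenticode signature:"
$gaps | Format-Table File, Company, SigStatus, VirusTotal -AutoSize
```

Run it from a PowerShell prompt after installing the release you want to check; third-party tools bundled unsigned (the Zeek/Suricata binaries mentioned in this thread) will show up in the second table.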

Alas, when I replied and asked Avast to point to Brim's specific violations from their checklist, they did not provide them. Their message:


Hello Phil,

Thank you for your reply.

Once the violations of clean guidelines are fixed on the side of the developers they may contact us directly to check it for them again.

Best Regards

Ondřej

Avast Customer Care Team


Therefore, it sounds like the best that could be done is to address as many things from their checklist as possible and then ask again, as they say.

philrz avatar May 30 '22 21:05 philrz

#2857 tracked a more recent flagging of the Zui installer as malware, and we addressed that with the changes in the linked PR #2858. As discussed in the closing remarks of #2857, the VirusTotal report for the Zui v1.3.1 Windows installer shows "green" status for all the vendors. Therefore I'm closing this issue as a duplicate of #2857.

philrz avatar Oct 26 '23 21:10 philrz