keybase-issues
Keybase for macOS Flagged on VirusTotal.com
Hi, Folks
The latest release for macOS is being flagged by two vendors on VirusTotal: https://www.virustotal.com/gui/file/4ee110f49723602c627bb68f81cd3054dc16d33d7ffc87a839f4f18a6feded7d?nocache=1
I'm pretty sure it's a false positive, but raising as you may wish to work with the vendors to resolve the issue.
Uploading the App bundle rather than the dmg is only flagged by one vendor: https://www.virustotal.com/gui/file/86d4673a1842b076a0bc058e5c5298fb4e59475fa3c1f2c83572d816d1461df7/behavior
Thanks!
I can confirm that VirusTotal does, indeed, not like the .dmg.
However, it's worth understanding why it dislikes it; it's very likely a false positive.
The culprit seems to be keybase-redirector — one of the "magic" bits that handle mounting a KBFS volume, via FUSE, on a user's unprivileged account. That's no mean feat, and it certainly requires a lot of programming tricks, which anti-malware software will very likely frown upon.
The VirusTotal page for keybase-redirector also mentions that it matches a particular set of the crowdsourced YARA rules:
Looking them up, you can see that this rule will match the word readFile (a way too common function call name, IMHO), which will trigger the warning:
```console
/Applications/Keybase.app/Contents/SharedSupport/bin$ strings keybase-redirector | grep -in readfile
4265:time.readFile
4267:time.readFile.func1
```
Note, however, that they also explain the following (emphasis mine):
> This signature detects the presence of a number of Windows API functionality often seen within embedded executables. When this signature alerts on an executable, it is not an indication of malicious behavior. However, if seen firing in other file types, deeper investigation may be warranted.

keybase-redirector is, indeed, an executable (and is intended to be used as one!); also, it's not a Windows executable, but a perfectly legitimate macOS binary:

```console
/Applications/Keybase.app/Contents/SharedSupport/bin$ file keybase-redirector
keybase-redirector: Mach-O 64-bit executable x86_64
```

(on a Mac with an Intel chip)

AFAIK, keybase-redirector is called when Keybase launches and after having correctly authenticated with the Keybase servers; it establishes the FUSE mount and 'redirects' it to the unprivileged user. You should have that mount listed when executing the command `mount` from the shell.
While I have no idea how Ikarus/Google do their checks, or which files they flagged as suspicious, it's likely that they are essentially flagging the same thing by mistake.
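The two checks made in the reply above (the rule's case-insensitive hit on readFile, and the file-type test that decides whether such a hit is worth escalating) as a small, self-contained triage script. This is an added example, not Keybase code and not the actual crowdsourced YARA rule; the API string list beyond readFile, the constructed sample byte blobs and the verdict names are assumptions made for illustration.

```python
import re
import struct

# Magic numbers from the Mach-O and ELF formats (what `file` keys on first).
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit, big / little endian
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit, big / little endian
    b"\xca\xfe\xba\xbe",                       # fat (universal) binary
}
ELF_MAGIC = b"\x7fELF"

# Stand-in for the rule's "Windows API functionality" string list. The thread
# only shows that the real rule matched "readFile"; the other names are an
# assumption added here for illustration, not the crowdsourced rule's content.
API_STRINGS = [b"readFile", b"CreateFile", b"WriteFile", b"VirtualAlloc"]


def detect_format(data: bytes) -> str:
    """Classify a blob by its leading bytes, roughly as `file` does."""
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:2] == b"MZ":
        # PE: the DWORD at 0x3c (e_lfanew) points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            off = struct.unpack_from("<I", data, 0x3C)[0]
            if data[off:off + 4] == b"PE\0\0":
                return "pe"
        return "mz"
    return "unknown"


def find_api_strings(data: bytes):
    """Case-insensitive substring search, which is why Go's time.readFile
    symbol satisfies a pattern meant for the Win32 ReadFile API."""
    hits = []
    for s in API_STRINGS:
        for m in re.finditer(re.escape(s), data, re.IGNORECASE):
            hits.append((m.start(), m.group().decode()))
    return hits


def triage(data: bytes) -> str:
    """Apply the rule author's own guidance: a hit inside an executable is
    expected and not a malice indicator; a hit in any other file type is
    the case that warrants a closer look."""
    if not find_api_strings(data):
        return "clean"
    if detect_format(data) in ("macho", "elf", "pe"):
        return "match-in-executable"
    return "match-in-non-executable"


# Constructed samples (not real files): a 64-bit little-endian Mach-O header
# followed by Go-style symbol names, a minimal MZ/PE stub, and a shell script.
MACHO_SAMPLE = (b"\xcf\xfa\xed\xfe" + b"\0" * 28
                + b"...time.readFile\0time.readFile.func1\0")
_pe = bytearray(0x40)
_pe[:2] = b"MZ"
struct.pack_into("<I", _pe, 0x3C, 0x40)
PE_SAMPLE = bytes(_pe) + b"PE\0\0" + b"kernel32.dll\0ReadFile\0"
TEXT_SAMPLE = b"#!/bin/sh\ncat readFile.txt\n"

if __name__ == "__main__":
    for name, blob in (("macho", MACHO_SAMPLE), ("pe", PE_SAMPLE),
                       ("script", TEXT_SAMPLE)):
        print(name, detect_format(blob), find_api_strings(blob), triage(blob))
```

Run it and the Mach-O sample comes back as "match-in-executable": the same string that fires the rule on keybase-redirector, but in the file type where the rule's own description says the hit means nothing by itself. Only the shell script, where readFile appears in a non-executable, lands in the "investigate" bucket.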