hass-workstation-service

Virus warning

Open mattmole opened this issue 3 years ago • 13 comments

Hi,

On my Windows 10 device, SmartScreen reports malware. I understand this as it's such a new exe that maybe it doesn't recognise it yet.

Avast shows the following:

image

Also, virustotal.com shows this:

image

I hope this is helpful

mattmole avatar Mar 15 '21 14:03 mattmole

Hi! The SmartScreen warning happens because the code is self-signed. This is expected and normal in this case.

It's super weird that you're getting virus reports. I'll have a look tonight why this could be happening. Thanks for reporting this!

sleevezipper avatar Mar 15 '21 14:03 sleevezipper

I scanned the file that reported as a virus here and got nothing positive. What exactly did you upload and where did you get it from?

sleevezipper avatar Mar 15 '21 15:03 sleevezipper

Thank you for taking the time to write this! I uploaded setup.exe, which I got from...

https://hassworkstationstorage.z6.web.core.windows.net/publish/setup.exe

https://www.virustotal.com/gui/file/e1b28927a0a3ed377a0c88b3e33d9859faac93d0c516898693a95a80faa741f3/detection

mattmole avatar Mar 15 '21 15:03 mattmole

Thanks for the extra information. This is so strange. If you put the URL to the file in virustotal.com it shows negative but if you download the file and then upload it, it's positive.

This is most likely a false positive as there's only one scanner that finds anything and well, I wrote this thing myself but you probably shouldn't take my word for it. I'll do more research tonight.

sleevezipper avatar Mar 15 '21 15:03 sleevezipper

Thanks for spending the time and sorry these are my first comments. This must be quite far away from the work you'd rather be doing - the dev itself!

mattmole avatar Mar 15 '21 16:03 mattmole

No worries, I appreciate it.

sleevezipper avatar Mar 15 '21 16:03 sleevezipper

MetaDefender shows the same results with the Zillya! engine finding a threat. VirScan gives the same result.

For me this confirms this as a false positive but others should not take my word for it. I want to be transparent about this so here's what I think is needed.

  1. Building and releasing the app should be automated and transparent. Right now I create builds on my own computer and upload the binaries to GitHub and Windows Azure.
  2. Releases should be signed by an Authenticode code-signing certificate. This would ensure you are using builds created by the automated build process.
  3. There will always be some level of plain trust associated with downloading software from the internet. I'm open to ideas about how to do this well.

Before coming out of beta this should be set up and documented.

sleevezipper avatar Mar 16 '21 20:03 sleevezipper
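
An added example, not part of the thread or the project's code: a PowerShell check a user can run on the downloaded installer to confirm it is the same file that was scanned and to see how Windows rates its Authenticode signature. The function name and the download path are hypothetical; the default hash is the SHA-256 from the VirusTotal link posted earlier in this thread.

```powershell
# Added example: triage a flagged installer before trusting or reporting it.
# Test-DownloadedInstaller is a hypothetical helper name, not a built-in cmdlet.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # SHA-256 taken from the VirusTotal URL posted in this thread.
        [string] $ExpectedSha256 = 'e1b28927a0a3ed377a0c88b3e33d9859faac93d0c516898693a95a80faa741f3'
    )

    # Hash the local file so it can be compared with the scanned sample.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()

    # Ask Windows to evaluate the embedded Authenticode signature.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Sha256          = $hash
        # False means this is a different build than the one in the scan report.
        HashMatches     = ($hash -eq $ExpectedSha256.ToLowerInvariant())
        # 'Valid' only when the chain ends in a locally trusted root; a
        # self-signed certificate that is not in the trust store does not
        # report 'Valid', and an unsigned file reports 'NotSigned'.
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = $cert.Subject
        Issuer          = $cert.Issuer
        # Subject equal to Issuer is the usual mark of a self-signed certificate.
        SelfSigned      = ($null -ne $cert -and $cert.Subject -eq $cert.Issuer)
        Thumbprint      = $cert.Thumbprint
    }
}

# Hypothetical download location; adjust to where the file was saved.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\setup.exe" | Format-List
```

Recording the thumbprint lets later downloads be compared against the same signer even while the certificate is self-signed.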

Thanks a lot for the update. I was reading earlier about the below, which may be another way to sign the code.

https://sigstore.dev/what_is_sigstore/

Does GitHub Actions allow you to build and sign the code centrally?

Matt

mattmole avatar Mar 17 '21 21:03 mattmole

Same for me with Avast

zigomatichub avatar Mar 18 '21 19:03 zigomatichub

> Does GitHub actions allow you to build and sign the code centrally?

I think it does! I'm not sure if it supports the installer we currently use (ClickOnce) but we don't have to use that.

sleevezipper avatar Mar 18 '21 19:03 sleevezipper

image

I got the same problem with Avast. Avast deletes the file and it doesn't work. If I try to start the program, it re-installs and Avast deletes it another time... Can't use it.

Disema avatar Mar 30 '21 22:03 Disema

Looks like another AV decided to mark it as a false positive

image

I've gone ahead and dispatched an email to Zillya and Gridinsoft, requesting that this program signature be removed from their databases.

JonathinR avatar Jun 04 '21 08:06 JonathinR

Same issue my side with Symantec Endpoint Protection..... Very sad I was looking forward to using this with automation to manage office power and lights when my workstation is offline. I shall find another way.

chiefcomm avatar Jul 07 '21 03:07 chiefcomm