Today Microsoft Security Essentials started to flag all chisel versions as a hacking tool

[carsten1410]

Today Microsoft updated the database for security essentials and Windows Defender. Therefore, all software using chisel on Microsoft will be prevented from running because it is considered a "hack tool".
The argument is that "Hacktools can be used to patch or "crack" some software so it will run without a valid license or genuine product key."

I strongly disagree with the fact that Microsoft can just blacklist an open source tcp tunnel software library without blacklisting all such tunnels. If a software misuses an open source library the software doing so should be banned, not the underlying library providing a technical means.

The solution is to whitelist this but this is not very elegant.

This has also been discussed previously here #229 for another anti-virus vendor and is flagged as won't fix. I guess this will end up as won't / can't fix as well? But maybe we should address this with Microsoft?

[jpillora]

I'll echo this comment #229 (comment)

It’d be great to get someone with
Go experience and a Windows machine to figure out what’s causing this

If we found the module/section-of-code that the AV signature was using, we could change that bit and it would clear the detection - though this would then become a game of cat and mouse...

My suggested workarounod would be to switch to Mac/Linux 😁

[sanderaernouts]

You can report a false positive to Microsoft as a Software Developer on https://www.microsoft.com/en-us/wdsi/filesubmission (https://docs.microsoft.com/en-gb/windows/security/threat-protection/intelligence/submission-guide#how-do-i-dispute-the-detection-of-my-program). Might be worth a shot to get this sorted or get some information on why chisel is getting detected as a hack tool in the first place.

[lmvlmv]

I'll echo this comment #229 (comment)

It’d be great to get someone with
Go experience and a Windows machine to figure out what’s causing this

If we found the module/section-of-code that the AV signature was using, we could change that bit and it would clear the detection - though this would then become a game of cat and mouse...

My suggested workarounod would be to switch to Mac/Linux 😁

FWIW It can be ducked by using https://github.com/burrowers/garble to obfuscate the compiled binary. Of course being forced to use obfuscation to hide from an AV scanner, because it incorrectly quarantines a valid tool, is exactly the sort of thing that makes the binary look more nefarious.

[jpillora]

Haha yeah agreed - exemption from MS would be optimal

…

On Fri, 11 Jun 2021 at 8:36 pm lmvlmv ***@***.***> wrote: I'll echo this comment #229 (comment) <#229 (comment)> It’d be great to get someone with Go experience and a Windows machine to figure out what’s causing this If we found the module/section-of-code that the AV signature was using, we could change that bit and it would clear the detection - though this would then become a game of cat and mouse... My suggested workarounod would be to switch to Mac/Linux 😁 FWIW It can be ducked by using https://github.com/burrowers/garble to obfuscate the compiled binary. Of course being forced to use obfuscation to hide from an AV scanner, because it incorrectly quarantines a valid tool, is exactly the sort of thing that makes the binary look more nefarious. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE2X4Z7N7KHITTSFRNBCADTSHRJBANCNFSM45JPZZRA> .

[lmvlmv]

@jpillora As of 1.341.945.0 of the windows defender definitions (18/06/2021 00:33) this has been removed. There was some push back and it looks like MS has updated their policy.

Looks like defender has reverted to detecting the default builds of chisel as being "potentially harmful" and will still block execution but does not quarantine.

However signature matching has been removed meaning any lightly modified compiled binary for chisel.exe is no longer immediately nuked by real-time protection. Which is.... better?

(FWIW I found that using garble to avoid detection worked but subtly broke specifically reverse tunneled connections in a way I'm too stupid to figure out. Something in the randomisation used must interfere with some static info in the binary this function requires... )

[G0ne]

chisel has been used in a cyber attack because of its great potential, that's why they decided to do that

[amintnt]

@jpillora As of 1.341.945.0 of the windows defender definitions (18/06/2021 00:33) this has been removed. There was some push back and it looks like MS has updated their policy.

Looks like defender has reverted to detecting the default builds of chisel as being "potentially harmful" and will still block execution but does not quarantine.

However signature matching has been removed meaning any lightly modified compiled binary for chisel.exe is no longer immediately nuked by real-time protection. Which is.... better?

(FWIW I found that using garble to avoid detection worked but subtly broke specifically reverse tunneled connections in a way I'm too stupid to figure out. Something in the randomisation used must interfere with some static info in the binary this function requires... )

Actually garbling doesn't work. It sometimes seems to work but somehow gets detected the day after. I even removed the server part of chisel, but again got flagged by Windows Defender.

[nicolas-albert]

I succeeded to trust manually chisel on Defender configuration. Good for me but not good for others that need it.

[rchovan]

Esset AV show it contains trojan

[jpillora]

I think it’s saying the chisel is the trojan lol definitely isn’t, it can be used by Trojans, but so can curl/ssh etc

…

On Wed, 27 Oct 2021 at 4:28 am rchovan ***@***.***> wrote: Esset AV show it contains trojan [image: image] <https://user-images.githubusercontent.com/6713920/138930127-384ca68b-0775-47c5-8a38-97303e3dc794.png> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#279 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE2X42QCQZVU2YW3JQAIQ3UI3XLRANCNFSM45JPZZRA> .

[javaarchive]

@jpillora As of 1.341.945.0 of the windows defender definitions (18/06/2021 00:33) this has been removed. There was some push back and it looks like MS has updated their policy.

Looks like defender has reverted to detecting the default builds of chisel as being "potentially harmful" and will still block execution but does not quarantine.

However signature matching has been removed meaning any lightly modified compiled binary for chisel.exe is no longer immediately nuked by real-time protection. Which is.... better?

(FWIW I found that using garble to avoid detection worked but subtly broke specifically reverse tunneled connections in a way I'm too stupid to figure out. Something in the randomisation used must interfere with some static info in the binary this function requires... )

I updated definitions, got my hands dirty with go, and sure enough I got like half of the vendors in virustotal to stop flagging the file, but the main problem is microsoft flagging it which makes me feel like microsoft still is doing some "signature matching".
https://www.virustotal.com/gui/file/24dd1a9bbc545ae71c4219dbc4746ab4022dd675eabcd5dc9fb3d225dc3996ce/detection
I wasn't able to get garble running yet due to the go version I got. I also tried running Ultimate Packer on the executable but that ended up making the file detected as some other kind of malware.