Today Microsoft Security Essentials started to flag all chisel versions as a hacking tool #279
Comments
|
I'll echo this comment #229 (comment)
If we found the module/section-of-code that the AV signature was using, we could change that bit and it would clear the detection - though this would then become a game of cat and mouse... My suggested workarounod would be to switch to Mac/Linux 😁 |
|
You can report a false positive to Microsoft as a Software Developer on https://www.microsoft.com/en-us/wdsi/filesubmission (https://docs.microsoft.com/en-gb/windows/security/threat-protection/intelligence/submission-guide#how-do-i-dispute-the-detection-of-my-program). Might be worth a shot to get this sorted or get some information on why chisel is getting detected as a hack tool in the first place. |
FWIW It can be ducked by using https://github.com/burrowers/garble to obfuscate the compiled binary. Of course being forced to use obfuscation to hide from an AV scanner, because it incorrectly quarantines a valid tool, is exactly the sort of thing that makes the binary look more nefarious. |
|
Haha yeah agreed - exemption from MS would be optimal
…On Fri, 11 Jun 2021 at 8:36 pm lmvlmv ***@***.***> wrote:
I'll echo this comment #229 (comment)
<#229 (comment)>
It’d be great to get someone with
Go experience and a Windows machine to figure out what’s causing this
If we found the module/section-of-code that the AV signature was using, we
could change that bit and it would clear the detection - though this would
then become a game of cat and mouse...
My suggested workarounod would be to switch to Mac/Linux 😁
FWIW It can be ducked by using https://github.com/burrowers/garble to
obfuscate the compiled binary. Of course being forced to use obfuscation to
hide from an AV scanner, because it incorrectly quarantines a valid tool,
is exactly the sort of thing that makes the binary look more nefarious.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#279 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAE2X4Z7N7KHITTSFRNBCADTSHRJBANCNFSM45JPZZRA>
.
|
|
@jpillora As of 1.341.945.0 of the windows defender definitions (18/06/2021 00:33) this has been removed. There was some push back and it looks like MS has updated their policy. Looks like defender has reverted to detecting the default builds of chisel as being "potentially harmful" and will still block execution but does not quarantine. However signature matching has been removed meaning any lightly modified compiled binary for (FWIW I found that using garble to avoid detection worked but subtly broke specifically reverse tunneled connections in a way I'm too stupid to figure out. Something in the randomisation used must interfere with some static info in the binary this function requires... ) |
|
chisel has been used in a cyber attack because of its great potential, that's why they decided to do that |
Actually garbling doesn't work. It sometimes seems to work but somehow gets detected the day after. I even removed the server part of chisel, but again got flagged by Windows Defender. |
|
I succeeded to trust manually chisel on Defender configuration. Good for me but not good for others that need it. |
|
Esset AV show it contains trojan
|
|
I think it’s saying the chisel is the trojan lol definitely isn’t, it can
be used by Trojans, but so can curl/ssh etc
…On Wed, 27 Oct 2021 at 4:28 am rchovan ***@***.***> wrote:
Esset AV show it contains trojan
[image: image]
<https://user-images.githubusercontent.com/6713920/138930127-384ca68b-0775-47c5-8a38-97303e3dc794.png>
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#279 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAE2X42QCQZVU2YW3JQAIQ3UI3XLRANCNFSM45JPZZRA>
.
|
I updated definitions, got my hands dirty with go, and sure enough I got like half of the vendors in virustotal to stop flagging the file, but the main problem is microsoft flagging it which makes me feel like microsoft still is doing some "signature matching". |
|
I think it can be titled "Reports for Anti-virus software". |
|
As the Kaspersky software on my office laptop was maintained by system administrators, I'll wait for a workaround. |
|
FWIW I revisited garbling as avoiding MS Defenders policy was impossible. To build a garbled chisel that avoids the heuristic detection:
This is enough to produce a binary. Garbling the literals seems key. Presumably the scan is looking for some magic strings. If you're forking and building under CI then tests will fail. The self-signed certificates in the chisel repo do not include Subject Alternate Name fields and the later x509 libraries will reject any such certificates. If these certs are updated then it looks like chisel builds against 1.19 go OK, at least on ubuntu and windows. |
|
$ git clone https://github.com/burrowers/garble.git $ git clone https://github.com/jpillora/chisel.git
|
Today Microsoft updated the database for security essentials and Windows Defender. Therefore, all software using chisel on Microsoft will be prevented from running because it is considered a "hack tool".
The argument is that "Hacktools can be used to patch or "crack" some software so it will run without a valid license or genuine product key."
I strongly disagree with the fact that Microsoft can just blacklist an open source tcp tunnel software library without blacklisting all such tunnels. If a software misuses an open source library the software doing so should be banned, not the underlying library providing a technical means.
The solution is to whitelist this but this is not very elegant.
This has also been discussed previously here #229 for another anti-virus vendor and is flagged as won't fix. I guess this will end up as won't / can't fix as well? But maybe we should address this with Microsoft?
The text was updated successfully, but these errors were encountered: