
Virus found in Windows build

Open adrian-afl opened this issue 1 year ago • 6 comments

What Operating System(s) are you seeing this problem on?

Windows

Which Wayland compositor or X11 Window manager(s) are you using?

No response

WezTerm version

20240203-110809-5046fc22

Did you try the latest nightly build to see if the issue is better (or worse!) than your current version?

Yes, and I updated the version box above to show the version of the nightly that I tried

Describe the bug

When trying to download the latest version from this URL: https://github.com/wez/wezterm/releases/download/20240203-110809-5046fc22/WezTerm-windows-20240203-110809-5046fc22.zip the virus scanner built into Firefox kicks in and deletes the file because it contains malware. See the attached screenshot; sadly it's in Polish, but it says "This file contains a virus or other harmful software".

To Reproduce

Use Firefox on Windows and download the latest stable, WezTerm-windows-20240203-110809-5046fc22.zip

Configuration

None

Expected Behavior

No response

Logs

No response

Anything else?

No response

adrian-afl avatar Jun 22 '24 07:06 adrian-afl

Uploading the file to VirusTotal shows that the culprit might be strip-ansi-escapes.exe, and according to #5041 this has already happened. Maybe it is not as dangerous as it looks and is simply a false positive.

Tartasprint avatar Jun 22 '24 16:06 Tartasprint

Adding this here..

scoop install wezterm

Scoop was updated successfully!
Installing 'wezterm' (20240203-110809-5046fc22) [64bit] from 'extras' bucket
WezTerm-windows-20240203-110809-5046fc22.zip (63.1 MB) [======================================================] 100%
Checking hash of WezTerm-windows-20240203-110809-5046fc22.zip ... Get-FileHash : The file
'C:\Users\Owner\scoop\apps\wezterm\20240203-110809-5046fc22\WezTerm-windows-20240203-110809-5046fc22.zip' cannot be
read: Operation did not complete successfully because the file contains a virus or potentially unwanted software.
At C:\Users\Owner\scoop\apps\scoop\current\lib\install.ps1:679 char:16
+     $actual = (Get-FileHash -Path $file -Algorithm $algorithm).Hash.T ...
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (C:\Users\Owner\...09-5046fc22.zip:PSObject) [Write-Error], WriteErrorExcepti
   on
    + FullyQualifiedErrorId : FileReadError,Get-FileHash

You cannot call a method on a null-valued expression.
At C:\Users\Owner\scoop\apps\scoop\current\lib\install.ps1:679 char:5
+     $actual = (Get-FileHash -Path $file -Algorithm $algorithm).Hash.T ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Get-Content : Operation did not complete successfully because the file contains a virus or potentially unwanted
software.
At C:\Users\Owner\scoop\apps\scoop\current\lib\core.ps1:1345 char:16
+         return Get-Content $file -Encoding byte -TotalCount 8
+                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ReadError: (C:\Users\Owner\...09-5046fc22.zip:String) [Get-Content], IOException
    + FullyQualifiedErrorId : GetContentReaderIOError,Microsoft.PowerShell.Commands.GetContentCommand

ERROR Hash check failed!
App:         extras/wezterm
URL:         https://github.com/wez/wezterm/releases/download/20240203-110809-5046fc22/WezTerm-windows-20240203-110809-5046fc22.zip
First bytes:
Expected:    57e5d03b585303d81e8b8e96d1230362852eb39aca92b3b29c7a42cfb82f9ac4
Actual:

Please try again or create a new issue by using the following link and paste your console output:
https://github.com/ScoopInstaller/Extras/issues/new?title=wezterm%4020240203-110809-5046fc22%3a+hash+check+failed

Defender links here:

https://go.microsoft.com/fwlink/?linkid=142185&name=Trojan:Win32/Vigorf.A&threatid=2147714384


bcookatpcsd avatar Jun 24 '24 02:06 bcookatpcsd

I'm seeing a similar detection from Sentinel One:

  • This binary imports functions used to raise kernel exceptions
  • This binary has an RWX section. It might contain self-modifying code
  • This binary contains abnormal section names which could be an indication that it was created with non-standard development tools

pmcmorris avatar Jun 24 '24 22:06 pmcmorris

I'm looking at the build artifacts from the consecutive Windows GH action runs, and the SHA1 sums of the strip-ansi-escapes.exe executable are always different, even though the size of the file is always 1088000 bytes:

Version                   SHA1 sum
20240617-020216-e2c55743  af6d4958a7fcbaf2debd0b212d4e1ab2327dcbfb
20240624-011554-a89a4a7c  bd1725a666f8c2b50b18462ecf85734ed35b5def
20240624-014549-e0b0e7ab  e7220bb6875d4b356572d1a77527a7d890670590

The files don't change too much between CI runs.

Aren't the builds supposed to be reproducible?

No pun intended — just curious.

+1 I got the same problem today.

g-berthiaume avatar Jun 27 '24 12:06 g-berthiaume
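An added example (not code from the wezterm project) for the same-size-but-different-hash observation above: it locates the byte runs in which two same-size PE builds differ and maps each run to the PE header field or section it lands in, so a reviewer can tell a link-time timestamp or an embedded build id from a change in code. The two builds are constructed in-memory stubs; build_sample_pe and its section layout are assumptions, not wezterm's real binaries.

```python
import struct
from itertools import groupby

def pe_sections(data: bytes):
    """Return (e_lfanew, [(name, raw_offset, raw_size)]) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H12xH", data, e_lfanew + 6)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    def entry(off):
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        return data[off:off + 8].rstrip(b"\0").decode("latin-1"), raw_ptr, raw_size
    return e_lfanew, [entry(table + i * 40) for i in range(nsec)]

def diff_runs(a: bytes, b: bytes):
    """Byte runs (offset, length) where two same-size files differ."""
    if len(a) != len(b):
        raise ValueError("sizes differ; this compares same-size builds only")
    runs, pos = [], 0
    for differs, grp in groupby(zip(a, b), key=lambda p: p[0] != p[1]):
        n = sum(1 for _ in grp)
        if differs:
            runs.append((pos, n))
        pos += n
    return runs

def compare_builds(a: bytes, b: bytes):
    """Tag each differing run with the PE region it falls in."""
    e_lfanew, sections = pe_sections(a)
    def region(off):
        if e_lfanew + 8 <= off < e_lfanew + 12:
            return "COFF TimeDateStamp"  # link-time stamp, varies per build
        for name, ptr, size in sections:
            if ptr <= off < ptr + size:
                return name
        return "headers/other"
    return [(off, n, region(off)) for off, n in diff_runs(a, b)]

def build_sample_pe(timestamp: int, tag: bytes) -> bytes:
    """Constructed minimal PE-shaped blob for the demo (assumption, not a real exe)."""
    buf, e_lfanew = bytearray(0x400), 0x40
    struct.pack_into("<2s58xI", buf, 0, b"MZ", e_lfanew)  # MZ stub + e_lfanew at 0x3C
    struct.pack_into("<4sHHIIIHH", buf, e_lfanew, b"PE\0\0", 0x8664, 2, timestamp, 0, 0, 0, 0x22)  # sig + COFF header
    for i, (name, ptr) in enumerate(((b".text", 0x200), (b".rdata", 0x300))):
        off = e_lfanew + 24 + i * 40  # optional header size is 0 in this stub
        buf[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", buf, off + 8, 0x100, 0x1000 * (i + 1), 0x100, ptr)
    buf[0x300:0x300 + len(tag)] = tag  # build-specific id embedded in .rdata
    return bytes(buf)
```

To run it against two real artifacts, pass the bytes of each file (open(path, "rb").read()) to compare_builds in place of the constructed stubs.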

I can report the same problem.

stravid avatar Jun 30 '24 17:06 stravid

Hey, I can confirm this, too. The latest stable release got detected. In my case my company laptop got flagged because of this incident and had to be exchanged for security reasons. Very unpleasant experience 😒. Maybe a warning on the website would be reasonable.

MarWeUMR avatar Jul 02 '24 14:07 MarWeUMR

Also https://www.virustotal.com/gui/file/ac6b05ae682c120778791eb942895db8fe1e513787c718df6996a3895d82c1c3

Isn't this a bit... weird that we didn't hear anything from the maintainer in all this time since I opened this issue?

adrian-afl avatar Jul 02 '24 17:07 adrian-afl

🦗 🦗 🦗

(they look like green chickens.. ) but supposed to be

:cricket

bcookatpcsd avatar Jul 02 '24 17:07 bcookatpcsd

Isn't this a bit... weird that we didn't hear anything from the maintainer in all this time since I opened this issue?

No. You have opened a duplicate issue for something that has already been responded to and addressed https://github.com/wez/wezterm/issues/5074#issuecomment-1974922875

Pajn avatar Jul 07 '24 12:07 Pajn

sigh

Yes..

https://wezfurlong.org/wezterm/install/windows.html

WezTerm-windows-20240701-070926-69686f45

This opens and runs..

Scoop still shows:

Scoop was updated successfully!

C:\Users\Owner>scoop install wezterm
Installing 'wezterm' (20240203-110809-5046fc22) [64bit] from 'extras' bucket
WezTerm-windows-20240203-110809-5046fc22.zip (63.1 MB) [======================================================] 100%
Checking hash of WezTerm-windows-20240203-110809-5046fc22.zip ... Get-FileHash : The file
'C:\Users\Owner\scoop\apps\wezterm\20240203-110809-5046fc22\WezTerm-windows-20240203-110809-5046fc22.zip' cannot be
read: Operation did not complete successfully because the file contains a virus or potentially unwanted software.

@adrian-afl

bcookatpcsd avatar Jul 08 '24 11:07 bcookatpcsd

@Pajn No. You have opened a duplicate issue for something that has already been responded to and addressed https://github.com/wez/wezterm/issues/5074#issuecomment-1974922875

I can't entirely agree with the mentality that "it's OSS, therefore you can audit the project if you want". This project has a 7000+ line cargo.lock file.

To me, the situation should at least be mentioned in the README.

g-berthiaume avatar Jul 11 '24 14:07 g-berthiaume

Duplicate of https://github.com/wez/wezterm/issues/5074

wez avatar Jul 13 '24 21:07 wez

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot] avatar Aug 13 '24 03:08 github-actions[bot]