This repository has been archived by the owner on Jul 5, 2024. It is now read-only.

Trojan detected #28

Closed
theresia-tobii opened this issue Jan 12, 2022 · 7 comments
Labels
question Further information is requested

Comments

@theresia-tobii

I was building a few and installing a few clowd.squirrel based releases locally when windows defender started to complain about a trojan in squirrel.exe/update.exe. I can now neither run the pack/releaseify commands nor any previously built installer :(. Have you seen this before?

[screenshot attached]

@theresia-tobii
Author

Here is a log from the pack command:

Latest full package found: TobiiSquirrelSample-1.3.0-dependencies0003-full.nupkg
[INFO] HelperExe: Packing '.\Stage\Sample\published' into nupkg.

[ERRO] System.IO.IOException: Operation did not complete successfully because the file contains a virus or potentially unwanted software. : 'C:\git\gaming-squirrel-net\Stage\Sample\packages\clowd.squirrel\2.7.34-pre\tools\Update.exe'
at System.IO.FileSystem.CopyFile(String , String , Boolean )
at System.IO.File.Copy(String , String , Boolean )
at SquirrelCli.Program.Releasify(ReleasifyOptions options)
at SquirrelCli.Program.Pack(PackOptions options)
at SquirrelCli.CommandAction`1.Execute(IEnumerable`1 args)
at SquirrelCli.CommandSet.Execute(String[] args)
at SquirrelCli.Program.Main(String[] args)

@theresia-tobii
Author

Had I been able to change antivirus settings (I can't because they are managed by our IT department) I could have excluded the folder I'm working in, but that would not help our users if they run into the same thing.

@caesay
Member

caesay commented Jan 13, 2022

Unfortunately .NET 6 PublishSingleFile binaries (Update.exe) and the installer (Setup.exe) are usually detected for mostly the same reason: they both contain compressed executable code. This is a common tactic of viruses that compress/obfuscate their payloads.

This is a common problem for application developers, and was an issue in the old squirrel also. It's also getting worse as AI/heuristic-based virus detection methods are more common, as they will be biased to just detect anything that has compressed code in it as a virus (as it's far more common for viruses to have this). You can see that your detection was one of these: Bearfoos.A!ml, my understanding is the !ml stands for machine learning.

As far as I know, there is nothing that can be done to Squirrel code to avoid it being detected. There are two things you can do to your own app to prevent it being detected:

Unfortunately, I can not ship a pre-signed version of Squirrel (Update.exe and Setup.exe) to you, because they are modified during package creation and the signature would be invalid.

@caesay caesay closed this as completed Jan 13, 2022
@theresia-tobii
Author

I managed to get it to work once I added signing.

@theresia-tobii
Author

Unfortunately it now picks up on signed things as well :(

@caesay
Member

caesay commented Jan 19, 2022

I sympathize, but there is nothing that can be done to Squirrel to help with this. If you have any concrete suggestions, I'm happy to hear them.

As far as your own application, you can:

  • Sign all your executables with a reputable code signing certificate
  • Submit your app to Microsoft for malware analysis before you ship it to your users. (Other AV vendors also have submission pages for false positives, you can check to see which vendors are detecting your app by uploading it to VirusTotal)

Also, file reputation can be built up over time by:

  • Always distributing your app from the same URL
  • Not rebuilding exes that have not changed (i.e. the file hash stays the same)

There may be other suggestions online for dealing with this problem. Feel free to google, you will see this is a very common issue. For me, even a simple empty net6 PublishSingleFile project is detected as a virus right now.
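
Two of the suggestions above (check which engines flag the file on VirusTotal, and keep the hash of unchanged binaries stable between releases) are easy to automate. The script below is an added example written for this page; it is not Squirrel, Velopack or any participant's code. It hashes two constructed release trees to show which files would lose their earned reputation on a rebuild, and it reads a constructed VirusTotal v3 file-report excerpt (only the field names, `data.attributes.last_analysis_results` with per-engine `category`/`result`, follow the public API) to list the vendors worth sending a false-positive submission to.

```python
"""Pre-release hygiene checks for a Squirrel/Velopack-style package directory.

1. Which files changed since the previous release, by SHA-256?  A file whose
   hash is unchanged keeps whatever reputation AV vendors already assigned it;
   a needlessly rebuilt exe starts from zero again.
2. Which AV engines flagged the binary in a VirusTotal report?  Those are the
   vendors to contact with a false-positive submission.

The release trees and the VirusTotal report are constructed for this example.
"""
import hashlib
import json
import os
import tempfile

# Constructed VirusTotal v3 file-report excerpt (field names per the public API;
# the VBA32 verdict mirrors the one reported in this thread).
VT_SAMPLE = """{
  "data": {"attributes": {
    "last_analysis_stats": {"malicious": 1, "undetected": 2},
    "last_analysis_results": {
      "VBA32":      {"category": "malicious",  "engine_name": "VBA32",      "result": "TrojanPSW.Rusty"},
      "Microsoft":  {"category": "undetected", "engine_name": "Microsoft",  "result": null},
      "ESET-NOD32": {"category": "undetected", "engine_name": "ESET-NOD32", "result": null}
    }
  }}
}"""


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large installers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map release-relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(previous, current):
    """Classify files as unchanged / changed / added / removed between releases."""
    unchanged = sorted(p for p in current if previous.get(p) == current[p])
    changed = sorted(p for p in current if p in previous and previous[p] != current[p])
    added = sorted(p for p in current if p not in previous)
    removed = sorted(p for p in previous if p not in current)
    return {"unchanged": unchanged, "changed": changed, "added": added, "removed": removed}


def flagged_engines(vt_report):
    """Return {engine: verdict} for engines that rated the file malicious or suspicious."""
    results = vt_report["data"]["attributes"]["last_analysis_results"]
    return {name: r["result"] for name, r in results.items()
            if r.get("category") in ("malicious", "suspicious")}


def demo():
    """Build two constructed release trees and run both checks on them."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "v1"), os.path.join(tmp, "v2")
        for d in (old, new):
            os.makedirs(os.path.join(d, "lib"))
            # Update.exe is byte-identical in both releases: its hash (and reputation) survives.
            with open(os.path.join(d, "Update.exe"), "wb") as f:
                f.write(b"MZ\x90\x00 stand-in for Update.exe")
        # The application exe was rebuilt, and a helper dll was added.
        with open(os.path.join(old, "lib", "App.exe"), "wb") as f:
            f.write(b"MZ app build 1")
        with open(os.path.join(new, "lib", "App.exe"), "wb") as f:
            f.write(b"MZ app build 2")
        with open(os.path.join(new, "lib", "Extra.dll"), "wb") as f:
            f.write(b"MZ new helper")
        report = diff_manifests(build_manifest(old), build_manifest(new))
    return report, flagged_engines(json.loads(VT_SAMPLE))


if __name__ == "__main__":
    changes, engines = demo()
    for kind, files in changes.items():
        print(f"{kind:>9}: {files}")
    print("flagged by:", engines)
```

In practice you would persist the manifest from `build_manifest()` alongside each release and fail the pipeline when a file lands in `changed` without a corresponding source change; the `flagged_engines()` output is what you paste into each vendor's false-positive form.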

@Dunge

Dunge commented Apr 3, 2024

Still today, an installer packed with Velopack AND EV code signed is still detected as a trojan in VirusTotal by VBA32 as "TrojanPSW.Rusty". That anti-virus company doesn't seem to be very trustworthy, but it triggers the VirusTotal (hence Cisco) scan and prevents my app from being used in secure environments. I know there's not much that can be done about this, but it's quite disappointing.
