h2non / filetype

Fast, dependency-free Go package to infer binary file types based on the magic numbers header signature

Home Page: https://pkg.go.dev/github.com/h2non/filetype?tab=doc

sample.dex file triggering antivirus engines :/

darkvertex opened this issue · comments

I just had an awkward situation trying to `go get` a tool that used this module from my work laptop, and the corporate cybersecurity solution (Fortinet Forticlient Antivirus) tripped on the sample.dex, telling me it thinks it's some kind of Android trojan:

(screenshot)

VirusTotal also reports positives from several other AV engines:
https://www.virustotal.com/gui/file/8995adc809fd239ecd2806c6957ee98db6eb06b64dac55089644014d87e6f956/detection

That said, I don't believe you meant harm or are trying to sneak trojans into the world. This looks like an unfortunate case of a suspicious file that made it into the unit test suite; that is all.

I saw it was added by a commit from @mikusjelly, but where did they get the file from? In any case, do you think it could be possible to swap it for another .dex that is not flagged as highly suspicious? If you upload the new .dex to virustotal.com for a scan and it comes out totally clean, then it's good for the repo.

What do you think?

ps: I emailed Fortinet to report it as a possible false positive and they came back to me with:

The sample contains suspicious codes that are related to the SMS service, purchase interface, payment, bill, China Mobile, China Unicom, and China Telecommunications Corporation.
The class names and function names are all simply obfuscated, and it also involved the "android.provider.Telephony.SMS_RECEIVED" and "android.provider.Telephony.SMS_DELIVER" as part of the suspicious behaviors.

commented

Thanks for reporting this. This seems like an unfortunate false positive.
I don't see any solid argument in their response that gives a well-founded reason to believe there is malicious executable code there, besides it requesting to use certain OS access permissions.
Anyway, I don't mind deleting the file; it's just a fixture in the end.

commented

Alright, the user who committed that file has recently deleted their account. Hard to believe it's a coincidence, so I have deleted the file and will push a new release soon.

commented

Both fixtures committed by this user were deleted and a new tag release was pushed: v1.1.1.