hashicorp / hc-install

Go module for downloading or locating HashiCorp binaries, verifying signatures and checksums, and asserting version constraints.

Home Page:https://pkg.go.dev/github.com/hashicorp/hc-install


Malware in package

frek818 opened this issue · comments

Today, I cloned the repo brittandeyoung/terraform-provider-awsteam, which consumes hc-install, then a few moments later I got the following Netskope pop-up on my computer.

I'm not sure what it's about but I wanted to give you a heads up about it. This is the URL referenced in the screenshot:

storage.googleapis.com/proxy-golang-org-prod/1ac4e5eff70b71ce-github.com:hashicorp:hc-install-v0.6.1.zip

Screenshot 2023-12-15 at 9 32 04 AM

Hi @frek818
Thank you for the report.

The URL is presumably just a result of an implementation detail of the default Go proxy, i.e. it's where you eventually get redirected from https://proxy.golang.org/github.com/hashicorp/hc-install/@v/v0.6.1.zip as per the proxy protocol documented at https://go.dev/ref/mod#goproxy-protocol which is in turn used under the hood by go mod subcommands. I can confirm the URL matches one that I get when following the redirect myself.

Just to confirm - are you able to reproduce this by simply following that URL I linked above?

It surprises me that the screenshot indicates that the download was triggered by Google / Google Cloud Storage but that may just be some confusing wording in the message.

Could you share any more details about the software which flagged this as malware, so we can try to reproduce and investigate?
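The zip named in the report is the module archive the Go proxy serves, and the Go tooling only accepts it if it hashes to the value recorded in go.sum and sum.golang.org. As an added example (not hc-install's code and not part of this thread), the function below recomputes that "h1:" hash from a zip with the standard library only, so the archive on disk can be checked against the go.sum line; the module path, version and go.sum line in the example constant are constructed.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"sort"
	"strings"
)

// ModuleZipHash returns the "h1:" hash that go.sum and sum.golang.org record for
// a module zip (the Hash1 scheme of golang.org/x/mod/sumdb/dirhash, rewritten
// here with stdlib only): one line "<sha256 hex>  <name>\n" per file in name
// order, then the sha256 of those lines, base64-encoded.
func ModuleZipHash(zipData []byte) (string, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	if err != nil {
		return "", err
	}
	sort.Slice(r.File, func(i, j int) bool { return r.File[i].Name < r.File[j].Name })
	summary := sha256.New()
	for _, f := range r.File {
		rc, err := f.Open()
		if err != nil {
			return "", err
		}
		fh := sha256.New()
		_, err = io.Copy(fh, rc)
		rc.Close()
		if err != nil {
			return "", err
		}
		fmt.Fprintf(summary, "%x  %s\n", fh.Sum(nil), f.Name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil)), nil
}

// MatchesGoSum reports whether zipData hashes to the h1 field of a go.sum line
// such as "github.com/hashicorp/hc-install v0.6.1 h1:<hash>".
func MatchesGoSum(zipData []byte, goSumLine string) bool {
	got, err := ModuleZipHash(zipData)
	return err == nil && strings.HasSuffix(goSumLine, " "+got)
}

// ExampleGoSumLine is a constructed go.sum line; its hash is that of an empty
// module zip (sha256 of no summary lines), usable as a known-answer check.
const ExampleGoSumLine = "example.com/mod v0.0.1 h1:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
```

On a real machine the archive to check lives under the module cache at $GOMODCACHE/cache/download/<module>/@v/<version>.zip and the reference line in the consuming project's go.sum.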

It's called NetSkope Client App. It's security software that my company installs. I believe it does many things but one thing that I'm aware of is that it proxies/intercepts network traffic for inspection.

Screenshot 2023-12-15 at 3 39 42 PM

I get this error when I follow the link [https://proxy.golang.org/github.com/hashicorp/hc-install/@v/v0.6.1.zip].

Screenshot 2023-12-15 at 3 42 56 PM

I'm surprised too because I didn't execute any commands that would have downloaded a zip file.

  1. I forked brittandeyoung/terraform-provider-awsteam to frek818/terraform-provider-awsteam
  2. Clone frek818/terraform-provider-awsteam
  3. Set up an "upstream" remote to brittandeyoung/terraform-provider-awsteam
  4. Fetch upstream.
  5. Within a couple of minutes the alert popped up.

Screenshot 2023-12-15 at 11 31 36 PM

I figured out what triggered it on my end. Some configuration in my neovim caused it to execute gopls.

Thank you for providing all the details.

I have asked our internal security team(s) for advice on this since I don't know what more I could do from here, given that the software does not have a publicly available trial version that would help reproduce this.

Quick update: It's being triaged by the Security team. All I can say right now is that there are a number of vendors reporting this as malicious according to VirusTotal.

This does not necessarily imply either a genuine or a false positive yet, just a piece of the puzzle for now. I will post here again once I know more.

@frek818 With the help of our security team we were able to pinpoint this down to two archives:

The binaries should contain nothing but a compiled version of this file using the relevant go.* files tracking dependencies. We also document how it was compiled in https://github.com/hashicorp/hc-install/tree/main/releases/testdata#how-to-generate-new-mock-terraform-builds, so feel free to compile the same code yourself and submit to VirusTotal.

I am hoping to get some more details once the same team performs some deeper analysis of those archives and source code. That should help us further understand why it's getting flagged.

@radeksimko, thanks for the information. Assuming that it turns out to be a false positive, is there a way for your team to get the false positive removed from the software that is flagging it?

Assuming that it turns out to be a false positive, is there a way for your team to get the false positive removed from the software that is flagging it?

I am not familiar with the process myself but yes it is ultimately the goal to avoid this from being flagged. I'm hoping to have some more updates next week.

Apologies for the delay. Here are some updates from my colleague on the security team:

there’s nothing you can do in cases like these except report false positives to each anti-malware vendor flagging the binaries.

Their reasons for flagging something as “Sliver” for example can be pretty opaque in order to keep malware authors from working around their (sometimes flawed) heuristics.

I’ve statically and dynamically analyzed the hc-install binaries that were flagged on VT and did not find any malware in general or Sliver malware in particular. Both are written in Go and unfortunately may share some characteristics that anti-malware vendors have naively turned into a detection signature.

I will try to report the archives to the AV vendors where I can find a way to do it but in general it does not appear to be a straight-forward process with most, unfortunately. These are the ones I was able to find so that's where I will submit:

We have high enough confidence there is no malware and that these AVs are simply mis-classifying the archives.

@frek818 If you can find a process/email/form for Netskope I would be more than happy to submit it or have you submit it to them. Aside from that I'm afraid there isn't much more we can do here.

I have submitted requests to all AV vendors which flagged any version of hc-install as red in VirusTotal through contact methods I was able to find (contact form on the website or email). Some of them were prompt to respond, some have not acknowledged my request yet. Either way, there is far less "red" in all these reports and I'm hoping it will turn all green eventually:


As for Netskope, I contacted them at support@netskope.com and they responded with the following:

We would suggest to reach out to us via our customer/users who are encountering this issue.
We would need details of the reported account for further processing.
Please reach out to us via your customer who is utilising our product.

I have no more visibility into their process to even verify whether hc-install is being flagged and which version and I am not aware of any intentions of HashiCorp buying Netskope's security solution to be able to make reports directly.

Therefore you will have to follow up with them I'm afraid @frek818

With all that in mind I'm going to close this as I believe I have done all I can here.