Work-around antivirus false positives

[yan12125]

There are two program in recent zipped releases. The main program is fine, while somehow the CLI wrapper is incorrectly marked by many antivirus software:
https://www.virustotal.com/gui/file/7988a764b9dbb7b066ef41fc1a3d4db16b5c3c2a28da937c2f428b2e927b4a1f/relations

The CLI wrapper is for usage in the terminal only (#193 (comment)), so a possible workaround is providing alternative zipped releases without the CLI wrapper. What do you think?

[Martchus]

It would be possible but I'd rather keep them in one archive as the CLI is not self contained and there are already enough downloads to choose from. It seems rather random what gets detected in general so this improvement would maybe not even be useful anymore on the next release.

[yan12125]

Okay, no problem.

[yan12125]

As a record, updated installation script using pkg.tar.zst passed virus scanning.

[Martchus]

Looks like that's only using the Qt 5 based version, though. I highly recommend using the Qt 6 based version unless one is using Windows 8 (or even older). I only provide the Qt 5 based versions for the sake of compatibility with older Windows versions anymore.

[yan12125]

Oops, good catch. Thank you very much for reviewing. I will update it when I'm back to my Windows machine.

There was indeed a call for Windows 7 [1]. I noticied it long after the comment is created, though.

[1] https://community.chocolatey.org/packages/syncthingtray/1.4.4#comment-5699359274

Update 2023/07/26: I switched back to the Qt6-based tarball, and the updated Chocolatey package is now queued for automatic validation.

[titro]

unfortunately 1.4.5 is marked as Virus again from Windows AV...:-(

[yan12125]

It would be possible but I'd rather keep them in one archive as the CLI is not self contained and there are already enough downloads to choose from.

Could you reconsider this? The pkg.tar.zst trick is now rejected during a manual review for the Chocolatey package [1]. I don't have another idea on how I can keep the Chocolatey package up-to-date without upstream changes.

A better approach than my original proposal might be creating another pkg.tar.zst package without the CLI wrapper, besides the current one. Zip files in the GitHub download section are still created from the current pkg.tar.zst package, which comes with the CLI wrapper, so nothing is changed for end users.

It seems rather random what gets detected in general so this improvement would maybe not even be useful anymore on the next release.

It may not be that random. The CLI wrapper is introduced in syncthingtray 1.4.2, and the number of false virus alarms goes from 0 to 30 also in 1.4.2:

• 1.4.2: 30 detections https://www.virustotal.com/gui/file/a28347c28ab5c16a72e365f0ff9169a7f8b24ebb09d6605422becabbd33c6c08/relations
• 1.4.1: 0 detections https://www.virustotal.com/gui/file/b6cab74ca6c6715ac9f45e42398713d09c7e7ecdff11a0965855c1f314525f26/relations

And the number of false alarms remains high for all of 1.4.2~1.4.7.

[1] https://community.chocolatey.org/packages/syncthingtray/1.4.6 - see the latest comment by Windos

[Martchus]

A better approach than my original proposal might be creating another pkg.tar.zst package without the CLI wrapper, besides the current one. Zip files in the GitHub download section are still created from the current pkg.tar.zst package, which comes with the CLI wrapper, so nothing is changed for end users.

I could split this up on my end but it complicates things. Maybe I'll do it when I have the time. You can of course also just do this on your end as noone prevents you from creating an archive and host it somewhere :-)

---

It may not be that random.

I still consider it kind of random in the sense that these anti virus programms just tell me this executable is bad but not really why. They don't point out what actually is bad about it. They just frame harmless applications randomly as "bad".

---

Ideally you would follow one of two options:

1. Abandon usage of software that frames other more useful software as bad. I highly recommend that.
2. Fix the anti virus software, e.g. open an issue on their bug tracker or follow some kind of process for reporting false positives.

By the way, the code of the wrapper is https://github.com/Martchus/cpp-utilities/blob/master/cmake/templates/cli-wrapper.cpp. It is built with the latest GCC using the latest version of libstdc++. That's all and pretty standard. Anti virus software considering this a virus must be a pretty crappy piece of software - that's why I'd recomment option 1.

[yan12125]

I could split this up on my end but it complicates things. Maybe I'll do it when I have the time. You can of course also just do this on your end as noone prevents you from creating an archive and host it somewhere :-)

I prefer to avoid third-party binary hosting as that can bring concerns around trustworthiness. For example, there was a question about whether ftp.f3l.de is good or not [1].

Is a new package just a matter of maintaining PKGBUILDs or some manual operations are required? I can submit pull requests to https://github.com/Martchus/PKGBUILDs for future syncthingtray versions if you wish.

I still consider it kind of random in the sense that these anti virus programms just tell me this executable is bad but not really why. They don't point out what actually is bad about it. They just frame harmless applications randomly as "bad".

I would probably say anitivirus programs are consistently broken instead of random.

Abandon usage of software that frames other more useful software as bad. I highly recommend that.

It is unlikely Chocolatey community will drop "virus scan" from automatic package moderation process. I'm not sure if there is a way to move away from antivirus software without dropping the Chocolatey package altogether.

[1] https://gitlab.com/yan12125/chocolatey-packages/-/issues/3

[Martchus]

I prefer to avoid third-party binary hosting as that can bring concerns around trustworthiness. For example, there was a question about whether ftp.f3l.de is good or not [1].

All packages are signed so it should be pretty easy to validate whether they come from me regardless where they are hosted.

Is a new package just a matter of maintaining PKGBUILDs or some manual operations are required? I can submit pull requests to https://github.com/Martchus/PKGBUILDs for future syncthingtray versions if you wish.

The biggest problem with creating an additional PKGBUILD is that I need to build it and my server is slow/busy enough as it is. So I would really like to avoid building things twice. It would be possible to make a split package so that the existing PKGBUILD would produce multiple archives. However, I would prefer to avoid this additional complexity on that level as it would mean even more different archives and additional logic in my script to make the zip archive.

I would probably say anitivirus programs are consistently broken instead of random.

Ok, I guess saying that makes sense :-)

It is unlikely Chocolatey community will drop "virus scan" from automatic package moderation process. I'm not sure if there is a way to move away from antivirus software without dropping the Chocolatey package altogether.

I guess there could still be improvements in the workflow. One could make exceptions for instance. If an anti virus scanner clearly does a bad job it shouldn't be considered a source of truth. Or one could make the check only on the resulting Chocolatey package instead of checking everything in the upstream archive. Note that you can always build Syncthing Tray from sources. Me as the author of Syncthing Tray would also encourage that because it helps uncovering build system issues.

[Martchus]

I could also provide the CLI wrappers in a different zip file. That would be easy to implement but then I'd end up with even more files in the GitHub release section so that would also not be ideal.

[yan12125]

Thank you very much. I think I fully understand your concerns around adding/changing tarballs. I will try creating my own package and then contact Chocolatey moderators.

My first idea is forking this repo, adding a GitHub Actions pipeline to repackage https://github.com/Martchus/syncthingtray/releases/download/vx.y.z/syncthingtray-x.y.z-x86_64-w64-mingw32.exe.zip without the CLI wrapper. The exe binary remains the same as the one built on your server, so hopefully this change will not increase your burden on supporting Windows.

I guess there could still be improvements in the workflow.

Yes, this makes sense.

[yan12125]

As a record, I created a GitLab CI job for repackaging [1][2], and the result is now under moderation by Chocolatey contributors [3].
[1] https://gitlab.com/yan12125/chocolatey-packages/-/blob/main/.gitlab-ci.yml?ref_type=heads
[2] https://gitlab.com/yan12125/chocolatey-packages/-/blob/main/syncthingtray/repackage.py?ref_type=heads
[3] https://community.chocolatey.org/packages/syncthingtray/1.4.7

[TomLucidor]

Brave browser has the same issue as well refusing to download

[Martchus]

Ok, but I guess that doesn't really change what I can do about it. If Brave browser is framing my application as harmful you need to tell them on their issue tracker about the false positive; not me because I cannot help improving that browser obviously.