hello world and anything detected by global check (virustotal) #866
Comments
Test with garble -tiny build
Test with go build + strip --strip-all
What is the complete command for the "strip" option?
I think strip --strip-all or we can use sstrip
It is absolutely normal for the binary to be detected as malware after obfuscation. Malware developers always obfuscate their binaries in the same way as garble to protect their malware.
I have tried with a regular binary, no obfuscation, and it works fine. But garble and Defender don't like it.
If someone wants to investigate how to avoid issues with common antivirus software, you're welcome to post your findings here or send patches. I don't have an interest in looking into this. My only guess is that the Go runtime has a lot of dangerous-looking code due to the nature of what it does, and it's likely that antivirus products know to whitelist it to prevent false positives with Go programs. Once a Go program is obfuscated, that sort of special treatment is likely not present.
Fast check. With compiler patches: https://www.virustotal.com/gui/file/db46d0680b87e8eb5682828971750e5be6fecbc2b1b1341589667fc030e3b5c1?nocache=1 No difference on virustotal, but I have Windows Defender and it blocked me from using garble with compiler patches:
What is the command line for the compiler patch? Thank you for your response.
This is an impossible thing to fix for the simple reason that terrible people are using your wonderful code to obfuscate terrible things. If you change the signature of how you obfuscate, then the next generation of terrible tools by terrible people will evade detection for a short time until the new signature eventually ends up in malware databases and you will be back where you started. I believe this is something all obfuscation projects must live with.
Currently garble doesn't have that key; the only way is to manually modify the garble sources - https://github.com/burrowers/garble/blob/master/main.go#L465
Agree, I think we can solve this problem using non-software methods (KYC, cooperation with antivirus companies, etc.), but this is definitely not implementable with an open source project that can be used by anyone.
What version of Garble and Go are you using?
What environment are you running Garble on?
go env
Output
What did you do?
What did you expect to see?
It's clear
What did you see instead?
www.virustotal.com/gui/file/49ff8d1a0fa0373fd5b2eb3bf13af8ad48f7a186dc6b5b9e3358ae37e1dc6223
Ask to add
Can we make GoReSym hidden?