-
-
Notifications
You must be signed in to change notification settings - Fork 13.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feature Request] Add FRP antivirus note to documentation/README, maybe make FRP more visible on windows. #3637
Comments
Can you commit a PR to update the README? |
Hi, @fatedier, can you give the reports a closer look? Apparently some features offered by FRP also made it a good tool for by hackers to facilitate actual attacks. While changing the README is necessary to make users aware of the anti-virus situation before download/deploy, fundamentally something has to be changed in order to make this software less useful for attackers. Showing an icon in the Windows system tray could be useful, but I'm afraid not to the degree that we might have hoped, since the analysis hosted on IBM X-Force Exchange suggested that the attacker might deploy their own fork of FRP with it's source code modified to help with their attacks. This in turn suggests that the attacker might also just remove whatever stinker code you put into FRP. Maybe you can ship two versions? One open sourced one with limited forwarding capabilities (can only proxy specific protocols such as HTTP/HTTPS/FTP etc), and a close-sourced one with capability of relaying arbitrary TCP/UDP connections under numbers of hard restrictions (for example, hardcoded destination/port allowlist/blocklist). Maybe you can also sell the close-sourced one for a profit too, which might help improve the personal situation that you've mentioned in the README file. |
The reason for detections is that reverse proxies are used to bypass firewalls/port restrictions (whether that be for legitimate or malicious reasons). Reverse proxies are the core feature of frp, so I don't think it is possible/realistic to reduce the usefulness to malware by removing features. I don't think the protocols matter; malware can easily switch and its a huge restriction for users. With regards to forking/modifications, forcing malware authors to modify the program allows antivirus to flag the modification rather than the whole program. Beyond that, code signing/certification could be used to stop the files from being modified. I'm not sure it is worth trying too hard to remove detection/appease AV via modifications, as AV vendors probably will not care. If I were managing a company's computers/network, I would prefer that these tools be flagged and require approval from admin/IT for use, which is probably the mindset the AV vendors have here. The fact that some AVs already mark it as not-a-virus shows that they know it is not malware but still wish to restrict it anyway due to its capabilities. For the English readme update, I added a small addition to the examples (installation) section informing users about the problem. I linked this issue if people want further information. I guess the issue can remain open after the readme change if the maintainers think more discussions/improvements can be done. Two improvements I like are:
I might try to do # 2 (will make a new issue if I do). |
I understand the thinking, but I couldn't agree with the conclusion, since there are other reverse proxies out there, and antivirus software is giving them a complete different treatment. For example, All of those are reverse proxies, Inlets Pro even allows you to self-host, just like FRP. So what is the different that made FRP (and NPS actually) a target? Or, to put it into other words, why hackers used FRP, not Inlets or |
Or, to put it into other words, why hackers used FRP, not Inlets or cloudflared or ngrok or even just good old socat? Well, because frp is smaller, faster and easier to deploy. And it's basically freeware, ngrok is commercial and they will file lawsuits if they mark it as malicious, because it will END the company in one day. It's all about corporate mentality. Anyway this AV issue will never go away. The only solution/workaround I found for this is by using a (rather convolute) WSL2 approach i.e. run frpc/frps into this Linux layer they built into Windows. 100% legit. P.S. Anti-viruses and "security softwares" are the NEW SOFTWARE MAFIA/MOB. |
@Wyk72 , I tried to run frpc in WSL2 using latest 0.53.2_linux_amd64, but when I run frpc, it tells me : |
Describe the feature request
FRP is a reverse proxy, which has good uses, but is also useful for getting past firewalls and security.
There are reports of malware using FRP to communicate so that they are not as easily identified:
On a VirusTotal scan, you can see from the naming that some antiviruses are simply detecting it because of the utility for malware even though the antivirus vendors know it is not malware.
etc.
Because of this, I doubt that it will stop being detected, and the likely best outcome is FRP still getting detected but marked as Not-a-virus, HackTool, Riskware, etc. so that users are not scared.
The documentation/readme should mention this in order to avoid confusion, particularly for windows users.
Maybe visibility on windows could also be increased, but it might make it uglier/be a distraction. For example, an icon could appear in the system tray or taskbar when FRPC is running, which would make malware authors more likely to avoid using it.
Describe alternatives you've considered
No response
Affected area
The text was updated successfully, but these errors were encountered: