Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

package being detected as a virus #186

Open
aviramha opened this issue Jul 10, 2022 · 54 comments
Open

package being detected as a virus #186

aviramha opened this issue Jul 10, 2022 · 54 comments
Labels
question Further information is requested

Comments

@aviramha
Copy link

aviramha commented Jul 10, 2022

Note from the maintainer:

This package conditionally displays a friendly message when installed via npm.

The message appears only if the computer's locale timezone is set to one of the Russian timezones and politely advises users to seek reliable sources of truth regarding the war in Ukraine. The message is short and concise.

Note that it is not uncommon for npm packages to print some information upon installation. Hundreds of packages on npm do this: https://github.com/search?q=%22%5C%22postinstall%5C%22%22+language:json&type=code. Are they reported by any anti-virus software?

This post-install logic is not part of the package's core functionality. It does not affect how the package operates when used. If you rely on a prepackaged product that depends on this package, this logic is not included in your product.

At worst, this behavior could be considered protestware, but labeling it as dangerous to users is simply incorrect. If any anti-virus software flags this behavior, please report it to them, as this is a bug on their side that unnecessarily complicates your experience.


Original post:

We updated our version of es5-ext and faced an error when publishing to VS Code marketplace when they ran anti virus scan.
Checking it offline, we found out that VirusTotal started detecting the version with the manifest as a virus, hence forcing us to stay with last version before manifest.

I don't wish to get into the politics and decision - I believe this is entirely up to the package creator and maintainer to decide as it's their software, but opening this as a FYI.

@medikoo
Copy link
Owner

medikoo commented Jul 10, 2022

@aviramha there's no virus in this package. Please report the issue to the VS Code.


Added later:

I'll be happy to report this issue to any anti-virus or security service, yet I need precise instructions from you on where I can do it?

I'm not aware of any reports on my own (my work and my personal digital life are not affected by it).

Please post instructions as comments in this thread. Thank you!

@medikoo medikoo added the question Further information is requested label Jul 10, 2022
@aviramha
Copy link
Author

I know there's no virus. It's also not VS Code probably as more than 1 anti viruses detect it s a virus. I'd assume contacting each anti virus but I'm really pessimistic about Kaspersky not tagging this as a virus.

@aviramha
Copy link
Author

We emailed the marketplace team BTW, but given past experience, as written before I wouldn't hold my breath.

@medikoo
Copy link
Owner

medikoo commented Jul 10, 2022

@aviramha thanks for emailing them.

AFAIK it's Kaspersky (Russian anti-virus) that does this kind of thing, but it's also discouraged to rely on this antivirus now (many sources warn against using it). So I guess VS Code might have fallen in to trap of relying on it (or on the antivirus that uses its database).

They really should fix it.

@Rush
Copy link

Rush commented Jul 16, 2022

The problem is that this package is doing more than it advertises. It not only extends es5 with extra methods and shims, it also implements a "Call for peace" message. I think it's an unacceptable practice that slows done installation process.

https://github.com/medikoo/es5-ext/blob/main/_postinstall.js

I discovered it as yarn started printing that es5-ext is "building" while in fact it's processing the anti-war script.

Send more weapons to Ukraine and beat the Ruskis but do not pollute my dev environment. And I am saying this with a complete recognition that Russia is the warmonger.

@Rush
Copy link

Rush commented Jul 16, 2022

So the real reason this is a virus is that it's doing needless postinstall actions that depend on the location of the user. What next? If somebody is in Russia, maybe delete all of their files? How much more evil do Ruskis need to do for this to become OK?

@medikoo
Copy link
Owner

medikoo commented Jul 16, 2022

@Rush this package will never do more, than showing a simple message (manifest) if some installs it in Russia. Reasoning for that was elaborated extensively at #116, so let's not dive into unconstructive discussions here, this is not in the scope of this issue.

Repository owner deleted a comment from JarvisQJ Jul 19, 2022
@andrey-helldar
Copy link

andrey-helldar commented Jul 23, 2022

Kaspersky Anti-Virus also detects the package as a virus:

Event: Object deleted
Program name: node.exe
Program path: C:\Users\Helldar\AppData\Local\nvs\node\16.16.0\x64
Component: File Anti-Virus
Result Description: Removed
Type: Program that can harm
Name: Hoax.JS.ExtMsg.a
Accuracy: Precise
Threat Level: Medium
Object type: File
Object name: _postinstall.js
Object Path: D:\domains\volunteers\web\node_modules\es5-ext
MD5: CF2BB0D501167A2D3A0764227C3D7E16

Original:

Событие: Объект удален
Имя программы: node.exe
Путь к программе: C:\Users\Helldar\AppData\Local\nvs\node\16.16.0\x64
Компонент: Файловый Антивирус
Описание результата: Удалено
Тип: Программа, которая может нанести вред
Название: Hoax.JS.ExtMsg.a
Точность: Точно
Степень угрозы: Средняя
Тип объекта: Файл
Имя объекта: _postinstall.js
Путь к объекту: D:\domains\volunteers\web\node_modules\es5-ext
MD5: CF2BB0D501167A2D3A0764227C3D7E16

I think it's because of this text: https://github.com/medikoo/es5-ext/blob/main/_postinstall.js#L31-L72

Released in 0.10.54: 28de285

@medikoo
Copy link
Owner

medikoo commented Jul 25, 2022

@andrey-helldar yes, Kaspersky is Russian-based and no longer a credible anti-virus resource.

There's widespread advice to not rely on it anymore (e.g. https://www.komando.com/security-privacy/kaspersky-antivirus-dangers/830542/).

So if you're affected by the fact that Kaspersky reports this package, ensure to not rely on Kaspersky in the first place.

@medikoo
Copy link
Owner

medikoo commented Jul 26, 2022

Note that I will delete any off-topic responses.

The topic here is that some anti-virus software (such as Kaspersky) are reporting as if the package is containing a "virus" which is not the case. This package, in certain scenarios, just prints a short message on installation.

Respond only if you have information on other anti-virus software that reports it, or have success stories on removing dependency on that specific anti-virus software.

Repository owner deleted a comment from shamilsun Jul 26, 2022
Repository owner deleted a comment from Welleman Jul 26, 2022
@andrey-helldar
Copy link

andrey-helldar commented Jul 26, 2022

I would like to add on my own: there are two ways to solve the problem:

First way: to do this, go to the "Exceptions" section in the settings and add four entries:

  • Directory: <path_to_node.exe> (for me is %USERPROFILE%\AppData\Local\nvs\) (dir, not file) + Object Hoax.JS.ExtMsg.a
  • Directory: %USERPROFILE%\AppData\Roaming\npm-cache\ + Object Hoax.JS.ExtMsg.a
  • Directory: %USERPROFILE%\AppData\Local\node-gyp\ + Object Hoax.JS.ExtMsg.a
  • Directory of your sites. For me is D:\domains\ + Object Hoax.JS.ExtMsg.a

In all points, I selected "Scan area" - "everything" (*).

After that, the antivirus stopped responding to this error.

Second way: delete Kaspersky from PC.

PS: This file does not contain any virus, and the antivirus reacts because it belongs to a Russian company. In Russia, any anti-war statements are punishable by law. In addition, it has long been known that Kaspersky Anti-Virus works for the government.

@DigitalNaut
Copy link

Respond only if you have information on other anti-virus software that reports it, or have success stories on removing dependency on that specific anti-virus software.

I don't have any more information, just wanted to point out that all of the accounts that are downvoting you are very suspicious. Most don't even have more than 3 contributions. This is crazy.

@robert-gdv
Copy link

Sonatype starts flagging the library as "malicious". Sonatype Firewall therefore blocks it.

@robert-gdv
Copy link

Whitelisting the package is risky, because it would create a false negative, when this repo is e.g. hacked and really contains malicious code.

@medikoo
Copy link
Owner

medikoo commented Mar 26, 2024

@robert-gdv have you reported the issue to Sonatype? (there's nothing malicious about the package)

@robert-gdv
Copy link

Sonatype refuses to remove this issue from their malicious list

You're correct that the es5-ext package is being flagged as malicious due to the presence of a "political protest message" in the package. This is specifically found in the _postinstall.js file, which displays a message to users within specific time zones es5-ext/_postinstall.js at main · medikoo/es5-ext (github.com).

While this may not impact the running code, it's considered "malicious" because it performs an operation that was not intended by the users who installed the package. This falls under the category of "Unintended Behavior", which is a type of security vulnerability.

If you believe that this package is not malicious and is essential for your development, you have a couple of options:

  1. Use the Vulnerability Lookup: You can use the Vulnerability Lookup feature in the IQ Server to search for the specific vulnerability ID (sonatype-2022-2248). This will provide more details about why the package was flagged as malicious.
  2. Apply a Waiver: If you believe that the risk is acceptable for your specific use case, you can apply a waiver to this security vulnerability. This will allow you to use the package while acknowledging the risk.

Using the Waiver is a good solution in this case, because the ID sonatype-2022-2248 covers this issue with the packet. The Waiver would not hide other issues with this package.

@medikoo
Copy link
Owner

medikoo commented Mar 26, 2024

Thanks, @robert-gdv, for reaching out to Sonatype.

Interestingly, there are other packages that present welcome messages during installation, which are also not intended by users who install them (e.g., sponsorship ads). Yet, I never saw them being reported by anti-virus software.

Also, in this package case, it targets a specific group. It's not the noise that is presented to everyone.

@robert-gdv
Copy link

My request to Sonatype to remove this malicious flag was denied. I will not follow up on that. It is just not important enough.

Repository owner deleted a comment from scotty6435 Mar 26, 2024
Repository owner deleted a comment from PirateDigger Mar 27, 2024
Repository owner deleted a comment from pietrovismara Mar 27, 2024
Repository owner deleted a comment from pietrovismara Mar 27, 2024
Repository owner deleted a comment from zdravkogg-appgr8 Mar 28, 2024
Repository owner deleted a comment from PirateDigger Mar 28, 2024
@alexguevara
Copy link

alexguevara commented May 23, 2024

I'm unable to use Evernote because of this issue. Will obviously report about the problem to Evernote team.
The antivirus name is DrWeb which I've been using for more than 10 years now and very happy with it.
It's very concerning that political message, whatever that is, is making final products unusable. Can't it be removed?

@medikoo
Copy link
Owner

medikoo commented May 24, 2024

@alexguevara report at DrWeb, as this package doesn't do anything malicious that should be a concern. It just conditionally displays a friendly short message when you install it (not when you use it), and note that hundreds of other npm packages do the same. So marking this packing as dangerous is simply incorrect.

@scotty6435
Copy link

But the impact of the classification is that many people cannot use the module, are inconvenienced by false positive flags or have to take special actions to whitelist it on every system it runs on. This is a dumb hill to die on

@medikoo
Copy link
Owner

medikoo commented May 24, 2024

I've added extra explanation in top description

@scotty6435
Copy link

The problem is it's presence, not it's context

@PeterDaveHello
Copy link

@medikoo not sure if you'd like to lock this issue as there's no more helpful discussion.

Repository owner deleted a comment from sgliser Jul 30, 2024
Repository owner deleted a comment from gritaro Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests