did someone get a pkg file created using fleetctl package as osquery #fleet

did someone get a pkg file created using fleetctl ...

spookerlabs

12/07/2021, 7:58 PM

did someone get a pkg file created using fleetctl package as malware ? Probably a false positive but this could cause problems in some deployment.

spookerlabs

12/07/2021, 7:58 PM

Google drive triggered (pt_BR sorry)

spookerlabs

12/07/2021, 7:59 PM

spookerlabs

12/07/2021, 7:59 PM

And sent to virus total and Ikarus alerted

Trojan.OSX.Trojanproxy

zwass

12/07/2021, 8:00 PM

Yes I've seen similar -- there's no information available from Google or Ikarus as to why they detect it as a problem.

spookerlabs

12/07/2021, 8:03 PM

zwass

12/07/2021, 8:21 PM

Maybe they don't like our launchd config?

spookerlabs

12/07/2021, 11:53 PM

Thanks for answering. I'll try to figure out something

zwass

12/08/2021, 9:24 PM

I discovered that it's the Orbit binary itself that triggers Ikarus AV. A newly built Orbit binary does not trigger (no false positives). I then thought it might be because the Orbit binary we currently ship is built with 1.16.2 which has a CVE related to the ReverseProxy code (which we use, but only in the

--insecure

option). I tried building with 1.16.8 which has a fix for that CVE and I still get a false positive. So I'm pretty confident there's nothing wrong with Orbit and the false positive is due to Ikarus and the Go 1.16 builds. When we publish the new release with Go 1.17 things should be resolved.

zwass

12/08/2021, 9:38 PM

I see the same behavior with Google Drive. Using the same source code, an Orbit binary built with go1.16.8 gives an error about containing a virus, while go1.17.2 is fine (Drive still warns about downloading an executable file).

spookerlabs

12/09/2021, 1:10 PM

Great! thanks !

8 Views

Open in Slack

Previous Next