Title
#fleet
spookerlabs

spookerlabs

12/07/2021, 7:58 PM
did someone get a pkg file created using fleetctl package as malware ? Probably a false positive but this could cause problems in some deployment.
7:58 PM
Google drive triggered (pt_BR sorry)
7:59 PM
7:59 PM
And sent to virus total and Ikarus alerted
Trojan.OSX.Trojanproxy
zwass

zwass

12/07/2021, 8:00 PM
Yes I've seen similar -- there's no information available from Google or Ikarus as to why they detect it as a problem.
spookerlabs

spookerlabs

12/07/2021, 8:03 PM
zwass

zwass

12/07/2021, 8:21 PM
Maybe they don't like our launchd config?
spookerlabs

spookerlabs

12/07/2021, 11:53 PM
Thanks for answering. I'll try to figure out something
zwass

zwass

12/08/2021, 9:24 PM
I discovered that it's the Orbit binary itself that triggers Ikarus AV. A newly built Orbit binary does not trigger (no false positives). I then thought it might be because the Orbit binary we currently ship is built with 1.16.2 which has a CVE related to the ReverseProxy code (which we use, but only in the
--insecure
option). I tried building with 1.16.8 which has a fix for that CVE and I still get a false positive. So I'm pretty confident there's nothing wrong with Orbit and the false positive is due to Ikarus and the Go 1.16 builds. When we publish the new release with Go 1.17 things should be resolved.
9:38 PM
I see the same behavior with Google Drive. Using the same source code, an Orbit binary built with go1.16.8 gives an error about containing a virus, while go1.17.2 is fine (Drive still warns about downloading an executable file).
spookerlabs

spookerlabs

12/09/2021, 1:10 PM
Great! thanks !