did someone get a pkg file created using fleetctl package as

Question

did someone get a pkg file created using fleetctl package as malware Probably a false positive but this could cause problems in some deployment

spookerlabs · Answer

Google drive triggered pt BR sorry

spookerlabs · Answer

And sent to virus total and Ikarus alerted `Trojan OSX Trojanproxy`

zwass · Answer

Yes I ve seen similar there s no information available from Google or Ikarus as to why they detect it as a problem

zwass · Answer

Maybe they don t like our launchd config

spookerlabs · Answer

Thanks for answering I ll try to figure out something

zwass · Answer

I discovered that it s the Orbit binary itself that triggers Ikarus AV A newly built Orbit binary does not trigger no false positives I then thought it might be because the Orbit binary we currently ship is built with 1 16 2 which has a <https www cvedetails com cve CVE 2021 36221 |CVE related to the ReverseProxy code> which we use but only in the ` insecure` option I tried building with 1 16 8 which has a fix for that CVE and I still get a false positive So I m pretty confident there s nothing wrong with Orbit and the false positive is due to Ikarus and the Go 1 16 builds When we publish the new release with Go 1 17 things should be resolved

zwass · Answer

I see the same behavior with Google Drive Using the same source code an Orbit binary built with go1 16 8 gives an error about containing a virus while go1 17 2 is fine Drive still warns about downloading an executable file

spookerlabs · Answer

Great thanks