Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows 20H2 report Atosev!ml & Presenoker #2095

Closed
2 tasks done
jonozw opened this issue Nov 23, 2020 · 32 comments
Closed
2 tasks done

Windows 20H2 report Atosev!ml & Presenoker #2095

jonozw opened this issue Nov 23, 2020 · 32 comments
Labels
lifecycle/stale

Comments

@jonozw
Copy link

jonozw commented Nov 23, 2020

[REQUIRED] hat version of frp are you using

Version: 0.34 frpc

[REQUIRED] What operating system and processor architecture are you using
OS: Win
CPU architecture: Intel X64

[REQUIRED] description of errors
Windows 20H2 report Atosev!ml & Presenoker

confile

NA
log file

NA

Steps to reproduce the issue

  1. NA

Supplementary information
NA
Can you guess what caused this issue
NA

Checklist:

  • I included all information required in the sections above
  • I made sure there are no duplicates of this report (Use Search)
@jonozw
Copy link
Author

jonozw commented Nov 23, 2020

sorry, mis report

The answer is here:
#1204

@rffanlab
Copy link

Same err.And I'm deleted.

@lss4 lss4 mentioned this issue Nov 23, 2020
Closed
@fatedier fatedier mentioned this issue Nov 24, 2020
Closed
@fatedier fatedier pinned this issue Nov 24, 2020
@fatedier
Copy link
Owner

I'm not sure what i can do to solve it since maybe it caused by golang.

The reason is here #1204 (comment) .

If anyone have a solution to avoid this problem?

@fatedier fatedier mentioned this issue Nov 25, 2020
Closed
@zsinba
Copy link

zsinba commented Nov 26, 2020

识别病毒是根据特征码的, 特征码的生成是每个杀毒软件的独门。
@fatedier 尝试下是否有可能修改软件的特征码,魔数。

@cnwangjihe
Copy link

Files can be manually submitted to here to report an incorrect detection.
a

But it might require doing so when every new version releases.
And since the situation shown on virustotal, maybe the files should also be submitted to other anti-virus software.

@fatedier
Copy link
Owner

@cnwangjihe Great! Thanks for you help.

This was referenced Dec 24, 2020
Closed
Closed
@zsinba
Copy link

zsinba commented Dec 26, 2020

服务端被阿里云识别为黑客工具。

@NewFuture
Copy link

似乎和go版本有关,旧点版本正常

@Becods Becods mentioned this issue Jan 6, 2021
Closed
@mylylyl
Copy link

mylylyl commented Jan 25, 2021

same for 0.35.0 amd64 binary.

@NewFuture
Copy link

可能是交叉编译套壳的问题,用windows下go编译的使用和下载没用检测病毒的提示

@zsinba
Copy link

zsinba commented Feb 2, 2021

可能是交叉编译套壳的问题,用windows下go编译的使用和下载没用检测病毒的提示
不应该呀. 不管是Win下面还是Linux下面编译,都是同样的生成bin文件 没有套壳呀.
提交到第三方检测网站试试看.

@NewFuture
Copy link

@zsinba
这个windows编译版,检测报告,
https://www.virustotal.com/gui/file/cb8eeea742b5ab61a1f4cd4394d9ee894766177c4fa4d429f8802a153421b83b/detection
有三个检测出FastReverseProxy 风险(Symantec 和 ESET 已经直接把FRP记录到黑名单了🤦‍);
本地可以通过严格的Windows Defender 扫描. 没报蠕虫或木马的特征.

@zsinba
Copy link

zsinba commented Feb 2, 2021

@zsinba
这个windows编译版,检测报告,
https://www.virustotal.com/gui/file/cb8eeea742b5ab61a1f4cd4394d9ee894766177c4fa4d429f8802a153421b83b/detection
有三个检测出FastReverseProxy 风险(Symantec 和 ESET 已经直接把FRP记录到黑名单了🤦‍);
本地可以通过严格的Windows Defender 扫描. 没报蠕虫或木马的特征.

我觉得你说的不对。
我在Linux下面编译的,刚一分钟前编译的最新版本。
https://www.virustotal.com/gui/file/3194ff7339b5fa5f7f494e648c96d51515277d771ca385137f6083eebcef21aa/detection
上去检测,只有两个报告。
赛门铁克都没报。这不能说明编译机不一样,检测结果 就不一样。
Go编译编译出来 的二进制 文件,”我猜想“是不会加壳的,它只是交叉编译链而已,编译出来 的东西应该是一样的。
image

@zsinba
Copy link

zsinba commented Feb 2, 2021

刚才上传的是64位版本的windows
现在上传的是32位的版本
image

检测结果竟然还不一样。
https://www.virustotal.com/gui/file/9a70bf529d3d776adb131714decc7bc08b0541e992044ca3972370d817e4a9dc/detection

@NewFuture
Copy link

@zsinba 直接upload 里面的frpc.exe 扫描一下 Symantec 可能就会报了。

对比看 linux编译的确实会被 Windows Defender 标记出来 ,(ESET 也标记了多个)。

@zsinba
Copy link

zsinba commented Feb 2, 2021

这个是上传frps
image

https://www.virustotal.com/gui/file/bce9092a05dc80b49178e88c8d3df818c6287a315e06abe2a82f0cd5f3b65196/detection

@zsinba
Copy link

zsinba commented Feb 2, 2021

这是上传的frpc
image
https://www.virustotal.com/gui/file/f44391a69823f2efee12084ba86a410cd7b2519d10a23f3c6cf02bb13fa4b8e4/detection
跟你在windows下面编译的,看起来没有任何区别。

@NewFuture
Copy link

@zsinba 这个exe 似乎通过了Windows defender 的扫描。

为什么ZIP包会有这个 image

@zsinba
Copy link

zsinba commented Feb 2, 2021

image
这不是ZIP包,我直接上传的FRPC的EXE文件。

@zsinba 这个exe 似乎通过了Windows defender 的扫描。

为什么ZIP包会有这个 image

@zsinba
Copy link

zsinba commented Feb 2, 2021

我觉得问题不在这, 杀毒软件通过特征码来判定是否是特征库里的文件。
应该是FRP的某个特征码已经固定了,无论怎么打包,都是一样的结果 。
除非 找到特征码的那部分改掉。

从另一方面说,报病毒也没什么,加入白名单就行。 这个本来就是当反向代理用的。 杀毒软件 报这个也是为了用户安全,不然用户的电脑 端口暴漏了,自己也不清楚。
特别是在服务器上面使用FRPC的时候,本来是很安全的服务器,直接暴漏一个端口出来 ,增加了风险。

@sxu55
Copy link

sxu55 commented Feb 5, 2021

联系了ESET的病毒分析处,他们说就是因为发现frp有被黑客利用的迹象所以报毒。所以最初报hacktool,后来上报之后改成报riskware

@jonozw
Copy link
Author

jonozw commented Feb 7, 2021

联系了ESET的病毒分析处,他们说就是因为发现frp有被黑客利用的迹象所以报毒。所以最初报hacktool,后来上报之后改成报riskware

这理由, 服了
把Windows, Linux, MacOS都删了吧, 99.99%的黑客用的都是这几个操作系统

@sxu55
Copy link

sxu55 commented Feb 7, 2021

联系了ESET的病毒分析处,他们说就是因为发现frp有被黑客利用的迹象所以报毒。所以最初报hacktool,后来上报之后改成报riskware

这理由, 服了
把Windows, Linux, MacOS都删了吧, 99.99%的黑客用的都是这几个操作系统

这个并不是没有发生过,putty都曾被当hacktool杀过
估计主要还是因为frp名气不是很大,否则厂商查杀会更小心一点。现阶段还是叫frp用户自己排除比较好。其实这个binary最早应该是eset开始查杀的,后来其他厂商看到eset杀就全部跟进了。我一直在观测查杀情况,看到这个雪球越滚越大心情着实复杂……

@fatedier
Copy link
Owner

fatedier commented Feb 7, 2021

@sxu55 非常感谢帮忙跟踪这个问题,被黑客利用确实是一个问题,杀毒厂商和云服务商从出于用户安全的角度来说,对小白用户确实可能可以起到一定的保护作用。

我们能做的可能是将 Release 二进制的 MD5 同步上传,用户主动下载后自行校验,之后加入白名单。

@sxu55
Copy link

sxu55 commented Feb 7, 2021

我们能做的可能是将 Release 二进制的 MD5 同步上传,用户主动下载后自行校验,之后加入白名单。

对的,我认为这是最有效率的做法

@github-actions
Copy link

Issues go stale after 45d of inactivity. Stale issues rot after an additional 10d of inactivity and eventually close.

@github-actions github-actions bot closed this as completed Apr 4, 2021
@Becods Becods mentioned this issue Apr 4, 2021
Closed
This was referenced Jan 21, 2022
Closed
Closed
Closed
Closed
@Becods Becods mentioned this issue Feb 4, 2022
Closed
11 tasks
@xqzr xqzr mentioned this issue Mar 20, 2022
Closed
11 tasks
@xqzr xqzr mentioned this issue Apr 20, 2022
Closed
11 tasks
@koho koho mentioned this issue May 12, 2022
Closed
This was referenced Jun 3, 2022
Closed
Closed
@fuyoo fuyoo mentioned this issue Jul 28, 2022
Closed
11 tasks
This was referenced Oct 17, 2022
Closed
Closed
@xxl4
Copy link

xxl4 commented Jan 6, 2023

前面我们没有在意报病毒,安装到一台内网的机器中了后,也有可能win2019 3389也可能有问题,结果一台机器的数据全部被加密了。

@zsinba
Copy link

zsinba commented Jan 13, 2023

image

下载直接 被系统拒了。

@Becods Becods mentioned this issue Jan 26, 2023
Closed
11 tasks
@gzelvis
Copy link

gzelvis commented Jan 31, 2023

我根本下载都不能,不是给Edge或者Chrome打断,就是一下载来本地磁盘立刻被windows给隔离删除了。。。怎么搞

@zsinba
Copy link

zsinba commented Jan 31, 2023

不用。

@LXT2017

This comment was marked as off-topic.

Sign in to view
@zsinba

This comment was marked as off-topic.

Sign in to view
Repository owner deleted a comment from LXT2017 Feb 26, 2023
Repository owner locked as resolved and limited conversation to collaborators Feb 26, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
lifecycle/stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests