"Cortex XDR has blocked a malicious activity!" when running Go binary


Rusco
Mar 9, 2022, 6:14:47 AM
to golang-nuts
On Win10 I get this Antivirus message and cannot get my .exe running on my company notebook.

This is the binary, the only import is "fmt":
https://go.dev/play/p/GIUnvHMUJec?v=gotip

I checked antivirus diagnostics tools and found this:
https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection
https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community
https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1

So this is probably due to "suspicious LazyDLL loading in Golang binaries".
Where is this Lazy DLL loading going on, in the runtime?
Is there a way to avoid this, to make it static for example?

I wonder why there are not more complaints about antivirus blocking of Go binaries.
I never came across such blocking in my Rust binaries.

Any hints welcome
Rusco

Brian Candler
Mar 9, 2022, 11:37:42 AM
to golang-nuts
https://go.dev/doc/faq#virus

Nugraha
Mar 9, 2022, 12:46:47 PM
to golan...@googlegroups.com
On 2022/3/9 23:37, Brian Candler wrote:
> https://go.dev/doc/faq#virus
>
> On Wednesday, 9 March 2022 at 11:14:47 UTC Rusco wrote:
>
> On Win10 I get this Antivirus message and cannot get my .exe running
> on my company notebook.
>
> This is the binary, the only import is "fmt" :
> https://go.dev/play/p/GIUnvHMUJec?v=gotip
>
> I checked antivirus diagnostics tools and found this:
>
> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection
> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community
> https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1
>
> So this is probably due to "suspicious LazyDLL loading in Golang
> binaries".
> Where is this Lazy DLL loading going on, in the runtime ?

LoadLibraryA and LoadLibraryW are used by the syscall and runtime packages:
https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/syscall_windows.go
at syscall_loadsystemlibrary, syscall_loadlibrary

and in
https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/os_windows.go
at windowsLoadSystemLib, loadOptionalSyscalls

> Is there a way to avoid this, to make it static for example ?

No

>
> I wonder why there are not more complaints about antivirus blocking of
> Go binaries.
> I never came across such blocking in my Rust binaries.
>
>
> Any hints welcome
> Rusco

Rusco
Mar 17, 2022, 7:38:13 AM
to golang-nuts
I actually found an (ugly) workaround which works for my Antivirus Software:

Importing "C" helps; it probably changes the structure of the binaries created:

import (
    "C"   // enables cgo; a C toolchain (e.g. gcc/mingw-w64) is then needed at build time
    "fmt"
)

I actually came across this when I noticed that all binaries where I imported "github.com/mattn/go-sqlite3" run fine.
I leave it here for the record; it might help others with the same issue.
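Nugraha's reply points at the runtime's LoadLibrary use, and Rusco's workaround changes how the binary is linked; a quick way to see what actually lands in the import table (and to diff a build before and after adding import "C") is to read it with Go's standard debug/pe package. The following is an added example, not code from the thread; the function names, the loaderAPIs list and the hello.exe path are the example's own choices.

```go
package main

import (
	"debug/pe"
	"fmt"
	"log"
	"os"
	"sort"
	"strings"
)

// Loader APIs the Go runtime resolves at startup on Windows (runtime/os_windows.go).
var loaderAPIs = map[string]bool{
	"LoadLibraryA": true, "LoadLibraryW": true,
	"LoadLibraryExA": true, "LoadLibraryExW": true,
	"GetProcAddress": true,
}

// LoaderImports filters entries in debug/pe's "Function:dll" form down to
// the loader APIs above, deduplicated and sorted for stable comparison.
func LoaderImports(imports []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, entry := range imports {
		fn, dll, ok := strings.Cut(entry, ":")
		key := fn + ":" + strings.ToLower(dll)
		if ok && loaderAPIs[fn] && !seen[key] {
			seen[key] = true
			out = append(out, key)
		}
	}
	sort.Strings(out)
	return out
}

func main() { // usage: go run . hello.exe
	if len(os.Args) != 2 {
		log.Fatal("usage: peimports <file.exe>")
	}
	f, err := pe.Open(os.Args[1]) // works on any host OS, no Windows needed
	if err != nil {
		log.Fatal(err)
	}
	defer f.Close()
	imports, err := f.ImportedSymbols()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(strings.Join(LoaderImports(imports), "\n"))
}
```

Run it against the same program built with and without the import "C" line to see how the import table differs between the two builds.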


