Virus detection issues on Windows/386 binaries built with -ldflags -s -w

1127 views
Skip to first unread message

ajstarks

unread,
Feb 11, 2020, 11:15:30 PM2/11/20
to golang-nuts
When building Windows binaries for pdfdeck [1] (https://github.com/ajstarks/deck/tree/master/cmd/pdfdeckI noticed that the binary generated with on linux with:

GOOS=windows GOARCH=386 go build -ldflags="-s -w" -o windows-386-pdfdeck.exe github.com/ajstarks/deck/cmd/pdfdeck

will cause the Windows 10 Defender virus detection to think the binary is infected with Trojan:Win32/Wacatac.C!ml

simply removing the -ldflags builds a binary that runs with no issues.  Has anyone else seen this?  

andrey mirtchovski

unread,
Feb 11, 2020, 11:30:48 PM2/11/20
to ajstarks, golang-nuts
you can find similar detections on virustotal. unfortunately it looks
like a false positive:

https://www.virustotal.com/gui/file/93eb448cedd4b4355065a4f9193d8548b02bc56ed5ba9e774095f9ab3da46227/detection

there are members of this community working for microsoft, perhaps
they'll have an avenue that will allow their engine to avoid a false
positive on go code. not sure if they have an open channel to address
this.
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/67837c19-9d19-4976-8b12-44a7b8fedf6d%40googlegroups.com.

andrey mirtchovski

unread,
Feb 11, 2020, 11:33:02 PM2/11/20
to ajstarks, golang-nuts
sorry, wanted to add: submit your file to VT and see if it triggers a
detection there (like in my link it is most likely that only the MS
engine will detect it). then you have a case to argue.

ajstarks

unread,
Feb 11, 2020, 11:50:37 PM2/11/20
to golang-nuts
A bit more info: building natively on Windows 10, the detection is NOT triggered.
I will submit the offending file.


On Tuesday, February 11, 2020 at 11:30:48 PM UTC-5, andrey mirtchovski wrote:
you can find similar detections on virustotal. unfortunately it looks
like a false positive:

https://www.virustotal.com/gui/file/93eb448cedd4b4355065a4f9193d8548b02bc56ed5ba9e774095f9ab3da46227/detection

there are members of this community working for microsoft, perhaps
they'll have an avenue that will allow their engine to avoid a false
positive on go code. not sure if they have an open channel to address
this.

On Tue, Feb 11, 2020 at 9:15 PM ajstarks <ajst...@gmail.com> wrote:
>
> When building Windows binaries for pdfdeck [1] (https://github.com/ajstarks/deck/tree/master/cmd/pdfdeck) I noticed that the binary generated with on linux with:
>
> GOOS=windows GOARCH=386 go build -ldflags="-s -w" -o windows-386-pdfdeck.exe github.com/ajstarks/deck/cmd/pdfdeck
>
> will cause the Windows 10 Defender virus detection to think the binary is infected with Trojan:Win32/Wacatac.C!ml
>
> simply removing the -ldflags builds a binary that runs with no issues.  Has anyone else seen this?
>
> --
> You received this message because you are subscribed to the Google Groups "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to golan...@googlegroups.com.

ajstarks

unread,
Feb 12, 2020, 12:06:20 AM2/12/20
to golang-nuts

Ian Lance Taylor

unread,
Feb 12, 2020, 8:30:29 AM2/12/20
to ajstarks, golang-nuts
On Tue, Feb 11, 2020 at 9:06 PM ajstarks <ajst...@gmail.com> wrote:
>
> VT detected issues. As mentioned these are false positives:
>
> https://www.virustotal.com/gui/file/77cbc92defdabf7e308849f0dd5e784010d9b4548b99b50df52533b949a14d85/detection

FYI: https://golang.org/doc/faq#virus

Ian
> To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/4b7c752b-6b82-4ec9-8d66-3ad9d663368a%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages