Helping to fixing Windows virus scanner false positives

235 views

Skip to first unread message

ajstarks

unread,

Feb 26, 2019, 8:58:25 PM2/26/19

to golang-nuts

One annoyance for gophers on Windows is the false positives from virus

scanners when running the Go toolchain. This is mentioned in the FAQ:

This is a common occurrence, especially on Windows machines, and is almost

always a false positive. Commercial virus scanning programs are often

confused by the structure of Go binaries, which they don't see as often as

those compiled from other languages.

On my Windows 10 machine running the Symmantec scanner the situation is not the

structure of the binary but the "reputation". I get separate messages

running the go command or go build (one for the compiler, assembler and

linker) like this:

Event: Security Risk Found

Security risk detected: WS.Reputation.1

File: c:\Users\xxxxxx\Desktop\go\bin\go.exe

Location: Deleted or access blocked

Computer: xxxxxx

User: xxxxx

Action taken: Leave Alone succeeded

Looking up WS.Reputation.1 means:

(https://www.symantec.com/security-center/writeup/2010-051308-1854-99)

WS.Reputation.1 is a detection for files that have a low reputation score

based on analyzing data from Symantec’s community of users and therefore

are likely to be security risks. Detections of this type are based on

Symantec’s reputation-based security technology. Because this detection is

based on a reputation score, it does not represent a specific class of

threat like adware or spyware, but instead applies to all threat

categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of

millions of end users) connected to cloud-based intelligence to compute a

reputation score for an application, and in the process identify malicious

software in an entirely new way beyond traditional signatures and

behavior-based detection techniques.

I reported these false positives for the go command, compiler, assembler and linker at

https://submit.symantec.com/false_positive/ and the good news is that the

go command (1.12 version) is now whitelisted. I'm waiting for the others

tools to be so blessed. My guess is I'll have to report again when Go is updated.

I'm wondering if others in the Go community can help by reporting as well, raising Go's "reputation".

ajstarks

unread,

Feb 27, 2019, 1:05:48 PM2/27/19

to golang-nuts

FYI, the Go 1.12 toolchain is now blessed by Symantec.

Reply all

Reply to author

Forward

0 new messages