syncthing and virus alarms (e.g. Kaspersky)

Hi,

as Kaspersky (and other tools) still detects even the newest Syncthing version (

) and reporting false alarms to Kaspersky hasn't shown any results so far, I tried a different route:

Another test:

So for me this is a workaround for a current exe and for the moment, as modifying the company Kaspersky settings always involves a round trip to the admins.

I hope that stays this way a while…

Cheers, Theo

PS: I (obviously) don't get a bit-identical result from my compilations (it's even 4k bytes bigger). Should Go create bit-identical results for the same source code? Or are there additional flags which I should supply to the Go compiler?

Many things affect the generated binary apart from the source code. Things I know of off hand:

  • The source location (goes into symbol names, shown in panics, etc.)
  • Compiler environment variables like CGO_ENABLED which affect how it’s linked
  • Our environment variables like BUILD_USER and the host and timestamp
  • General compiler flags

With the same source in the same place, the same environment variables, the same compiler and the same compiler options the binary should be byte for byte identical.

It strikes me that the source location is a random-ish temporary path on the build server, which gets burned into the binary in a bunch of places and may be something that the virus checkers find suspicious…


Edit 1: To test that theory it would be cool if you could see what it says about this build: https://build.syncthing.net/viewLog.html?buildId=10732&buildTypeId=Syncthing_BuildWindows&tab=artifacts&guest=1 (no random paths) compared to: https://build.syncthing.net/viewLog.html?buildId=10685&buildTypeId=Syncthing_BuildWindows&tab=artifacts&guest=1 (standard build)

Edit 2:

Looks like my build didn’t work, so never mind that for the moment.


Edit 3:

This build is mostly without temporary paths in it:

https://build.syncthing.net/viewLog.html?buildId=10740&buildTypeId=Syncthing_BuildWindows&tab=artifacts&guest=1

Does that affect the virus detection anyhow?
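As an added example (not code from this thread or from Syncthing's own build script), here is a small Go tool that checks the two things in the list above: which source path the compiler recorded for the binary's own files (what a panic trace prints) and which absolute build-directory paths are embedded anywhere in an arbitrary binary's bytes. The set of path prefixes in the regular expression is an assumption chosen for the example, not something the Go toolchain defines. Build it once plainly and once with `go build -trimpath` to see the recorded path change from the absolute build directory to a module-relative one.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"runtime"
	"sort"
	"strings"
)

// buildPathRE matches the absolute source paths a Go toolchain records in a
// binary when built without -trimpath: POSIX paths under common build-server
// and GOPATH roots, and Windows drive paths. The prefix list is an assumption
// made for this example, not a definition from the Go toolchain.
var buildPathRE = regexp.MustCompile(
	`/(?:tmp|home|build|go|root|var|opt)/[\w./-]+\.go` +
		`|[A-Za-z]:\\[\w.\\ -]+\.go`)

// FindBuildPaths returns the distinct, sorted source-file paths embedded in
// data that look like untrimmed build-directory paths. Module-relative paths
// (what -trimpath leaves behind) do not match because they have no root.
func FindBuildPaths(data []byte) []string {
	seen := map[string]bool{}
	for _, m := range buildPathRE.FindAll(data, -1) {
		seen[string(m)] = true
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out
}

// LooksAbsolute reports whether a recorded path is rooted (POSIX "/..." or
// Windows "C:\...") and therefore leaks the build location into the binary.
func LooksAbsolute(p string) bool {
	if strings.HasPrefix(p, "/") {
		return true
	}
	return len(p) > 2 && p[1] == ':' && (p[2] == '\\' || p[2] == '/')
}

// OwnSourcePath returns the file name the compiler recorded for this source
// file, which is exactly what a panic trace prints. Built with -trimpath it is
// module-relative; built without it is the absolute path of the build tree.
func OwnSourcePath() string {
	_, file, _, _ := runtime.Caller(0)
	return file
}

func main() {
	self := OwnSourcePath()
	fmt.Printf("this binary records its own source as: %s (absolute: %v)\n",
		self, LooksAbsolute(self))
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: buildpaths <binary>")
		os.Exit(2)
	}
	data, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	paths := FindBuildPaths(data)
	fmt.Printf("%d build-directory path(s) embedded in %s\n", len(paths), os.Args[1])
	for _, p := range paths {
		fmt.Println(" ", p)
	}
}
```

To get the byte-for-byte identical output the post describes, the build environment has to be pinned as well as the paths: the same Go version, `CGO_ENABLED` fixed, `-trimpath` to drop the build directory, and `-ldflags=-buildid=` to drop the per-build ID the linker otherwise embeds; a `sha256sum` of two such builds of the same source then agrees.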

ok, downloaded both builds, scanned locally, and both pass a scan by Kaspersky without problems.

I also uploaded them to virustotal.com, and there they get detected by two and three scanners respectively:

Which raises my fear that Kaspersky may update its definitions and invalidate my workaround. I will recheck next week with newer signatures whether my workaround still works…

Just to point it out, a couple of years ago there was this talk about having reproducible builds in Go: http://go-talks.appspot.com/github.com/davecheney/presentations/reproducible-builds.slide But I don't know if it ended up in anything. AFAIK there's an initiative for this in several distros (but it's not "complete" yet): https://reproducible-builds.org

Maybe this could help in having something more reproducible and help in detecting what is causing the antivirus to match Syncthing as a threat.

Which two builds were that?

Go and Syncthing both support reproducible builds just fine. Debian does it for example. It’s just a matter of controlling the environment per the checklist above (and possibly other stuff I forgot).

Those I found here:

Ah ok, but how does that compare to the “standard” build at https://build.syncthing.net/viewLog.html?buildId=10685&tab=artifacts&buildTypeId=Syncthing_BuildWindows&guest=1 for example?

VirusTotal seems to consider them equal: two obscure matches for both the standard and the without-odd-paths builds. So probably no difference. But then again it doesn't indicate a Kaspersky hit either, so not sure what it means. Why would it flag our release builds but not others? There is literally no difference other than the version number.

ok, downloaded those as well. As you expected, no Kaspersky hit on my machine here.

I also uploaded the one I compiled myself to VirusTotal: https://www.virustotal.com/de/file/3e6ac0057c9fca9a61dcccb363aa1b6915656edb923fd6537a263fba868c1cfa/analysis/1506074510/

Two obscure matches for the self-compiled one.

I currently don’t know what to make of it.

Aaand my fear has come true: Kaspersky with updated databases currently deletes a freshly compiled syncthing.exe from my build directory.

My workaround currently: using version 14.29.

So essentially Syncthing is fine until we release it, and at that point they classify it as a virus? Ah well.

Stop wasting your time and try to be in control of your own premises, a.k.a. stop using snake-oil ware.

Those so-called antivirus products seem to give you quite the hassle for your money and bog you down. Additionally they raise your attack surface, and worse.

The antivirus industry is a mere disease.


As long as the sysadmins of my company control our security policies, I don't have much say in that matter. So the options would be:

  • define exclusions in the AV software (a possibility)
  • work around it (currently doing)
  • get AV vendors to get their act together w.r.t. Syncthing (yeah…)
  • change antivirus product (probably the same problems under a different name, and more cost attached)

As long as there is no verifiably secure system connectable to the net, we will have these sorts of problems, I think.

Before I go too much off-topic I'll stop here.

https://github.com/syncthing/syncthing/issues/3420 might help, too.

I called out to Kaspersky for assistance. Haven’t heard back (via DM) yet. Will update here if anything comes of it.


I called out to Kaspersky for assistance. Haven't heard back (via DM) yet.

They are so big and important …