DanieleJan 28, 2024

#Infosec community, could you help me?

My open source project Roast (a JVM launcher written in rust) https://github.com/fourlastor-alexandria/roast is being detected by Windows as a malware, and I have no idea why. All it does is:

1. Read configuration from config.json
2. Start up a JVM environment
3. Start the JVM application from the jar

The jar in the example is a demo project for libgdx (a game engine), basically the code would be this https://github.com/fourlastor/gdx-setup-construo/pull/1

maybe @jerry ? I don't know anyone who can help

GitHub - fourlastor-alexandria/roast: A JVM starter in Rust

A JVM starter in Rust. Contribute to fourlastor-alexandria/roast development by creating an account on GitHub.

GitHub
Show threadDanieleJan 28, 2024

I tried using VirusTotal, I'll write down my findings here:

The first version that seems to be detected as malware is 0.0.5, where I added a windows version check (to add an experimental garbage collection feature)

0.0.6
https://www.virustotal.com/gui/file/6ab1798b7b9fd7c223530b3bb9ebd12ec0850bb018013ccdb080468fb4c2380e/detection

0.0.5
https://www.virustotal.com/gui/file/fa3c97165e28dfa48f8efc059309ebf9776005f6f2c7c3a163ed2bcd9b2c7940/detection

0.0.4
https://www.virustotal.com/gui/file/9902dd4eade0fe981293526a4cd193f484a693bfc3f840967dd244e8a3c08fe5/detection

Then I tried to revert the windows version change but it still is detected as malware:

https://www.virustotal.com/gui/file/5d897977b63935a3c3da99ed6464048fb27f3889ceef0e8de8057b6eb01a50ab?nocache=1

https://github.com/fourlastor-alexandria/roast/pull/18

VirusTotal

VirusTotal

Show threadDanieleJan 28, 2024
the weird thing is that 0.0.6 and the no-win-version trigger "SecureAge", while 0.0.5 triggers "DeepInstinct" (while it passes SecureAge)
Show threadDanieleJan 28, 2024
I tried removing the extra code added in 0.0.6 and it still flags under "SecureAge" https://github.com/fourlastor-alexandria/roast/pull/18/commits/33142030118b4fd3f53ee2e9d96f471376ea8dc6 at this point I'm wondering if the issue is the github action runners they're built on (which might explain why over time, not commits, there's different detections)
Remove windows-version by fourlastor · Pull Request #18 · fourlastor-alexandria/roast

Temp PR for checking malware detection

GitHub
Show threadDanieleJan 28, 2024
I'm definitely wrong, I tried forcing a rebuild of 0.0.4 and still passes all the checks https://www.virustotal.com/gui/file/b4e98692e7c246a4e530a54d88708dc200b9f65f206994ffe318acac00d5e0d8/detection https://github.com/fourlastor-alexandria/roast/actions/runs/7685218482
VirusTotal

VirusTotal

Show threadDanieleJan 28, 2024
Apologies for the million notifications. I just realized you don't need to keep the initial tags to have the post appear as a reply
Show threadDanieleJan 28, 2024
Seems like 0.0.4/0.0.5/0.0.6 don't trigger the antivirus when downloaded directly from github, even tho 0.0.6 is literally the same file as the one that was used in the initial screenshot
Show threadDaniele
https://www.virustotal.com/gui/file/47bda71ea25e823d2d851071afb54c79444e92da68fa1b5da1b4a5f03d375524?nocache=1 Looks like somehow game.exe is different from 0.0.6, both in size and how much virustotal detects O_o
VirusTotal

VirusTotal

Jan 28, 2024 at 11:26amWeb
Show threadDanieleJan 28, 2024
Got some more testing results, it looks like the issue is the no-gpu variant of roast 🤔