Re: [go-nuts] Re: "Cortex XDR has blocked a malicious activity! " when running Go binary

Wed, 09 Mar 2022 09:45:37 -0800 

On 2022/3/9 23:37, Brian Candler wrote:

https://go.dev/doc/faq#virus

On Wednesday, 9 March 2022 at 11:14:47 UTC Rusco wrote:

    On Win10 I get this Antivirus message and can not get runnig my .exe
    on my company notebook.

    This is the binary, the only import is "fmt" :
    https://go.dev/play/p/GIUnvHMUJec?v=gotip
    <https://go.dev/play/p/GIUnvHMUJec?v=gotip>

    I checked antivirus diagnostics tools and found this:

    
https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection
    
<https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection>
    
https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community
    
<https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community>
    
https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1
    
<https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1>

    So this is probably due to "suspicious LazyDLL loading in Golang
    binaries".
    Where is this Lazy DLL loading going on, in the runtime ?



LoadLibraryA, LoadLibraryW is used by syscall and runtime package
https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/syscall_windows.go at syscall_loadsystemlibrary, syscall_loadlibrary
and on https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/os_windows.go at windowsLoadSystemLib, loadOptionalSyscalls 


    Is there a way to avoid this, to make it static for example ?


No



    I wonder why there a not more complaints about antivirus blocking of
    Go binaries.
    I never came across such blocking in my Rust binaries.


    Any hints welcome
    Rusco






--
You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com <mailto:golang-nuts+unsubscr...@googlegroups.com>. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/a06db50e-bb79-41e0-ae54-fd8f0b2cae5dn%40googlegroups.com <https://groups.google.com/d/msgid/golang-nuts/a06db50e-bb79-41e0-ae54-fd8f0b2cae5dn%40googlegroups.com?utm_medium=email&utm_source=footer>. 

--
You received this message because you are subscribed to the Google Groups 
"golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to golang-nuts+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/6a20f3c6-8942-fa94-2cbe-2e10af399055%40gmail.com.

Reply via email to