On Tue, Aug 23, 2022 at 9:29 AM Robert Engels <reng...@ix.netcom.com> wrote: > > I did not read the analysis - just the thread here and earlier threads on > this subject. My understanding that even though Go is statically linked the > loader does relocations that confuse virus scanners.
I'm not sure precisely what you mean, but I don't think that's accurate. There is no Go loader. The statically linked binary produced for a pure Go executable has no run-time relocations at all. My assumption--and it is just an assumption--is roughly the reverse: because pure Go programs are statically linked, and because the symbol table does not use the same names as a default C symbol table, a virus scanner has a harder time seeing which system calls are being used. Of course the same would be true for a statically linked C program, but perhaps malware writers tend to steer clear of those. Obviously anything that Go is doing can also be done in C, but the malware authors do have to work a bit harder to do that. Ian > On Aug 23, 2022, at 11:05 AM, Brian Candler <b.cand...@pobox.com> wrote: > > > On Tuesday, 23 August 2022 at 16:49:57 UTC+1 ren...@ix.netcom.com wrote: >> >> I think what is being suggested that if the sec team bans all applications >> that exhibit dynamic code loading behavior they’d be safer - which would >> catch a lot of apps in the net. > > > But the article quoted makes the opposite point: "Go binaries are often > statically linked—meaning that all necessary libraries are included in the > compiled binary" > > It also says: "Go’s large binary size causes analysis issues for some AV > vendors since several security products struggle to handle larger files and > have been known to just stop scanning and pass a binary if it is above a > specific size." > > ROFL! > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/golang-nuts/73a6a242-ce44-4a48-8794-6f67a4b78167n%40googlegroups.com. > > -- > You received this message because you are subscribed to the Google Groups > "golang-nuts" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to golang-nuts+unsubscr...@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/golang-nuts/DD066646-3624-4DF3-8634-44229425CF87%40ix.netcom.com. -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/CAOyqgcW4kJbMswGH18fRrX66-Ty3nGrYRDpnWQcf9H56Wrnsew%40mail.gmail.com.
