Re: [go-nuts] Re: "Cortex XDR has blocked a malicious activity! " when running Go binary

2022-03-09 Thread Nugraha

On 2022/3/9 23:37, Brian Candler wrote:
> https://go.dev/doc/faq#virus
>
> On Wednesday, 9 March 2022 at 11:14:47 UTC Rusco wrote:
>
>> On Win10 I get this Antivirus message and cannot get my .exe running
>> on my company notebook.
>>
>> This is the binary, the only import is "fmt":
>> https://go.dev/play/p/GIUnvHMUJec?v=gotip
>>
>> I checked antivirus diagnostics tools and found this:
>>
>> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection
>>
>> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community
>>
>> https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1
>>
>> So this is probably due to "suspicious LazyDLL loading in Golang
>> binaries".
>> Where is this Lazy DLL loading going on, in the runtime?

LoadLibraryA and LoadLibraryW are used by the syscall and runtime packages:
https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/syscall_windows.go
at syscall_loadsystemlibrary, syscall_loadlibrary

and in
https://go.googlesource.com/go/+/refs/tags/go1.18rc1/src/runtime/os_windows.go
at windowsLoadSystemLib, loadOptionalSyscalls

>> Is there a way to avoid this, to make it static for example?

No

>> I wonder why there are not more complaints about antivirus blocking of
>> Go binaries.
>> I never came across such blocking in my Rust binaries.
>>
>> Any hints welcome
>> Rusco






--
You received this message because you are subscribed to the Google 
Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send 
an email to golang-nuts+unsubscr...@googlegroups.com 
.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/golang-nuts/a06db50e-bb79-41e0-ae54-fd8f0b2cae5dn%40googlegroups.com 
.


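An added example, not code from the thread or from the Go project, that makes the reply above checkable on any host: it cross-compiles a constructed fmt-only program for windows/amd64 and lists the kernel32.dll functions the resulting PE imports, so the LoadLibrary/GetProcAddress references can be attributed to the Go runtime (the syscall_windows.go and os_windows.go sites named above) rather than to the program's own code. It assumes a `go` toolchain on PATH; `BuildWindowsProbe`, `ImportedFromDLL`, `LoaderAPIs` and the embedded probe source are my own names and constructed input.

```go
// Added example (not from the thread or the Go project): cross-compile a
// fmt-only program for windows/amd64 and list the kernel32.dll functions its
// PE import table names, to see what the Go runtime itself brings in.
package main

import (
	"debug/pe"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"sort"
	"strings"
)

// probeSource is a constructed stand-in for the poster's program: only "fmt".
const probeSource = "package main\nimport \"fmt\"\nfunc main() { fmt.Println(\"hello\") }\n"

// BuildWindowsProbe writes probeSource into dir and cross-compiles it for
// windows/amd64 with cgo off (no C toolchain or Windows host needed).
// Assumes a `go` toolchain on PATH. Returns the path of the produced .exe.
func BuildWindowsProbe(dir string) (string, error) {
	if err := os.WriteFile(filepath.Join(dir, "main.go"), []byte(probeSource), 0o644); err != nil {
		return "", err
	}
	// A private go.mod keeps the build independent of the caller's module.
	if err := os.WriteFile(filepath.Join(dir, "go.mod"), []byte("module probe\n\ngo 1.18\n"), 0o644); err != nil {
		return "", err
	}
	exe := filepath.Join(dir, "probe.exe")
	cmd := exec.Command("go", "build", "-o", exe, ".")
	cmd.Dir = dir
	cmd.Env = append(os.Environ(), "GOOS=windows", "GOARCH=amd64", "CGO_ENABLED=0",
		"GO111MODULE=on", "GOWORK=off", "GOFLAGS=")
	if out, err := cmd.CombinedOutput(); err != nil {
		return "", fmt.Errorf("go build failed: %v\n%s", err, out)
	}
	return exe, nil
}

// ImportedFromDLL parses a PE file and returns, sorted, the functions it
// imports from dll. debug/pe reports each import as "Function:library.dll".
func ImportedFromDLL(exe, dll string) ([]string, error) {
	f, err := pe.Open(exe)
	if err != nil {
		return nil, err
	}
	defer f.Close()
	syms, err := f.ImportedSymbols()
	if err != nil {
		return nil, err
	}
	var names []string
	for _, s := range syms {
		fn, lib, ok := strings.Cut(s, ":")
		if ok && strings.EqualFold(lib, dll) {
			names = append(names, fn)
		}
	}
	sort.Strings(names)
	return names, nil
}

// LoaderAPIs keeps only the library-loading and symbol-resolution imports,
// the calls a "lazy DLL loading" heuristic keys on.
func LoaderAPIs(names []string) []string {
	var hits []string
	for _, n := range names {
		if strings.HasPrefix(n, "LoadLibrary") || n == "GetProcAddress" {
			hits = append(hits, n)
		}
	}
	return hits
}

func run() error {
	dir, err := os.MkdirTemp("", "goprobe")
	if err != nil {
		return err
	}
	defer os.RemoveAll(dir)
	exe, err := BuildWindowsProbe(dir)
	if err != nil {
		return err
	}
	names, err := ImportedFromDLL(exe, "kernel32.dll")
	if err != nil {
		return err
	}
	fmt.Printf("%d kernel32.dll imports; loader/resolver APIs: %v\n", len(names), LoaderAPIs(names))
	return nil
}

func main() {
	if err := run(); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Run it on the build machine before uploading anything to a vendor portal: the import table is what a static signature sees first, and a binary whose only import is "fmt" already carries the runtime's kernel32 loader and resolver entries, which is the point of Nugraha's reply. The thread does not include the Valhalla rule's match conditions, so this shows what the runtime brings in, not exactly which bytes that rule keys on.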


[go-nuts] Re: "Cortex XDR has blocked a malicious activity! " when running Go binary

2022-03-09 Thread Brian Candler
https://go.dev/doc/faq#virus

On Wednesday, 9 March 2022 at 11:14:47 UTC Rusco wrote:

> On Win10 I get this Antivirus message and cannot get my .exe running on my
> company notebook.
>
> This is the binary, the only import is "fmt":
> https://go.dev/play/p/GIUnvHMUJec?v=gotip
>
> I checked antivirus diagnostics tools and found this:
>
> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/detection
>
> https://www.virustotal.com/gui/file/01435f5f5fe574e8154a572094bd0dd21a6ce8bc506b9931be0e30a917fd68a1/community
>
> https://valhalla.nextron-systems.com/info/rule/SUSP_LazyDLL_Load_Golang_Jan20_1
>
> So this is probably due to "suspicious LazyDLL loading in Golang
> binaries".
> Where is this Lazy DLL loading going on, in the runtime?
> Is there a way to avoid this, to make it static for example?
>
> I wonder why there are not more complaints about antivirus blocking of Go
> binaries.
> I never came across such blocking in my Rust binaries.
>
> Any hints welcome
> Rusco
