VirusTotal scans for AWS CLI creating false positives #8975

Open
cfitzgerald-pd opened this issue Oct 15, 2024 · 1 comment
Labels

  • p2: This is a standard priority issue
  • third-party: This issue is related to third-party libraries or applications.

Comments


cfitzgerald-pd commented Oct 15, 2024

Describe the bug

We've recently gotten a deluge of malware alerts from VirusTotal and its scanners and even third parties (ReversingLabs) flagging certain versions of the AWS CLI as malware. Some file paths detected are:

  • /root/awscliv2.zip
  • /usr/local/aws-cli/v2/2.18.0/dist/aws
  • /aws/aws/dist/aws_completer

Pulled the versions with recent detections - 2.17.63 and 2.18.0 directly from AWS and matched the SHA-1s.

2.18.0: (eb90309bf6a4bb23cc13892a6b058527560600c3)

2.17.63: (fb7db612844de3496d805e4d2ec34e4762f6677e)

3 scanners flag 2.18.0 and 6 scanners flag 2.17.63. I expect these to continue to get flagged with new releases, which is difficult for customers and could result in some teams creating broad exclusion rules for the AWS CLI if there's no easy way to reduce these detections.

I see past discussions about this didn't get anywhere for various reasons (e.g. AWS signs with a PGP detached signature). Can AWS confirm these are false positive detections and/or recommend any way for customers or scanning vendors to avoid these false detections?

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Clean malware scans

Current Behavior

Several detections in malware scanners

Reproduction Steps

Pull the versions with recent detections - 2.17.63 and 2.18.0 directly from AWS and match the SHA-1s.

2.18.0: (eb90309bf6a4bb23cc13892a6b058527560600c3)

2.17.63: (fb7db612844de3496d805e4d2ec34e4762f6677e)

Possible Solution

Change signing method if it's a cause?
Work with third-party scanners to reduce FP detections?
Pin an advisory for this in the short term?

Additional Information/Context

No response

CLI version used

2.17.63, 2.18.0

Environment details (OS name and version, etc.)

linux-x86_64

cfitzgerald-pd added the labels bug (This issue is a bug.) and needs-triage (This issue or PR still needs to be triaged.) on Oct 15, 2024
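A triage helper for the reproduction steps above, added here as an example and not part of the issue or of the AWS CLI project: it computes the SHA-1 of a file a scanner flagged, compares it with the release hashes quoted in the report and, when gpg and the imported AWS public key are available, verifies the PGP detached signature, so a team can allowlist the exact official artifact by hash instead of writing the broad path exclusions the report warns about. The function names, the `known` table layout and the `<artifact>.sig` naming of the signature file are assumptions.

```python
"""Triage a scanner-flagged file against known official AWS CLI v2 artifacts."""
import hashlib
import os
import shutil
import subprocess

# SHA-1s of the linux-x86_64 installers as quoted in the issue report.
KNOWN_RELEASE_SHA1 = {
    "eb90309bf6a4bb23cc13892a6b058527560600c3": "2.18.0",
    "fb7db612844de3496d805e4d2ec34e4762f6677e": "2.17.63",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large zip installer never has to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def gpg_verify(artifact, detached_sig):
    """Verify the PGP detached signature shipped next to the installer.
    Returns True/False, or None when gpg or the .sig file is unavailable.
    Assumes the AWS CLI public key was imported into the keyring beforehand
    (assumption: signature file name is <artifact>.sig)."""
    if shutil.which("gpg") is None or not os.path.exists(detached_sig):
        return None
    res = subprocess.run(["gpg", "--batch", "--verify", detached_sig, artifact],
                         capture_output=True)
    return res.returncode == 0


def triage(path, known=KNOWN_RELEASE_SHA1):
    """Return (verdict, release_version_or_None, sha1) for one flagged file."""
    digest = sha1_of_file(path)
    version = known.get(digest)
    if version is None:
        return ("unknown hash: investigate, do not add an exclusion", None, digest)
    sig_ok = gpg_verify(path, path + ".sig")
    if sig_ok is False:
        return ("hash matches but signature FAILS: investigate", version, digest)
    return ("matches official release: report FP to vendor, allowlist by hash",
            version, digest)


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        verdict, version, digest = triage(p)
        print(f"{p}\t{digest}\t{version or '-'}\t{verdict}")
```

Run it as `python triage.py /root/awscliv2.zip /usr/local/aws-cli/v2/2.18.0/dist/aws`; a hash match only proves the file is the artifact AWS published, which is exactly the evidence a vendor needs for a false-positive report.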
jonathan343 (Contributor) commented

Hey @cfitzgerald-pd, thanks for reaching out. We're aware of the increase in VirusTotal detections and are actively reporting these as false positives to third-party vendors. If there are any updates, we'll provide them here. Thanks!

nateprewitt added the labels third-party (This issue is related to third-party libraries or applications.) and p2 (This is a standard priority issue) and removed bug (This issue is a bug.) and needs-triage (This issue or PR still needs to be triaged.) on Oct 16, 2024