Anti-virus trigger in go-rod leakless usage #238
Comments
I doubt that is a true positive. What generated that output? Are you sure it's related to gowitness and not a sliver install you have? I uploaded the compiled ARM darwin artefact to VirusTotal out of interest anyways. https://www.virustotal.com/gui/file/713f81ab9889e03dd07f5a56a9a4bed3d51ce133bbaef6f612dfee1b5effa529?nocache=1
Also, can you share that
We are running Intego AV on a mac. The a.out gets blocked as soon as the following command has run:
I would like to share the hash of the file with you but I don't know how to compile it without it being a risk. I'm unfamiliar with the compiling process and if that poses any risk. I ran the following command for more verbose output
Also to add: I do not have Sliver framework installed. I'm familiar with it but it's not installed. Running the go install command on a different mac gives the same result.
Unfortunately I don't know Intego AV (it also doesn't seem to be listed on VirusTotal). I'm going to go with a false positive in your AV for now given the 64 vendors being okay with the arm Darwin binary at least. Feel free to build and upload your own (in a sandbox without your AV) to test, ofc! If you learn anything more about why this is happening, feel free to add, thanks!
Sorry and just to be clear, there should be no sliver related dependency / artefact in gowitness.
I think it's related to this issue: ysmood/leakless#8, which means I may temporarily remove the go-rod driver until that is resolved.
I think there is a (Sliver) backdoor in one of the dependencies. I'm getting an error while running:
go install github.com/sensepost/gowitness@latest
What's up with that