
hello world and anything detected by global check (virustotal) #866

Open
SmaamX opened this issue Aug 16, 2024 · 11 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

Comments

@SmaamX

SmaamX commented Aug 16, 2024

What version of Garble and Go are you using?

$ garble version
mvdan.cc/garble v0.12.1

Build settings:
      -buildmode exe
       -compiler gc
  DefaultGODEBUG httplaxcontentlength=1,httpmuxgo121=1,tls10server=1,tlsrsakex=1,tlsunsafeekm=1
     CGO_ENABLED 0
          GOARCH amd64
            GOOS windows
         GOAMD64 v1

$ go version
go version go1.22.6 windows/amd64

What environment are you running Garble on?

go env Output
$ go env
set GO111MODULE=auto
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\smaamx\AppData\Local\go-build
set GOENV=C:\Users\smaamx\AppData\Roaming\go\env
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=C:\Users\smaamx\go\pkg\mod
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPATH=C:\Users\smaamx\go
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=C:\Users\smaamx\sdk\go1.22.6
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLCHAIN=go1.22.6
set GOTOOLDIR=C:\Users\smaamx\sdk\go1.22.6\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.22.6
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=C:\Users\smaamx\go.mod
set GOWORK=
set CGO_CFLAGS=-O2 -g
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-O2 -g
set CGO_FFLAGS=-O2 -g
set CGO_LDFLAGS=-O2 -g
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=C:\Users\smaamx\AppData\Local\Temp\go-build117501480=/tmp/go-build -gno-record-gcc-switches

What did you do?

1. garble -tiny --literals build icm.go
2. checked it with VirusTotal and it was detected
3. built s.go again with just "hello world" and it was detected again

What did you expect to see?

It's clear.

What did you see instead?

www.virustotal.com/gui/file/49ff8d1a0fa0373fd5b2eb3bf13af8ad48f7a186dc6b5b9e3358ae37e1dc6223

Ask to add

can we make GoReSym hidden?

@SmaamX
Author

SmaamX commented Aug 16, 2024

@derekkddj

what is the complete command for the "strip" option?

@SmaamX
Author

SmaamX commented Aug 21, 2024

I think `strip --strip-all`, or we can use sstrip.

@Velka-DEV

It is absolutely normal for the binary to be detected as malware after obfuscation. Malware developers always obfuscate their binaries in the same way as garble to protect their malware.

@ddm50

ddm50 commented Aug 23, 2024

> It is absolutely normal for the binary to be detected as malware after obfuscation. Malware developers always obfuscate their binaries in the same way as garble to protect their malware.

Unfortunately.

I have tried with a regular binary, no obfuscation, and it works fine. But garble and Defender don't like it.

@mvdan
Member

mvdan commented Aug 26, 2024

If someone wants to investigate how to avoid issues with common antivirus software, you're welcome to post your findings here or send patches. I don't have an interest in looking into this.

My only guess is that the Go runtime has a lot of dangerous-looking code due to the nature of what it does, and it's likely that antivirus products know to whitelist it to prevent false positives with Go programs. Once a Go program is obfuscated, that sort of special treatment is likely not present.

@mvdan mvdan added the help wanted Extra attention is needed label Aug 26, 2024
@pagran
Member

pagran commented Aug 26, 2024

Fast check.

With compiler patches: https://www.virustotal.com/gui/file/db46d0680b87e8eb5682828971750e5be6fecbc2b1b1341589667fc030e3b5c1?nocache=1
Without compiler patches: https://www.virustotal.com/gui/file/34a74db259e3abc5d17e2f5886bff70bae852c21e518c086cee6b513b1389d86?nocache=1

No difference on VirusTotal, but I have Windows Defender and it blocked me from using garble with compiler patches:
[image]

@furax124

furax124 commented Sep 6, 2024

> Fast check.
>
> With compiler patches: https://www.virustotal.com/gui/file/db46d0680b87e8eb5682828971750e5be6fecbc2b1b1341589667fc030e3b5c1?nocache=1
>
> Without compiler patches: https://www.virustotal.com/gui/file/34a74db259e3abc5d17e2f5886bff70bae852c21e518c086cee6b513b1389d86?nocache=1
>
> No difference on VirusTotal, but I have Windows Defender and it blocked me from using garble with compiler patches:
>
> [image]

What is the command line for the compiler patch? Thank you for your response.

@DavesPlanet

This is an impossible thing to fix, for the simple reason that terrible people are using your wonderful code to obfuscate terrible things. If you change the signature of how you obfuscate, then the next generation of terrible tools by terrible people will evade detection for a short time until the new signature eventually ends up in malware databases, and you will be back where you started. I believe this is something all obfuscation projects must live with.

@pagran
Member

pagran commented Sep 16, 2024

> What is the command line for the compiler patch? Thank you for your response.

Currently garble doesn't have that key; the only way is to manually modify the garble sources: https://github.com/burrowers/garble/blob/master/main.go#L465

> I believe this is something all obfuscation projects must live with.

Agreed. I think we can solve this problem using non-software methods (KYC, cooperation with antivirus companies, etc.), but this is definitely not implementable with an open source project that can be used by anyone.

@lu4p lu4p added the enhancement New feature or request label Oct 28, 2024