docs\gpu\debugging_gpu_related_code.md detected as malware by Windows Defender
Issue description

This markdown file is detected as Exploit:HTML/CVE-2018-1000006.A. If the Chromium repo is scanned by Windows Defender then the file will be quarantined. If the file is in a directory which is excluded from scanning then the problem will be avoided temporarily, but if the file is copied elsewhere or if an attempt is made to back up the machine with Windows Backup then this will fail. To be clear, a *markdown* file is being tagged as malware, and this will prevent some computers from being backed up.

The file was submitted to Microsoft as an example of incorrect detection. Their response was:

"Detection is intended. CVE-2018-1000006 is a remote code execution vulnerability affecting Electron apps that use custom protocol handlers. Best regards, Windows Defender Response"

https://www.microsoft.com/en-us/wdsi/submission/cae152af-9056-46c0-8546-f1e992a92f2f

The file in question is this one: https://cs.chromium.org/chromium/src/docs/gpu/debugging_gpu_related_code.md?q=f:debugging_gpu&sq=package:chromium&g=0

Experimentation has shown that the markdown file can be minimized to this and still be detected as malicious:

--no-sandbox --gpu-launcher="x"

Yep, a 31-byte text file is detected as an exploit. It's not clear to me how this "payload" is triggered.

Twitter thread is here: https://twitter.com/BruceDawson0xB/status/1005233795081990144
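The practical problem described above is that an over-broad content signature quarantines documentation and breaks backups. The script below is an added example, not part of the bug report or of Chromium, that lets a developer audit a checkout before a scan or backup: it walks a tree and reports any small text file containing both switches from the 31-byte minimized trigger quoted in the report. The two-substring rule is an assumed approximation of the trigger, not Windows Defender's actual signature, and the sample files written by demo() are constructed for the example.

```python
"""Audit a directory for files likely to trip the documentation false positive
described in the bug report (both "--no-sandbox" and "--gpu-launcher=" present).

Added example; the matching rule approximates the reported trigger and is not
the real Defender signature.
"""
import tempfile
from pathlib import Path

# The 31-byte file the reporter found was still detected.
MINIMIZED_TRIGGER = b'--no-sandbox --gpu-launcher="x"'

# Assumed approximation of the trigger: both switches in one file, any order.
REQUIRED_TOKENS = (b"--no-sandbox", b"--gpu-launcher=")


def flags_content(data: bytes) -> bool:
    """Return True when every token of the approximated trigger is present."""
    return all(token in data for token in REQUIRED_TOKENS)


def audit_tree(root, max_bytes: int = 4 * 1024 * 1024) -> list:
    """Return the paths under root (files up to max_bytes) that flags_content() matches.

    Large files are skipped so a source checkout can be walked quickly; the
    limit is an arbitrary choice for this example.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            if path.stat().st_size > max_bytes:
                continue
            data = path.read_bytes()
        except OSError:
            # Unreadable entries (permissions, races) are skipped, not fatal.
            continue
        if flags_content(data):
            hits.append(path)
    return hits


def demo() -> list:
    """Build a constructed sample tree and return the relative paths flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Exactly the minimized file from the report (31 bytes).
        (root / "foo.txt").write_bytes(MINIMIZED_TRIGGER)
        # Constructed doc excerpt mentioning both switches in prose.
        (root / "debugging_notes.md").write_text(
            'Launch with --no-sandbox --gpu-launcher="mydebugger" to attach.\n'
        )
        # Constructed unrelated file: one switch alone should not be flagged.
        (root / "README.md").write_text("Use --no-sandbox only when debugging.\n")
        return sorted(str(p.relative_to(root)) for p in audit_tree(root))


if __name__ == "__main__":
    assert len(MINIMIZED_TRIGGER) == 31
    for rel in demo():
        print("would be flagged:", rel)
```

Running the module prints the two constructed files that contain both switches; README.md, which mentions only one, is not reported. Point audit_tree() at a real checkout to see which documentation files an over-broad rule of this shape would catch.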
Jun 12 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/f17419f4169a63f890e756d74613c5dd8fb5b94d

commit f17419f4169a63f890e756d74613c5dd8fb5b94d
Author: Bruce Dawson <brucedawson@chromium.org>
Date: Tue Jun 12 01:47:03 2018

Modify markdown to satisfy Windows Defender

debugging_gpu_related_code.md explains how to use a Chrome command-line switch which has been used for arbitrary code execution. Windows Defender therefore treats it as malware. This means that some Windows Chromium developers will get anti-virus warnings (with mandatory quarantining of the file). If Chrome is in a directory that is excluded from scanning then they will avoid warnings but will hit problems if they try to use Windows backup.

This is all very silly since there is no way - short of manually following the steps, modified to be malicious - to activate this payload. Windows Defender even complains about the file created by this:

> echo --no-sandbox --gpu-launcher="x" >foo.txt

But, sometimes it's not worth arguing.

This also fixes a typo.

R=kainino@chromium.org
BUG= 851562

Change-Id: I85403a1cb1667f45784684179927119058608d40
Reviewed-on: https://chromium-review.googlesource.com/1096311
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Kai Ninomiya <kainino@chromium.org>
Cr-Commit-Position: refs/heads/master@{#566245}

[modify] https://crrev.com/f17419f4169a63f890e756d74613c5dd8fb5b94d/docs/gpu/debugging_gpu_related_code.md
Jun 12 2018
Jun 14 2018
I just got an official response saying that the detection has been fixed, and I can confirm that the file is no longer detected as a virus. https://twitter.com/WDSecurity/status/1007042157255933952

The submission has also been updated so that it now says Not malware. https://www.microsoft.com/en-us/wdsi/submission/cae152af-9056-46c0-8546-f1e992a92f2f

I'll revert the change.
Jun 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/a33b7c45d8bdb5af7caba7ed565be773b35a4db7

commit a33b7c45d8bdb5af7caba7ed565be773b35a4db7
Author: Bruce Dawson <brucedawson@chromium.org>
Date: Thu Jun 14 16:22:23 2018

Revert "Modify markdown to satisfy Windows Defender"

This reverts commit f17419f4169a63f890e756d74613c5dd8fb5b94d.

Reason for revert: Microsoft responded to twitter reports and fixed their detection so this isn't needed anymore. I'm retaining the typo fix though!

Original change's description:
> Modify markdown to satisfy Windows Defender
>
> debugging_gpu_related_code.md explains how to use a Chrome command-line
> switch which has been used for arbitrary code execution. Windows
> Defender therefore treats it as malware. This means that some Windows
> Chromium developers will get anti-virus warnings (with mandatory
> quarantining of the file). If Chrome is in a directory that is
> excluded from scanning then they will avoid warnings but will hit
> problems if they try to use Windows backup.
>
> This is all very silly since there is no way - short of manually
> following the steps, modify to be malicious - to activate this payload.
> Windows Defender even complains about the file created by this:
>
> > echo --no-sandbox --gpu-launcher="x" >foo.txt
>
> But, sometimes it's not worth arguing.
>
> This also fixes a typo.
>
> R=kainino@chromium.org
> BUG= 851562
>
> Change-Id: I85403a1cb1667f45784684179927119058608d40
> Reviewed-on: https://chromium-review.googlesource.com/1096311
> Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
> Reviewed-by: Kai Ninomiya <kainino@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#566245}

TBR=brucedawson@chromium.org,kainino@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 851562
Change-Id: I60b09d8e6a698c1646f5c4bb0ecab16f999bfb9c
Reviewed-on: https://chromium-review.googlesource.com/1100255
Commit-Queue: Bruce Dawson <brucedawson@chromium.org>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567294}

[modify] https://crrev.com/a33b7c45d8bdb5af7caba7ed565be773b35a4db7/docs/gpu/debugging_gpu_related_code.md
Comment 1 by brucedaw...@chromium.org, Jun 11 2018
Status: Started (was: Untriaged)