extension.bundle.js detects as Trojan

[intervisionlord]

Related to #2045 (new question because those issue was closed with suggestions to create a new one)

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.20\dist\extension.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\.5535db6a-7490-40c1-9942-044aa4c537ed\dist\sync.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.10\dist\server.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

file: .vscode\extensions\ms-python.vscode-pylance-2023.10.10\dist\extension.bundle.js
sig: Trojan.Script.QBot.kblikv; Riskware.Script.Obfuscated.kcdfgx

[intervisionlord]

A new alerts today after removing previous files by AV:

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\sync.bundle.js
Riskware.Script.Obfuscated.kcdfgx

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\server.bundle.js
Riskware.Script.Obfuscated.kcdfgx

.vscode\extensions\.bed44996-5aa2-4754-9049-f4f8f231b4ba\dist\extension.bundle.js
Riskware.Script.Obfuscated.kcdfgx

[judej]

One option to fix this is to

• run a gh action to check for malware: https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action, https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
• based on if malware is found in the bundled files, then rerun the obfuscation with a new seed

[intervisionlord]

It’s not entirely clear how running the action on the GitHub platform will help fix the problem that when you try to update an extension, the antivirus complains about the downloaded files of this extension

[rchiodo]

Jude was talking about how we're going to fix the problem. The bytes in our obfuscated output are matching the signature used to identify the trojan. Obfuscation generates random hex values for the names of functions and occasionally we end up matching some series of bytes for a virus. One solution would be for us to check for this scenario and if it happens, redo the obfuscation.

[intervisionlord]

Thanks a lot for the explanation

[rocka0]

I just wanted to add on about my experience. I recently performed a full scan on my system and it seems pylance was somehow involved in what got flagged as a trojan:

Should I be worried or was this just a false positive?

[rchiodo]

It should be a false positive. We believe the obfuscated code is generating a byte pattern that matches some trojan. You can double check that you have the released version by installing it directly from the marketplace .

[intervisionlord]

I tried to completely remove the extension from vscode and install the latest version from the store, and upon installation the antivirus complaint occurs again

Name: c:\users\*****\.vscode\extensions\ms-python.vscode-pylance-2023.10.40\dist\extension.bundle.js
Process: c:\users\*****\appdata\local\programs\microsoft vs code\code.exe(19416)
Signature: Riskware.Script.Obfuscated.kcdfgx

It should be a false positive. We believe the obfuscated code is generating a byte pattern that matches some trojan. You can double check that you have the released version by installing it directly from the marketplace .

I believe this could potentially be a false positive. But I believe even more that I installed the antivirus for a reason. And trusting this or that application without a reason, based only on the promises of the developers, is not the smartest idea.
Try to understand my concerns.

[debonte]

This was fixed by https://github.com/microsoft/pyrx/pull/5467/files#r1676259192. Our build will now fail (and need to be re-run) if Windows Defender finds a threat in our VSIX.