Restic 0.10.0 for Windows and Jiangmin: false positive?

Many thanks for the release of restic 0.10.0, the list of improvements looks great!

As a routine, after downloading restic_0.10.0_windows_amd64.zip, I checked the file on https://www.virustotal.com

Result:
“One engine detected this file”
Jiangmin: TrojanDropper.Dapato.acbs

I see that the vast majority of scanners show “Undetected”. On the other hand, there are statements from people who say that it is not uncommon that only one of many scanners detects a certain piece of malware…
(e.g. “It is often the case that only one of many scanners fires on a malicious file.”)

Has anyone tried to clarify this with Jiangmin, yet? (So they might fix this in their software.)

I think it might be a good idea to make anti-malware software providers investigate assumed false positives to avoid uncertainties about the trustworthiness of restic.


Hey, welcome back!

That’s not unexpected, I must say. Unfortunately, Go is becoming more popular for writing malware. Most “anti-virus” engines are pretty dumb: they look for known parts of files. If the engine is configured to match on a part of the binary which belongs to the Go runtime (so it is embedded in every Go binary), then most Go binaries will be classified as a virus/trojan. There’s not much we can do about it (and it has happened before).

We don’t have the resources to talk to all the different vendors, so if you want to try it then please go ahead :)

The restic binaries are also built in a reproducible way: you just need the source code, the Go compiler and a Linux system to reproduce the official binaries. That way we (and everyone else) can verify that the binaries match the source code and that nobody has tampered with the binaries.
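The last step of that verification, comparing the hash of a locally built (or downloaded) binary against the published SHA256SUMS entry, as an added example. This is not restic’s own tooling and not part of the reply above; it assumes coreutils `sha256sum` is available and uses a constructed file and hash list created in a temp directory, so it runs offline. Drop in the real `SHA256SUMS` from the release page and the reproduced binary to use it for real.

```shell
#!/bin/sh
# Added example (not restic's code): check one file against a SHA256SUMS list.
# Assumes coreutils sha256sum; SHA256SUMS lines look like "<hex>  <filename>"
# (a leading "*" before the filename, as produced by --binary, is tolerated).

# verify_against_sums <sums-file> <file>
#   exit 0  -> hash matches the entry for basename(<file>)
#   exit 1  -> entry found but hash differs (tampered or wrong build)
#   exit 2  -> no entry for that file name in the list
verify_against_sums() {
    sums="$1"
    file="$2"
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demo with constructed data: a fake release artifact and its hash list.
demo_dir=$(mktemp -d)
printf 'pretend this is restic_0.10.0_windows_amd64.zip\n' > "$demo_dir/restic_demo.zip"
( cd "$demo_dir" && sha256sum restic_demo.zip > SHA256SUMS )

verify_against_sums "$demo_dir/SHA256SUMS" "$demo_dir/restic_demo.zip"   # OK

# Simulate a tampered download: the hash no longer matches the list.
printf 'something else entirely\n' > "$demo_dir/restic_demo.zip"
verify_against_sums "$demo_dir/SHA256SUMS" "$demo_dir/restic_demo.zip" \
    || echo "tamper detected, exit status $?"
```

For a whole release directory the equivalent one-liner is `sha256sum -c --ignore-missing SHA256SUMS`; the function above just makes the per-file result usable from a script (for example, after reproducing the binary from source). The hash list itself only proves integrity, not origin, so it should be fetched over HTTPS from the release page and, where a signature is published alongside it, checked with the project’s signing key before trusting the hashes.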

Over the years I’ve seen so many false positives by Jiangmin, on VirusTotal, I ignore its results entirely.