Use the VirusTotal API to scan submitted add-ons for malicious content #3246
Comments
I've found this GitHub Action to scan release assets with Virus Total.
Also, local files can be scanned, so that when the add-on is downloaded after creating the submission issue, it may be used.
I think that we should analyze .exe files after unzipping the add-on, and, if Virus Total analyzes them, we can post a link to the analysis in the corresponding issue.
Is there only the possibility to analyse .exe files? Not other files such as .dll or .pyd? Also, we can imagine that an add-on embeds malicious executable code in a .exe renamed to .py, .pycle, .dat (or whatever extension). Then at runtime it may rename the file to .exe and execute it. Is there any reason to restrict scanning to .exe?
Cyrille wrote:
We can try to analyze whatever file we want, even the .nvda-addon itself.
Oh, it's true. I have also thought that non-bundled files may be downloaded.
No. I've tried to analyze the emoticons add-on and of course it's not detected as malware. So I have thought that it may be better to analyze unzipped files.
VirusTotal should be able to scan a whole add-on as a ZIP file if the add-on is uploaded with the extension changed to .zip.
@nvdaes For testing, you may use these:
https://help.eset.com/emsx/7.3/en-US/antivirus_test.html
https://www.computerhope.com/issues/ch001386.htm
There are many more such things for testing positive virus scans out there.
Thanks @XLTechie. I'll use this for testing in the next days.
For reference, I'll try to use the Virus Total command line:
I've got the following artifact analyzing the clipContentsDesigner 31.0.0 add-on. I think that we can show the workflow like done in CodeQL analysis, if we find failures, malicious or suspicious positive numbers in stats.
Another artifact including analysis of a test provided by @XLTechie, for some reason empty: https://github.com/nvdaes/addon-datastore/actions/runs/8743424504/artifacts/1427157401 In this case, the results key in the vt.json file is not empty. I still think that we should use the stats key.
I'm seeing that the analysis for the clipContentsDesigner 31.0.0 add-on, which doesn't include malware, is not consistent between checks. For example, in one of my tests the status is queued (maybe VirusTotal didn't finish the analysis). Also once I saw 3 failures (I suppose that this means that 3 antivirus engines failed to analyze the add-on). And reports are updated from time to time.
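As an added example (not code from the issue or from the addon-datastore workflow), this is the decision logic the comments above are circling: parse the vt.json-style analysis, treat a still-queued report as not ready rather than as clean, count engine failures separately from detections, and flag only on the malicious/suspicious counters of the stats key; it also builds the public report URL from the add-on's sha256. The sample responses are constructed, and the analysis shape assumed is that of VirusTotal API v3 (GET /api/v3/analyses/{id}).

```python
import hashlib
import json

VT_GUI_FILE_URL = "https://www.virustotal.com/gui/file/{sha256}"
# Engine outcomes that are errors, not verdicts; counted separately from detections.
FAILURE_KEYS = ("failure", "timeout", "confirmed-timeout")


def sha256_of(data):
    """Hex SHA-256 of the add-on bytes; VirusTotal keys file reports by this hash."""
    return hashlib.sha256(data).hexdigest()


def report_url(sha256):
    """Public report page for a file, usable before the add-on is installed."""
    return VT_GUI_FILE_URL.format(sha256=sha256)


def load_analysis(text):
    """Parse a vt.json document; return None on malformed JSON instead of raising."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


def evaluate_analysis(report):
    """Decide on a v3 analysis object: not ready while queued, flagged only on
    malicious/suspicious counts, engine failures reported but never counted."""
    if report is None:
        return {"ready": False, "flagged": False, "failures": 0, "error": "malformed json"}
    attrs = report.get("data", {}).get("attributes", {})
    status = attrs.get("status", "queued")
    stats = attrs.get("stats") or {}
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    failures = sum(int(stats.get(k, 0)) for k in FAILURE_KEYS)
    return {"ready": status == "completed",
            "flagged": status == "completed" and malicious + suspicious > 0,
            "malicious": malicious, "suspicious": suspicious, "failures": failures}


# Constructed sample responses in the v3 analysis shape (not real VirusTotal output).
SAMPLE_QUEUED = '{"data": {"attributes": {"status": "queued", "stats": {}}}}'
SAMPLE_CLEAN = ('{"data": {"attributes": {"status": "completed", "stats": '
                '{"malicious": 0, "suspicious": 0, "undetected": 70, "failure": 3}}}}')
SAMPLE_FLAGGED = ('{"data": {"attributes": {"status": "completed", "stats": '
                  '{"malicious": 60, "suspicious": 2, "undetected": 8}}}}')
SAMPLE_BROKEN = '{"data": {"attributes": {"status": "completed"'  # truncated on disk
```

A workflow that only checks `flagged` would silently pass a queued report, which is why `ready` is returned separately and a second request is needed later, as the PR description below also does.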
Fixes issue #3246

Summary of the issue

VirusTotal may catch malware bundled with add-ons. Also, knowing the sha256 of scanned add-ons, the URL to see results at different datetimes may be built, allowing users to see this information even before installing an add-on if this was included in the NVDA store in the future.

Development strategy

Virus Total CLI is installed when needed. Add-ons are scanned when the submission issue is created. Info about the add-on file is requested from Virus Total later, when the pull request is created, to give Virus Total time to show results, trying to avoid getting an empty analysis. NV Access needs to create an API key in Virus Total. The addonMetadata.json artifact is used to get the add-on id and sha256. A falsePositiveAddons.json file has been added. If the VirusTotal analysis fails, a pull request will be created adding the sha256 of the add-on to a list associated with the add-on ID, in the falsePositiveAddons.json file. If VirusTotal should be skipped for this add-on, NV Access will merge the created pull request, delete the branch created for the submission (in the form submitterIssueNumber), and relabel the issue to trigger a new workflow.
Before closing this, we'd like to run a scan of all submitted add-ons with Virus Total.
Sean wrote:
I'm working on this. I've created a workflow to download each add-on and submit it to VirusTotal with my API key. Now they should be analyzed.
Hi, looks like there is an issue with the modified YML file, with the workflow output for the Windows App Essentials 24.06 submission saying: Invalid workflow file: .github/workflows/sendJsonFile.yml#L95 This could be the reason why add-on submissions from yesterday are not being processed. Thanks.
This has been fixed, but there seem to be problems with the VirusTotal CLI or API at this moment. This has worked well, but it seems that the VirusTotal CLI is not generating well-formed JSON files.
@nvdaes - can you please open a new PR to nvaccess/addon-datastore-staging? I've reverted previous PRs.
Fixes issue nvaccess#3246

Summary of the issue

VirusTotal may catch malware bundled with add-ons. Also, knowing the sha256 of scanned add-ons, the URL to see results at different datetimes may be built, allowing users to see this information even before installing an add-on if this was included in the NVDA store in the future.

Development strategy

Virus Total CLI is installed when needed. Add-ons are scanned when the submission issue is created. Info about the add-on file is requested from Virus Total later, when the pull request is created, to give Virus Total time to show results, trying to avoid getting an empty analysis. NV Access needs to create an API key in Virus Total. The addonMetadata.json artifact is used to get the add-on id and sha256. A falsePositiveAddons.json file has been added. If the VirusTotal analysis fails, a pull request will be created adding the sha256 of the add-on to a list associated with the add-on ID, in the falsePositiveAddons.json file. If VirusTotal should be skipped for this add-on, NV Access will merge the created pull request, delete the branch created for the submission (in the form submitterIssueNumber), and relabel the issue to trigger a new workflow.
Thanks @seanbudd. An add-on has been submitted after VirusTotal support has been added. When the add-on submission is merged, I'll inform about the VirusTotal support on the add-ons mailing list.
The scanning implemented in #2660 generally covers cases where an add-on author may not be aware of the security risks of an add-on. In general, CodeQL scanning is more designed around finding security issues caused by accident/ignorance, rather than maliciously designed code. A maliciously constructed add-on could be built and potentially pass these checks. Scanning with VirusTotal will further catch dangerous add-ons, i.e., add-ons bundled with known malware.
https://docs.virustotal.com/reference/overview