v2.13.23 is flagged to have a Trojan FVTV by McAfee #8219

Closed
cnocula-peg opened this issue Oct 4, 2023 · 20 comments

@cnocula-peg

cnocula-peg commented Oct 4, 2023

Describe the bug

The current version v2.13.23 has been flagged by McAfee as containing a trojan, thus causing critical alerts in our monitoring infrastructure:

https://www.virustotal.com/gui/file/a2d89814f1fe981dce1721d07a52f01f9004d457a7d502211154732df0a9da54/detection

Which is most probably a false positive? (As no other scanners are reporting this)

Expected Behavior

No suspicious findings in malware scanners.

Current Behavior

McAfee finding: Trojan-FVTV!4139E39A3B8C

Reproduction Steps

Scan the binary with McAfee?

Possible Solution

No response

Additional Information/Context


CLI version used

v2.13.23

Environment details (OS name and version, etc.)

Ubuntu Jammy20230816

@cnocula-peg added the bug and needs-triage labels Oct 4, 2023
@cjschroeder

cjschroeder commented Oct 4, 2023

I also started getting alerts today from McAfee VirusScan for Linux. It started with dat_set_version 10852.
The flagged version is v2.11.5, not v2.13.23. It's curious that McAfee just started flagging both versions as trojans.

<!-- Uvscan Results -->
<Uvscan>
        <Preamble>
                <Product_name value="McAfee VirusScan Command Line for Linux64" />
                <Version value="6.1.4.305" />
                <License_info value= />
                <AV_Engine_version value="6100.8979" />
                <Dat_set_version value="10853" />
        </Preamble>
        <Date_Time value="2023-Oct-04 09:22:13" />
        <Options value="--config mcafee.cfg /boot /boot/efi / --analyze --atime-preserve --ignore-links --maxfilesize=10 --norename --one-file-system --sub --summary --xmlpath=/tmp/mcafee.xml " />
        <Summary On-Path="/boot" Total-files="81" Clean="75" Not-Scanned="6" Possibly-Infected="0" />
        <Summary On-Path="/boot/efi" Total-files="9" Clean="9" Not-Scanned="0" Possibly-Infected="0" />
        <File name="/var/lib/docker/overlay2/e3bc7f2270711d4c8dd871bf3f6eefa3000e476428227943893dff140e27eb76/diff/usr/local/aws-cli/v2/2.11.5/dist/aws" status="infected" virus-name="Trojan-FVTV!361A13461140" detection-type="trojan" />
        <File name="/var/lib/docker/overlay2/e3bc7f2270711d4c8dd871bf3f6eefa3000e476428227943893dff140e27eb76/diff/usr/local/aws-cli/v2/2.11.5/dist/aws_completer" status="infected" virus-name="Trojan-FVTV!9447FCB50572" detection-type="trojan" />
        <Summary On-Path="/" Total-files="316662" Clean="314246" Not-Scanned="2414" Possibly-Infected="2" />
        <Time value="01:46:36" />
</Uvscan>
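
Added example (not part of the thread or of the AWS CLI project): a Python helper for triaging a uvscan XML report of the shape posted above. It tolerates the unquoted empty `License_info` attribute, strips the Docker overlay prefix from each flagged path, and groups detections by signature family. The sample report is constructed; its layer id and signature suffixes are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report format in this thread; the layer
# id and the signature suffixes are placeholders, not real values.
SAMPLE_REPORT = """<!-- Uvscan Results -->
<Uvscan>
  <Preamble>
    <License_info value= />
    <Dat_set_version value="10853" />
  </Preamble>
  <Summary On-Path="/boot" Total-files="81" Clean="75" Not-Scanned="6" Possibly-Infected="0" />
  <File name="/var/lib/docker/overlay2/LAYERID/diff/usr/local/aws-cli/v2/2.11.5/dist/aws" status="infected" virus-name="Trojan-FVTV!AAAAAAAAAAAA" detection-type="trojan" />
  <File name="/var/lib/docker/overlay2/LAYERID/diff/usr/local/aws-cli/v2/2.11.5/dist/aws_completer" status="infected" virus-name="Trojan-FVTV!BBBBBBBBBBBB" detection-type="trojan" />
  <Summary On-Path="/" Total-files="316662" Clean="314246" Not-Scanned="2414" Possibly-Infected="2" />
</Uvscan>
"""

OVERLAY_PREFIX = re.compile(r"^/var/lib/docker/overlay2/[^/]+/diff")

def parse_uvscan(xml_text):
    """Return the DAT version, the detections and a check of the summary counts."""
    # An empty attribute written as `value= />` is not well-formed XML;
    # give it an empty quoted value so the parser accepts the report.
    repaired = re.sub(r'=\s*(/?>)', r'="" \1', xml_text)
    root = ET.fromstring(repaired)
    dat = root.find("Preamble/Dat_set_version").get("value")
    detections = []
    for f in root.iter("File"):
        if f.get("status") != "infected":
            continue
        family, _, suffix = f.get("virus-name").partition("!")
        detections.append({
            "path": f.get("name"),
            "image_path": OVERLAY_PREFIX.sub("", f.get("name")),
            "family": family,
            "suffix": suffix,
        })
    # Sanity check: the per-path summaries should add up to the File entries.
    reported = sum(int(s.get("Possibly-Infected")) for s in root.iter("Summary"))
    return {"dat": dat, "detections": detections,
            "counts_match": reported == len(detections)}

def group_by_family(result):
    """Map signature family -> image paths, to see if one signature explains all hits."""
    groups = {}
    for d in result["detections"]:
        groups.setdefault(d["family"], []).append(d["image_path"])
    return groups
```

Recording the DAT version next to each detection makes it possible to compare runs before and after a definitions update.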

@tim-finnigan self-assigned this Oct 4, 2023
@tim-finnigan added the response-requested and investigating labels and removed the bug, needs-triage and response-requested labels Oct 4, 2023
@tim-finnigan
Contributor

Thanks for the report, this is something we are looking into further. If anyone else has related info to share on this please let us know here.

@cnocula-peg
Author

Update: now a second scanner (TrendMicro-HouseCall) is reporting a Trojan:


@hssyoo
Contributor

hssyoo commented Oct 5, 2023

At this time, we believe this is a false positive. However, in order to confirm it is a false positive and clear the detections, we'll need to submit reports to the AV vendors flagging the executables. We are currently working on this and will keep this issue updated.

@sys-ops

sys-ops commented Oct 5, 2023

v2.13.15 also flagged by McAfee as containing a trojan.

@axcawef

axcawef commented Oct 5, 2023

Hi there,

We are having a similar trojan report from Wiz:


AWS version 2.13.23

@slimmclovin

Hello,

On my side, McAfee started to detect aws and aws_completer as a trojan on Tuesday 3rd (it was OK on Monday), I believe with DATv3 5303.
aws: Trojan-FVTV
aws_completer: Trojan-FVTV

I'm not sure which version I have, probably 2.13.23.
But I've downloaded 2.13.22 => same result.
I've tried an even older one: 2.12.7 => same result.

@zskulcsar

👋 same issue, different version: AWS CLI 2.11.14


@mooniesdl3

mooniesdl3 commented Oct 5, 2023

Same issue using versions 2.13.13, 2.11.7 and 2.11.21.

Our Linux AV is from Fortra and uses Trellix (McAfee) for AV definitions which are updated automatically every night.

@DRLDoom

DRLDoom commented Oct 5, 2023

Same issue Trellix and aws-cli v2.12.7

@mooniesdl3

Trellix has tested files I sent against today's 10854 definitions and does not get the alert; the definition stack I had that did was 10853.

@TacticalRhino

TacticalRhino commented Oct 5, 2023

I just got no alerts on a scan that was alerting yesterday. Anyone else experiencing clean scans now? Do we know if the definitions have been updated/corrected?

@mooniesdl3

I'm getting clean scans now with updated definitions after restoring the deleted files.

@slimmclovin

Also clean on my side for aws-cli 2.13.24 and with DAT v3 5305.

@rukender

rukender commented Oct 6, 2023

I can still see McAfee and TrendMicro are still reporting this as Malicious.


@cnocula-peg
Author

I do not get any Trojan alerts for the version 2.13.24 via WIZ (and thus VirusTotal) anymore. So @tim-finnigan - at least from my view, this ticket can be closed?

@rwjack

rwjack commented Oct 6, 2023

That's odd, because I keep getting alerts for 2.13.24 - SHA256:c140d048f350d70ccdbb10ed5a4f152ad168aca8b586bddd10d94d93abc0497c

@tim-finnigan
Contributor

Thanks all for reaching out regarding the scan report flagging issues with AWS CLI v2. We are actively working with the virus scanning vendors to investigate the detections. We have not identified any impact and are working to confirm this is a false positive.

@tim-finnigan
Contributor

It appears that TrendMicro and McAfee are no longer flagging the CLI and we have not received any other reports here. I'll go ahead and close this issue but if anyone is still seeing the CLI flagged in any scans please share those details with us.

@tim-finnigan removed the investigating label Oct 17, 2023
@github-actions

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
