Virus Detection

[n3096]

Hey there,

I just downloaded the stable zips for windows and linux to generate some keys for NoiseProtocol. Both my NordVPN and Bitdefender alarmed me for each file with different reports.
While NordVPN (for whatever reason it is checking my downloaded files) claims a TR/Agent.ijplw on the windows-zip, my Bitdefender tells me the linux-zip was loading a ressource recognized with "Application.Linux.Generic.21299".

Maybe both are false alarms. Still, I just want to let you know.

Cheers, n3096

[csd4ni3l]

This is expected, its said in one of the issues. Its because rathole is an unarchiving exe, meaning it will unarchive the contents of a directory that is included inside it, and this triggers many anti viruses. You can avoid this by compiling from source.

[n3096]

@csd4ni3l Understood. You pointed out the "how". Still, "why" is it declared as a virus?

[alpharde]

@n3096 Because rathole's behavior will look suspicious to most anti-viruses out there: "Hey there's this unsigned binary sending a lot of data to some unknown server using NAT traversal".

[Fredyic]

Hello I have compiled the source code in my laptop windows and here you have the diff in virustotal.com

Compiled by rathole teem:
https://www.virustotal.com/gui/file/a91717eb37b3dc25c9d2391aca6a1b1f8edde9a3de626264718811ff8113e55b

My own compilation:
https://www.virustotal.com/gui/file/2db26b090b0294bf899e743957e43fbbcfdaea1f18985bc1928b9a391b8b530e

My windows defender do not detect my compiled rathole.exe how virus, only detect how "PUA - potentially unwanted applications" when you click over icon but not when you run in console cmd. Also when I run scan, windows defender do not detected something.

Google Drive notice me with "This type of file could be dangerous
The "tunx-orig.exe" file type could harm your computer. Download it only if you are aware of the risks involved." when I download the file from my drive space.

Here you have explanation from microsoft for this "virus"
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Program:Win32/Wacapew.C!ml

Detect and block potentially unwanted applications
https://learn.microsoft.com/en-us/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus

Chatgpt suger me of obfuscate the source code and compile again.
I'm sorry but I write in spanish to chatgpt. I need try this option, but I don't know is this a good solution or is worse solution, only compiling this and trying I can to know.

3. Obfuscación leve de strings en Rust (obfstr)

Objetivo: Ocultar cadenas sensibles en tiempo de compilación, como "ssh", "localhost" o "token", que a veces los antivirus usan como heurística para marcar binarios.
📦 Paso 1: Añadir la dependencia

Edita tu Cargo.toml y añade:

[dependencies]
obfstr = "0.4"

🧠 Paso 2: Usar obfstr! en lugar de strings normales

Reemplaza cualquier string sospechosa:

// En vez de esto:
let s = "ssh connection";

// Usa esto:
use obfstr::obfstr;
let s = obfstr!("ssh connection");

Esto hace que la string se guarde en el binario cifrada y se descifre en tiempo de ejecución. No cambia funcionalidad, solo ayuda a evitar detección heurística.

[Fredyic]

I add more information.

Yesterday I compiled source code of 2 differents options.

1: Only compiled, the size of file is 4MB
2: Compiled + binary optimization (I use strip) + compression ( I use ufx) 1,4MB

Conclusions:
1.- The original rathole.exe file from githup rathole:
It Is detected how virus for many security vendor's. in virustotal.com

2.- My own compiled file WITHOUT optimization and compression binary.
Only is detected how virus for microsoft and alicloud in virustotal.com, but in my local laptop, if I run scan over the file or folder, nothing is detected, only when you click over file , a blue windows blue is open and notifiy you about PUA.

If I upload this file to my google drive space, in upload process I have not problem , nothing is detected, but when I download the file , google open window and notify me with "This type of file could be dangerous
The "tunx-orig.exe" file type could harm your computer. Download it only if you are aware of the risks involved." when I download the file from my drive space." I changed the file name too.

3.- My own compiled file WITH optimization and compression binary.
It Is detected how virus for some security vendor's. in virustotal.com

The Google upload process does not detect how virus, but when I download, now the message change and now notify me "The file have a virus...."

I changed the file name too.

Regards
Alfredo