fix(malware): remove hardcoded signatures to prevent AV false positives#106
Merged
Hardcoded malware signature strings (188 regex patterns, hash lookups) in the binary were triggering Avira EXP/YAV.Minerva false positives. Signature detection now relies entirely on cloud-downloaded YARA rules instead of bundled patterns shipped with the installer.

- Remove KNOWN_MALWARE_PATTERNS and KNOWN_MALWARE_HASHES from scanner
- Remove regex fallback scan path (YARA engine required for signatures)
- Remove build-time rule fetching (prefetch:rules) and bundled extraResources
- Reduce initial cloud rule check delay from 30s to 5s for fast first-launch
- Update YaraRulesInfo type, UI, and all 30 locale files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove YARA rule fetch step from release workflow (rules are no longer bundled, so fetching at build time is a no-op)
- Add proper "from cloud" translations for all 29 non-English locales instead of bare {{count}} placeholder
- Update stale comment in fetch-yara-rules.js

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- `EXP/YAV.Minerva` false positives
- `prefetch:rules`, `extraResources`) — rules are now downloaded from the cloud on first launch instead of shipped in the installer

Why

AV heuristic engines (Avira confirmed, likely others) scan our binary and see malware name strings like `XMRig`, `CobaltStrike`, `Emotet`, `WannaCry` etc. baked into the code. They flag the app as containing exploit patterns rather than recognizing it as a tool that detects malware. Moving all signature data to cloud-downloaded YARA rules eliminates these strings from the binary entirely.

What changed

- `malware-scanner.ipc.ts`: `KNOWN_MALWARE_PATTERNS` (188 entries), `KNOWN_MALWARE_HASHES`, and the regex fallback scan path. Kept `SUSPICIOUS_FILENAMES` (process name heuristics — won't trigger AV).
- `yara-rules-store.ts`: `getBundledRulesDir`/`getBundledRulePaths`, simplified `getAllRulePaths()` to cloud-only, reduced first check from 30s → 5s
- `electron-builder.yml`: `resources/yara-rules` from `extraResources`
- `package.json`: `prefetch:rules` from all `package:*` build scripts
- `shared/types.ts`: `YaraRulesInfo`: removed `bundledRules`, `'bundled'` source, `'regex-fallback'` engine; added `'pending'` engine state
- `MalwareScannerPage.tsx`
- `locales/*/malware.json`: `dbSourceBundled`, updated `dbRuleFilesCounts` to cloud-only format
- `KNOWN_MALWARE_PATTERNS` tests and bundled-vs-cached merge tests

Test plan

- `electron-vite build`)

🤖 Generated with Claude Code