frpc.exe detected as virus

Created on 19 Apr 2019  ·  16 Comments  ·  Source: fatedier/frp

I am using frpc as a proxy for RDP (port 3389/TCP) on Windows, using stcp. Works beautifully, but Windows Defender, the default anti-virus, wrongly reports the executable frpc.exe as a virus and blocks/removes the file immediately. Kaspersky anti-virus does it too. This is totally annoying and makes the use of the program a pain, if not impossible, in my corporate environment that has to have anti-virus software installed by (terrible and dumb) laws and regulations: in some machines the anti-virus program can't be disabled at all. Is there a way to circumvent this issue?

question

All 16 comments

Can you try to build it on your machine and see if it's still reported as a virus?

It gets detected as a virus/trojan after any update of Windows Defender and quarantined. This is unbelievably annoying. Antivirus "protection" programs, in my humble opinion, are utter crap, always been useless, resource-wasters and memory hogs. We had three breaches in our systems and the hackers disabled a $4000 "Enterprise" version of Kaspersky in three (3) minutes. After that they encrypted all the files and backups and we ended up having to pay a $5000 ransom to get the decryption key. The only purpose of anti-viruses is to slow down a $4000 server to the speed of a smartphone. And to make you pay a ton of money for that. This nonsense in the Microsoft Windows world has to end, but I doubt it.

I don't think so. Windows Defender can protect your server from some viruses, not all.

https://golang.org/doc/faq#virus

This is a common occurrence, especially on Windows machines, and is almost always a false positive. Commercial virus scanning programs are often confused by the structure of Go binaries, which they don't see as often as those compiled from other languages.

Can you add frp to your anti-virus software's white list?

Sometimes I do not have access to white lists, because they are centralized in an enterprise environment (Kaspersky) and require special credentials.

I partially solved the problem by strongly encrypting the binary with a utility called "Enigma Virtual Box". It makes the executable a little bigger, and loading times a tad slower, but can pass undetected, for some time. After a while (two, three days), the heuristics in the antivirus code block the program again so I have to re-crypt it. It's like a cat-and-mouse game.

I'm about to set up another frp s/c for some of our company's Windows servers. Just downloaded 0.34.2 and 0.33.0, both triggered a Trojan warning by Windows Defender. Can't risk deploying it to the company server... But the older version 0.30.0 on my machine still reports as sane.
Sad. I really wanted to try the new TLS custom certificates feature.

@zoeeer Try to build it on your own machine from source code?

Can confirm recent versions of Windows Defender start detecting it. It happened around Nov 20.

I have a remote system that I need to access via FRP but noticed it's offline and it never reconnected. Using another (yet slower) remote access utility I found that Windows Defender killed and removed it saying it's a Trojan.

This has impaired my work and I'm currently in the process of adding the frp folder to the exclusion list (F*CK-U M$)...

EDIT: Done restoring frpc and adding it to the exclusion list. What an effort... at least I could resume my work.

@lss4 https://github.com/golang/go/issues?q=is%3Aissue+windows+detect+virus+is%3Aclosed+
There are already many issues about this and we can't do anything for that.

Should note that Windows Defender did not detect the virus as a heuristic. In my case it mentioned the frpc executable is a Trojan:Win32/Zpevdo.B. This is on frpc 0.34.1.

Not sure which part of the code caused Windows Defender to detect it as that. Googled that virus signature, and it seems several other things have also been flagged as that before, and there were cases of false positives as well.

EDIT: Just noticed the newly created issue #2095. It seems the detection signature varies by person, by frp version, and by antivirus definition update. Guess it's a bit out of control and better advise users to add frp folder to exclusion list (if possible) to avoid further issues.

@lss4 Can you compile frpc on a Windows machine and see if it's also reported as a virus?

It was cross compiled on linux before.

Not sure what's needed to build on Windows. I haven't built with Go on Windows before.

I've cloned the frp repo, installed go 1.15, and installed GNU Make 4.3 from Chocolatey. I'm building it from Git bash because PowerShell doesn't recognize the env command (I think that needs to be changed to PowerShell's counterparts if trying to build there).

Not sure if Makefile is all I need to build, but I'm getting tons of invalid NUL character and invalid character U+0000 errors and cannot proceed any further.

@fatedier What are the instructions and pre-requisites for compiling from source on Windows?

There are no compile instructions in the README.md file.

@frakman1 On Linux or MacOS.

You can build it like other golang projects.

  1. Install golang environment.
  2. git clone git@github.com:fatedier/frp.git ./frp
  3. cd ./frp && make

I'm not sure if there are differences on Windows.

You can build it like other golang projects.

Other golang projects don't use Makefiles. Windows doesn't have make.

I'm not sure if there are differences on Windows.

How do you build the official Windows binary in the release if you don't know this? Does someone else build it for you?

@frakman1 Released binaries are cross compiled on Linux. Find more info in package.sh file.

You can find go build commands in Makefile.

Just build it your own way if you are familiar with golang.

Thank you. I never built a go app before. I had to install various components to get it to work on Windows.

1- Go for Windows: go1.15.6.windows-amd64.msi
2- Git Bash: Git-2.29.2.2-64-bit.exe
3- MinGW Compiler (bundled with CodeBlocks IDE): codeblocks-20.03mingw-setup.exe

I was finally able to build using the unusually named make binary from the mingw compiler from within the Git Bash terminal:

$ "C:\Program Files\CodeBlocks\MinGW\bin\mingw32-make.exe"

Windows binaries: frp.zip

My point is that it's not obvious.

Please include build instructions in the README for future reference.
