Skip to content

Sine is falsely flagged as a virus #506

Description

@CosmoCreeper

After being pinged almost every day about Sine being flagged as a virus by people's antiviruses, I have decided to make this issue and stop all the chaotic, separate, and unofficial issues regarding this matter. This issue will cover everything we know about why this happens, what we can do, and the actions we are taking to bring this to an end.

Report a false-positive

First of all, I would like to say that if your antivirus is flagging Sine as a virus, please let us know here, but only if it is not flagged as one of the known types listed below. If the type of virus your antivirus flags it as is listed below, then find the corresponding comment and like it. If it is not listed below, create a new comment and we will update this list.

If you are going to report a false-positive, please ensure that the virus type Sine's installer is flagged as, the antivirus you're using, and the OS you have are all listed in your report.

List of known false-positive flags

What is happening?

For ages now, Sine has been flagged by several antiviruses as a trojan, or some other type of virus. We know this to be false, but to the casual new user, these reports are a massive red flag. Many antiviruses are flagging Sine, including but not limited to, some VirusTotal vendors, Microsoft Defender, Bitdefender, and Malwarebytes.

Just as a clarification, it is not Sine that is being flagged, but rather it's installer, which helps us narrow down the why.

Why is Sine being flagged as a virus?

While we'll never get a peek inside the code of these antiviruses to understand exactly why, we do have a pretty good guess. To help you understand our next points, here's how Sine's installer works:

user executes installer ->
  user enters several paths and parameters.
  installer launches a script ->
    updater.bat on Windows *or*
    updater.sh on Linux and macOS ->
      updater script modifies the user's profile folder for Firefox, containing Sine's main code.
      updater script opens up another instance of itself asking for admin permissions ->
        if the user accepts, the updater script will then modify the user's Firefox installation folder to include Sine's bootloader.
installer closes out.

We have also noticed that most virus flags of Sine occur on Windows. This enables us to believe that the existence and the execution of a batch script is a high red flag for many antiviruses, but it doesn't stop there. If an antivirus is skilled enough to look forwards into the batch script and recognize that the batch script requests admin permissions and makes modifications to existing programs (Firefox, to install Sine's bootloader), it most likely will not be happy with that.

When you pair both of these red flags together with the fact that Sine's installer is not code-signed (would cost money), an antivirus would be inclined to flag Sine as a virus.

What steps are we taking to fix this?

  • We have applied for a code signing certificate from SignPath, and you can stay up-to-date on that in this issue. (this is the most likely option to reduce trojan and virus false-positives)
  • We have improved our release provenance and ensured that every release step is traceable and verifiable. (Improve Release Provenance #475)
  • We have switched to using immutable releases from now on, so public release assets cannot be changed after being published. (Improve Release Provenance #475)

How can you know Sine is safe?

Great question. We open-source all of our code, so you can take deep dives into it and fully understand what the installer does and what Sine does in it's entirety. Nothing is private. Even our release process is publicized.

Sine GitHub organization (official): https://github.com/sineorg
Installer source code: https://github.com/sineorg/installer
Bootloader source code: https://github.com/sineorg/bootloader
Store source code: https://github.com/sineorg/store
Sine source code: https://github.com/CosmoCreeper/Sine

What steps can I take to help?

The best thing you can do is report these false-positives in their entirety to both us and your antivirus. Share proof to them about how it's safe and ask that they take a look into it. If they can do no more but tell you why it is being flagged, then send it to us. We need to know how to move forwards and how to fix these false-positives, especially from the maintainers of the antiviruses themselves.

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingstagedTo be fixed/added in the next update.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions