Comments (12)
We are going to release v0.41.1 tomorrow. The version disables vscgo
invocation on windows.
Release candidate - https://github.com/golang/vscode-go/releases/tag/v0.41.1-rc.1
#3186 is the issue to revise the release workflow and reenable vscgo.
Thanks for reporting and investigating this issue.
from vscode-go.
This is a false positive. This is https://github.com/golang/vscode-go/blob/master/vscgo/main.go
and also see https://go.dev/doc/faq#virus.
Question for windows users: An alternative I am thinking is to package a precompiled binary with the extension, instead of letting the extension install the binary using go install
when getting activated. But it is unclear to me if that's sufficient to make those virus scanners silent. As far as I know other extensions also bundle go binaries, for example GH copilot or google cloud code. Have the virus scanners complained them?
from vscode-go.
Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.405.308.0) fix this issue, so it really looks like false positive.
From the beginning I thought it was more likely an M$ problem. Anyway it would be nice if the golang developer team and M$ both collaborated to avoid false positives without compromising the security of the system.
from vscode-go.
@hyangah ,
thanks for quick response. I think everyone here was suspecting false positive, but we needed someone to check and confirm :)
But it is unclear to me if that's sufficient to make those virus scanners silent
Not sure either - most likely the presence/use of binary is the trigger, not the way it was delivered...
from vscode-go.
from vscode-go.
Same here
from vscode-go.
I've updated the MSAV, and the problem remains. Does this file presents real threat or it's a false positive?
from vscode-go.
I'm getting this, which I guess is related. However, I don't know if its due to some corporate policy:
from vscode-go.
Question for windows users: An alternative I am thinking is to package a precompiled binary with the extension, instead of letting the extension install the binary using go install when getting activated. But it is unclear to me if that's sufficient to make those virus scanners silent.
This will help lowering the chances of false positive. MS Defender don't like applications that install software without user interaction.
from vscode-go.
Question for windows users: An alternative I am thinking is to package a precompiled binary with the extension
This, coupled with signing the binary with a code signing certificate, would be the best bet: most anti-malware solutions attach reputation to both the file hash (which will vary by release) and the certificate used to sign it (which will vary much more rarely), so code signing any PEs is a really good way of avoiding reputation-based false positives.
(Sadly it does come with a financial cost for the certificate, though - there's no equivalent of Let's Encrypt for code signing certs - yet!)
from vscode-go.
Change https://go.dev/cl/565679 mentions this issue: extension/src/goMain: skip vscgo installation on windows
from vscode-go.
Change https://go.dev/cl/565680 mentions this issue: [release] extension/src/goMain: skip vscgo installation on windows
from vscode-go.
Related Issues (20)
- staticcheck and other tools aren't compiled correctly when auto-downloading Go 1.22 HOT 6
- gopls: automated issue report (crash) HOT 3
- .github/workflows: use 1.22 HOT 2
- Code lenses with stretchr/testify/suite tests fail on windows HOT 1
- No support for `"editor.formatOnSaveMode":` `"modifications"` and `"modificationsIfAvailable"` HOT 5
- Remote debugging no longer stops at break points anymore after updating to v0.41.0 HOT 7
- Stop auto insertion of square brackets when using a generic function HOT 3
- Allow for choosing which grammar syntax highlighting you want HOT 1
- gopls: automated issue report (crash) HOT 1
- [macOS] gopls client: couldn't create connection to server HOT 1
- Go doesn't recognize workspace because of capital change HOT 2
- debug: Is there a way to step into a new coroutine when using a handler?
- Linux to Windows remote: Go commands not available HOT 3
- auto complate very low HOT 2
- Release v0.41.1 HOT 1
- release: embed signed vscgo binaries in the extension HOT 1
- Extract variable returns an extra lhs expression and no template edit support is available HOT 1
- gopls: automated issue report (initialization) HOT 2
- gopls v0.14.2 crashes while handling completion when packages.Load fails due to invalid go.work HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from vscode-go.