5d11cf1842
Document known Kaspersky false positive issue with Go binaries and provide user workarounds. Changes: - Add comprehensive docs/ANTIVIRUS.md with: - Explanation of why Go binaries trigger AV false positives - Step-by-step exclusion instructions for Kaspersky, Windows Defender - File integrity verification procedures - False positive reporting guide - FAQ section - Update docs/TROUBLESHOOTING.md with quick reference section - Close bd-t4u1: Kaspersky PDM:Trojan.Win32.Generic detection Root cause: Kaspersky's heuristic detection flags Go binary patterns as suspicious. This is an industry-wide issue affecting many Go projects. Build already uses recommended optimizations (-s -w flags). Future improvements (code signing, vendor whitelist) tracked separately. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
5.8 KiB
Antivirus False Positives
Overview
Some antivirus software may flag beads (bd or bd.exe) as malicious. This is a false positive - beads is a legitimate, open-source command-line tool for issue tracking.
Why This Happens
Go binaries (including beads) are sometimes flagged by antivirus software due to:
- Heuristic detection: Some malware is written in Go, causing antivirus ML models to flag Go-specific binary patterns as suspicious
- Behavioral analysis: CLI tools that modify files and interact with git may trigger behavioral detection
- Unsigned binaries: Without code signing, new executables may be treated with suspicion
This is a known industry-wide problem affecting many legitimate Go projects. See the Go project issues for examples.
Known Issues
Kaspersky Antivirus
Detection: PDM:Trojan.Win32.Generic
Affected versions: bd.exe v0.23.1 and potentially others
Component: System Watcher (Proactive Defense Module)
Kaspersky's PDM (Proactive Defense Module) uses behavioral analysis that commonly triggers false positives on Go executables.
Solutions for Users
Option 1: Add Exclusion (Recommended)
Add beads to your antivirus exclusion list:
Kaspersky:
- Open Kaspersky and go to Settings
- Navigate to Threats and Exclusions → Manage Exclusions
- Click Add → Add path to exclusion
- Add the directory containing
bd.exe(e.g.,C:\Users\YourName\AppData\Local\bd\) - Select which components the exclusion applies to (scan, monitoring, etc.)
Windows Defender:
- Open Windows Security
- Go to Virus & threat protection → Manage settings
- Scroll to Exclusions → Add or remove exclusions
- Add the beads installation directory or the specific
bd.exefile
Other antivirus software:
- Look for "Exclusions", "Whitelist", or "Trusted Applications" settings
- Add the beads installation directory or executable
Option 2: Verify File Integrity
Before adding an exclusion, verify the downloaded file is legitimate:
- Download beads from the official GitHub releases
- Verify the SHA256 checksum matches the
checksums.txtfile in the release - Check the file is signed (future releases will include code signing)
Verify checksum (Windows PowerShell):
Get-FileHash bd.exe -Algorithm SHA256
Verify checksum (macOS/Linux):
shasum -a 256 bd
Compare the output with the checksum in checksums.txt from the release page.
Option 3: Report False Positive
Help improve detection accuracy by reporting the false positive:
Kaspersky:
- Visit Kaspersky Threat Intelligence Portal
- Upload the
bd.exefile for analysis - Mark it as a false positive
- Reference: beads is open-source CLI tool (https://github.com/steveyegge/beads)
Windows Defender:
- Go to Microsoft Security Intelligence
- Submit the file as a false positive
- Provide details about the legitimate software
Other vendors:
- Check their website for false positive submission forms
- Most major vendors have a process for reviewing flagged files
For Developers/Distributors
If you're building beads from source or distributing it:
Current Build Configuration
Beads releases are built with optimizations to reduce false positives:
ldflags:
- -s -w # Strip debug symbols and DWARF info
These flags are already applied in the official builds.
Code Signing (Future)
Future releases may include Windows code signing to improve trust scores with antivirus vendors. Code signing:
- Reduces false positive rates over time
- Builds reputation with SmartScreen/antivirus vendors
- Provides tamper verification
Alternative Build Methods
Some users report success with:
go build -ldflags "-s -w" -o bd ./cmd/bd
However, results vary by antivirus vendor and version.
Frequently Asked Questions
Is beads safe to use?
Yes. Beads is:
- Open source (all code is auditable on GitHub)
- Signed releases include checksums for verification
- Used by developers worldwide
- A simple CLI tool for issue tracking
Why don't you just fix the code to avoid detection?
The issue isn't specific to beads' code - it's a characteristic of Go binaries in general. Changing code won't reliably prevent heuristic/behavioral detection. The proper solutions are:
- Code signing (builds trust over time)
- Whitelist applications with antivirus vendors
- User reports of false positives
Will this be fixed in future releases?
We're working on:
- Submitting beads to antivirus vendor whitelists
- Adding code signing for Windows releases
- Continuing to use build optimizations
However, false positives may still occur with new releases until reputation is established.
Should I disable my antivirus?
No. Instead:
- Add beads to your antivirus exclusions (safe and recommended)
- Keep your antivirus enabled for other threats
- Verify checksums of downloaded files before adding exclusions
Reporting Issues
If you encounter a new antivirus false positive:
- Open an issue on GitHub
- Include:
- Antivirus software name and version
- Detection/threat name
- Beads version (
bd version) - Operating system
This helps us track and address false positives across different antivirus vendors.