Use the VirusTotal API to scan submitted add-ons for malicious content

[seanbudd]

The scanning implemented in #2660 generally covers cases where an add-on author may not be aware of security risks of an add-on. In general, CodeQL scanning is more designed around finding security issues caused by accident/ignorance, rather than maliciously designed code. A maliciously constructed add-on could be built and potentially pass these checks. Scanning with VirusTotal will further catch dangerous add-ons i.e. add-ons bundled with known malware.

https://docs.virustotal.com/reference/overview

[nvdaes]

I've found this GitHub Action to scan release assets with Virus Total.

[nvdaes]

Also, local files can be scanned, so that when the add-on is downloaded after crating the submission issue, it maybe used.
I don't have an API key, but if it's free I'll test in my fork of the store after finishing the PR about CodeQL.

[nvdaes]

I think that we should analize .exe files after unzipping the add-on, and, if Virus Total analizes them, we can post link to analysis in the corresponding issue.
Since we don't know how many files we will find in add-ons, I think that creating a script that checks for each json file produced in the analysis will be expensive and unpredictable, and perhaps for this reason the mentioned GitHub Action reports just filenames and links to Virus Total reports.
Luckily, we don't have many add-ons with .exe files.
If someone submitting such kind of add-ons is considered a trusted author, a list of trusted add-ons maybe created for updates.

[CyrilleB79]

Is there only the possibility to analyse .exe files? Not other files such as .dll or .pyd?

Also, we can imagine that an add-on embeds a malicious executable code in a .exe renamed to .py, .pycle, .dat (or whatever extension). Then at runtime it may rename the file to .exe and execute it.

Is there any reason to restrict scanning to .exe?

[nvdaes]

Cyrille wrote:

Is there only the possibility to analyse .exe files? Not other files such as .dll or .pyd?

We can try to analize whatever file we went, even the .nvda-addon itself.

Also, we can imagine that an add-on embeds a malicious executable code in a .exe renamed to .py, .pycle, .dat (or whatever extension). Then at runtime it may rename the file to .exe and execute it.

Oh, it's true. I have also thought that non bundled files maybe downloaded.

Is there any reason to restrict scanning to .exe?

No. I've tried to analize emoticons add-on and of course it's not detected as malware. So I have thought that maybe better to analize unzipped files.
I've tested today for the first time. I have been able to upload the emoticons add-on from the web interface, not using my recently created API key.
I think that for testing I'll fork the used GitHub Action, who includes a workflow for testing the action itself, to discard problems when I pasted my API key in a repository secret.
Ideally we should be able to analize single add-ons. Another problem is that I don't know how to simulate a malicious add-on to test what happens in those cases.

[seanbudd]

VirusTotal should be able to scan a whole add-on as a ZIP file if the add-on is uploaded with the extension changed to .zip

[XLTechie]

@nvdaes For testing, you may use these: https://help.eset.com/emsx/7.3/en-US/antivirus_test.html https://www.computerhope.com/issues/ch001386.htm There are many more such things for testing positive virus scans out there.

[nvdaes]

Thanks @XLTechie. I"ll use this for testing in the next days.

[nvdaes]

For reference. I'll try to use the Virus Total command line:

https://github.com/VirusTotal/vt-cli

[nvdaes]

I've got the following artifact analyzing clipContentsDesigner 31.'.0.0 add-on. I think that we can show the workflow like done in codeQl analysis, if we find failures, malicious or suspicious positive numbers in stats.
Artifact (with the default retention days
https://github.com/nvdaes/addon-datastore/actions/runs/8739900542/artifacts/1426240194

[nvdaes]

Aother artifact including analysis of a test provided by @XLTechie , for some reason empty.
Note: I used *.json in the path artifact, so discussions and submitters.json are included.

https://github.com/nvdaes/addon-datastore/actions/runs/8743424504/artifacts/1427157401

In this case, the results key in the vt.json file is not empty. I still think that we should use the stats key

[nvdaes]

I'm seeing that analysis for clipContentsDesigner 31.0.0 add-on, which doesn't include malware, is not consistent between checks. For example,in one of mytest the status is quewed (maybe that VirusTotaldidn't finish the analysis). Also once I saw 3 failures (I suppose that this means that 3antivirus failed to analize the add-on). And reports are updated from time to time.
So I suppose that we should block add-ons whose analysis result includes a report of at least one malicious result, and also we may add the virusTotalAnalysisURL, similar to the review URL, so that people can easily find the last report:

https://docs.virustotal.com/docs/most-recent-report