
Software blocks Golang


YLemelin


When the Malwarebytes software is running in the background and I launch even the simplest Go code, the code just does not execute. No log, no quarantine. I did whitelist both my project file and the Go install folder as it was picking up issues from there even if it shouldn't. But if I just kill the Malwarebytes app, my simple print line project does work.

I didn't post this in the false positive thread as there is no log or not 1 specific issue. It just won't let you run any Go project....

Running the app v4.6.13 btw


  • Staff

Hmm, so no detection displays on screen? I wonder if this is an Anti-exploit detection. Can you try malwarebytes again and disable the anti-exploit detection and see if that helps? This is in order to narrow down the cause.


9 hours ago, miekiemoes said:

Hmm, so no detection displays on screen? I wonder if this is an Anti-exploit detection. Can you try malwarebytes again and disable the anti-exploit detection and see if that helps? This is in order to narrow down the cause.

That is exactly it. Good catch miekiemoes. Although it would be nice if I didn't have to toggle it off every time I work on my code.


12 minutes ago, Porthos said:

It should have created a log of the block. Can you post that, please?

The scanner output:

 

Quote

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/6/24
Scan Time: 9:48 AM
Log File: 43572bf2-0baf-11ef-93a5-c87f54ca1823.json

-Software Information-
Version: 4.6.13.324
Components Version: 1.0.2319
Update Package Version: 1.0.84333
License: Premium

-System Information-
OS: Windows 11 (Build 22621.1992)
CPU: x64
File System: NTFS
User: System

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Scheduler
Result: Completed
Objects Scanned: 370471
Threats Detected: 3
Threats Quarantined: 0
Time Elapsed: 4 min, 24 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Generic.Malware.AI.DDS, C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\GO-BUILD375181891\B001\EXE\MAIN.EXE, No Action By User, 1000002, 0, 1.0.84333, 00007D11000E1E13742448BD, dds, 02811604, 7889C10DA3D845BFEAD4C3091C8EC5FB, 7187EC0EF6C9C058C08BCC7C5552290FDB148EE7D17EB13EC2A80EC8BB4D77A0
Generic.Malware.AI.DDS, C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\GO-BUILD1347865309\B001\EXE\MAIN.EXE, No Action By User, 1000002, 0, 1.0.84333, 00007D11000E1E13742448BD, dds, 02811604, AF8FF6A37CD4672D7B76329902BC73AA, 0363FE40AD873E46B2DC38C25CE57BC3297247254E722C9EF83DD574C5EF0F8F
Malware.AI.4250218074, C:\USERS\ADMINISTRATOR\GO\BIN\GOPLAY.EXE, No Action By User, 1000000, -44749222, 1.0.84333, F50CDDE66A2C654BFD552E5A, dds, 02811604, CF0E5AD33904D50B8E5B01F0906CE977, 38A2FE070AB95C919961A845ACACF3160636E8085330034019BCC58C630CD495

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)

 


2 minutes ago, YLemelin said:

TBH I'm not certain. I am just learning the language

The reason I ask that is we ask people to add the development folder to the allow list but that temp folder should NEVER be excluded as malware likes to run from there.


3 minutes ago, Porthos said:

The reason I ask that is we ask people to add the development folder to the allow list but that temp folder should NEVER be excluded as malware likes to run from there.

Ah ok, well I did only whitelist the projects folder and the Go one


This is the one that I am referring to.

C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\GO-BUILD375181891\B001\EXE\MAIN.EXE

This main folder is where Golang is placing temp build files and it is dangerous to exclude that folder from scans.

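An added example, not part of the thread and not Malwarebytes or Go project code: one way to follow the advice above is to move Go's temporary build output out of the shared %TEMP% folder using the Go toolchain's GOTMPDIR setting, so that any allow-list entry covers a dedicated development folder only. The folder path below is an assumption, and the thread does not establish whether this stops the block the poster saw.

```powershell
# Added example: give the Go toolchain its own temp build directory.
# The path "dev\go-tmp" is hypothetical; pick a folder inside your own
# development tree, never %TEMP% itself.
$ErrorActionPreference = 'Stop'

$goTmp = Join-Path $env:USERPROFILE 'dev\go-tmp'
New-Item -ItemType Directory -Path $goTmp -Force | Out-Null

# Lock the folder down so only the current user, SYSTEM and local
# Administrators can write executables into it. An allow-listed folder
# that any process or user can write to is the risk described above.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $goTmp
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs
foreach ($id in @($me, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $goTmp -AclObject $acl

# Persist the setting in the per-user Go environment file, so every
# "go build", "go run" and "go test" creates its go-build* work
# directories under $goTmp instead of %TEMP%.
go env -w "GOTMPDIR=$goTmp"

# Confirm the toolchain picked it up.
$effective = (go env GOTMPDIR).Trim()
if ($effective -ne $goTmp) {
    throw "GOTMPDIR is '$effective', expected '$goTmp'"
}
Write-Output "Go temp build directory: $effective"

# To see it in action, run "go build -work" in a project: the WORK=
# line it prints should now start with $goTmp.
```

Run `go env -u GOTMPDIR` to return to the default location.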

  • Staff

Can you zip and attach the following files after unquarantining?

C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\GO-BUILD1347865309\B001\EXE\MAIN.EXE
C:\USERS\ADMINISTRATOR\GO\BIN\GOPLAY.EXE

This is so I can have a look at them and see what we can do in order to exclude.

Please note, our above detection is a machine learning/AI detection because we see a lot of malware created in GO as well.


7 hours ago, miekiemoes said:

Can you zip and attach the following files after unquarantining?

C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\GO-BUILD1347865309\B001\EXE\MAIN.EXE
C:\USERS\ADMINISTRATOR\GO\BIN\GOPLAY.EXE

This is so I can have a look at them and see what we can do in order to exclude.

Please note, our above detection is a machine learning/AI detection because we see a lot of malware created in GO as well.

 

go-build375181891.zip go-build1347865309.zip

