Go programs are not viruses. September 27, 2022 on webb's site

I develop a tool called murse, which is a CLI for the TVN versioning system. It’s used in the Windows install scripts for Open Fortress, however we’ve been facing an extremely common issue.

why windows defender blocking download?

Hello, i tried to install Open Fortress. My anti virus blocked it mid way through the first time.

I’m trying to install, but my anti-virus REALLY doesnt like the installer

my anti-virus got involved and cancelled the install

Antiviruses, especially Windows Defender, pick it up as a virus. Of course it’s not a virus, you can view the source code for yourself to see that. So what’s going on here?

The Runtime

murse is written in Go. While it is a compiled language, it includes a built-in library with every program called the runtime. This includes code that helps Go programs work, such as the garbage collector. Usually libraries like these are dynamically linked. If you see .so or .dll files that’s what these are – libraries split off into their own files. However the standard Go compiler, gc, statically compiles everything. This means that all the libraries are shoved into a single executable with no DLLs. This is why Go binaries tend to be bigger.

Go, like any programming language, can be used to create viruses. When an antivirus company discovers a virus, they will create fingerprints of parts of the programs. If a virus is similar to another, it will mark it and prevent it from doing harm. The problem here is that the runtime is a large part of Go binaries. Once a virus written in Go is detected, it will see that same runtime in other Go programs and remove it. Thousands of innocent projects are thrown under the bus because of some users writing malicious programs.


Now what I’m describing can be mitigated by signing the program with a certificate. Usually this is used to prove the authenticity of a program or driver (if you ever see the company name when running an executable, this is where that comes from.) This has a secondary role of showing antiviruses that your program is more trustworthy – you aren’t just some random person publishing a program. So, how would I as a developer get one?

Well you need to buy one. Alright let-

$448.00 USD

Term: 1-Year

That’s just over a hundred Canadian dollars below what I make in a month. In order to have my completely innocent program work I need to give up nearly a month’s worth of my income. This is basically extortion, if I don’t pay this users will have to deal with the headache of convincing their antiviruses that the program is not a virus, as well as potentially thinking I’m trying to infect their machines. Keep in mind that these issues aren’t exclusive to Go programs – Python projects are also a common target of antiviruses when packed. If you use something like UPX to make your program smaller it makes the problem even worse. Even a simple Hello World in Go can trigger these things.

So to Microsoft, please stop extorting us. To my users, sorry for all of this.