Skip to content

Drop the embedded leakless binary that trips antivirus#69

Merged
tamnd merged 3 commits into
mainfrom
fix/leakless-antivirus-false-positive
Jul 8, 2026
Merged

Drop the embedded leakless binary that trips antivirus#69
tamnd merged 3 commits into
mainfrom
fix/leakless-antivirus-false-positive

Conversation

@tamnd

@tamnd tamnd commented Jul 8, 2026

Copy link
Copy Markdown
Owner

What

Fixes #68. A fresh scoop install kage on Windows was quarantined by Windows Defender, which flagged leakless.exe. go install was unaffected.

Why

kage renders pages with go-rod, whose launcher imports leakless, a watchdog that force-kills Chrome if the parent exits. leakless base64/gzip-embeds a prebuilt helper for every platform (bin_amd64_windows.go and friends), so the Windows helper is linked straight into kage.exe. Defender recognises that helper as Trojan:Win32/Kepavll!rfn.

#54 already disabled leakless at runtime (Leakless(false)), so the helper never runs. But the payload bytes stayed in the binary, and leakless extracts leakless.exe to %TEMP%\leakless-amd64-<ver>\ the moment it is used, which is the file the reporter saw flagged.

Fix

Add an API-compatible stub for the package under third_party/leakless (New, Support, LockPort, and the Launcher type's Command/Pid/Err) with no embedded binary, and point a replace directive at it. Support() returns false, so go-rod skips the leakless path even if a caller re-enabled it.

Verification (on a Windows box, native build)

  • Fixed kage.exe: 1.28 MB smaller; the gzip'd payload, the leaklessBinaries map, and GetLeaklessBin are all gone. Windows Defender full scan: no threats.
  • Reconstructed the exact payload the unfixed build embeds and scanned it on its own: Defender flags Trojan:Win32/Kepavll!rfn, confirming those are the bytes that were being detected.
  • kage clone https://example.com: Chrome launches through the stub and the page renders; no leakless.exe is written to temp.
  • Full go test ./... passes.

tamnd added 3 commits July 8, 2026 19:34
go-rod's launcher imports github.com/ysmood/leakless, which base64/gzip
embeds a prebuilt leakless.exe for every target. On Windows that helper is
linked straight into kage.exe, and Windows Defender flags its signature and
quarantines a fresh scoop install before kage ever runs.

kage already launches Chrome with leakless disabled (browser/leakless.go),
so the guard was never doing anything, only adding the flagged bytes. This
adds an API-compatible stub for the package under third_party/leakless with
no embedded binary and points a replace directive at it. The Windows build
loses about 1.28 MB of packed executable and no longer carries the payload
that antivirus reacts to. Support() returns false, so go-rod skips the
leakless path even if a caller re-enabled it.
Add the release-notes and changelog entries for the leakless helper removal
(#68), so the docs site and CHANGELOG explain why the Windows build shrank and
what the earlier virus warning was.
The replace points leakless at a local directory, so go mod tidy no longer
needs the upstream module's checksum. Keeps the tidy CI check green.
@tamnd tamnd merged commit 35860d5 into main Jul 8, 2026
9 checks passed
@tamnd tamnd deleted the fix/leakless-antivirus-false-positive branch July 8, 2026 12:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

PSA: Windows scoop install has a virus false positive

1 participant