> Do you know that ascan is very confident that ascan is malicious? Is it by 
> design?

I am not affiliated with Atomdrift, but from what I am understanding it may be 
comparable with how heuristics scanning in antivirus software looks like. It 
seems that the goal is to highlight capabilities and behavior that is either 
common for malware or untypical for normal software, through the approach that 
Atomdrift uses seems to differ in an attempt to get around the limitations of 
generic or rule-based heuristic scanning.
As such, it would make sense for ascan to detect itself as suspicious since 
what ascan is doing is highly unlikely for regular software or common for 
malware... but the question is where we are drawing the line here.

As for my first impression of ascan I must add that the results varied a lot 
from one day to another from updating the models when scanning active processes.
For reference, as of today it does flag my Hyprland, XWayland, NetworkManager 
Applet and the entirety of Steam as "100% hostile". Sometimes reasons are 
provided, sometimes one is left with only the "MAL-ECULE" which probably 
contains everything one does need to know to acknowledge how it came to the 
conclusion that something is suspicious or hostile. But unlike the 
demonstration with the Atomdrift Lab that was posted earlier that meticulously 
discloses how every individual finding in the PKGBUILD was used to come to a 
conclusion, that type of transparency seems to be currently missing in ascan, 
or at least I am unaware on how to reproduce it. Not exactly optimal for 
evaluation if manual intervention is required.

While I wasn't able to reproduce this inconsistencies with scanning actual AUR 
Git Clones that I happened to have laying around, it got me wondering whenever 
this situation only exists with false-positives or if we also have to keep 
false-negatives in mind. I wasn't going to risk to test with actual malware on 
my system, but all of that got me thinking that it could add a lot of 
additional work for the user when the target audience of the attack has likely 
been to go for people that are blindly installing AUR Packages without reading 
the PKGBUILD. So I am currently not sure if this is the answer to our problems, 
at least on on the user's side.
The idea of integrating Atomdrift into the AUR does sound interesting but I 
honestly lack insight to evaluate that. Maybe ascan is a lot better at dealing 
with file scanning than with processes, or when using the `--interpret` option 
to ask another Local LLM, or doesn't struggle with false-negatives. But that 
requires more resourceful people to figure out. I am still figuring out myself 
how I wanna improve my own approach to building packages more reliably to catch 
missing dependencies or dodging weird quirks of my main system...

I hope this contributes anything meaningful to the discussion,
PureFallen

P.S. I apologize Pasha for the duplicate E-Mail; I ended up sending it directly 
to you instead of the mailing list the first time.

Reply via email to