On Mon, Jun 15, 2026 at 6:12 PM <[email protected]> wrote:
> > Do you know that ascan is very confident that ascan is malicious? Is it > by design? No, just a hilarious quirk of the model - and many anti-virus scanners. Most tend to whitelist their own binary because the very sort of strings they look for tend to be in their own programs. I'll see about getting this sorted out though. > I am not affiliated with Atomdrift, but from what I am understanding it > may be comparable with how heuristics scanning in antivirus software looks > like. It seems that the goal is to highlight capabilities and behavior that > is either common for malware or untypical for normal software, through the > approach that Atomdrift uses seems to differ in an attempt to get around > the limitations of generic or rule-based heuristic scanning. > > As such, it would make sense for ascan to detect itself as suspicious > since what ascan is doing is highly unlikely for regular software or common > for malware... but the question is where we are drawing the line here. > > As for my first impression of ascan I must add that the results varied a > lot from one day to another from updating the models when scanning active > processes. > For reference, as of today it does flag my Hyprland, XWayland, > NetworkManager Applet and the entirety of Steam as "100% hostile". > Sometimes reasons are provided, sometimes one is left with only the > "MAL-ECULE" which probably contains everything one does need to know to > acknowledge how it came to the conclusion that something is suspicious or > hostile. But unlike the demonstration with the Atomdrift Lab that was > posted earlier that meticulously discloses how every individual finding in > the PKGBUILD was used to come to a conclusion, that type of transparency > seems to be currently missing in ascan, or at least I am unaware on how to > reproduce it. Not exactly optimal for evaluation if manual intervention is > required. > Agreed. I'll see about improving this; the way it's coded right now is if it knows there is a specifically located attribute; it shows it, but if the outcome is based on metrics, it doesn't display anything. The CLI tool provides detailed teardowns is seperate from the more end-user oriented scanner: https://codeberg.org/atomdrift/cleave While I wasn't able to reproduce this inconsistencies with scanning actual > AUR Git Clones that I happened to have laying around, it got me wondering > whenever this situation only exists with false-positives or if we also have > to keep false-negatives in mind. I wasn't going to risk to test with actual > malware on my system, but all of that got me thinking that it could add a > lot of additional work for the user when the target audience of the attack > has likely been to go for people that are blindly installing AUR Packages > without reading the PKGBUILD. So I am currently not sure if this is the > answer to our problems, at least on on the user's side. > I agree - the project is very much a work in progress; and I'm here to help isolate the false-positives. There is a lever in the mean-time you can use to set a very strict false-positive level: -l0 > The idea of integrating Atomdrift into the AUR does sound interesting but > I honestly lack insight to evaluate that. Maybe ascan is a lot better at > dealing with file scanning than with processes, or when using the > `--interpret` option to ask another Local LLM, or doesn't struggle with > false-negatives. But that requires more resourceful people to figure out. I > am still figuring out myself how I wanna improve my own approach to > building packages more reliably to catch missing dependencies or dodging > weird quirks of my main system... > > I hope this contributes anything meaningful to the discussion, > It does! Thank you for sharing your experience. If you run into any false-positives that should be addressed, please feel welcome to e-mail them to me or open a bug at https://codeberg.org/atomdrift/scan > PureFallen > > P.S. I apologize Pasha for the duplicate E-Mail; I ended up sending it > directly to you instead of the mailing list the first time. > >
