Back to GDNet Lounge

Github and Viruses

GDNet Lounge Community

Started by Josheir October 12, 2019 06:14 PM

13 comments, last by allrts dot com 4 years, 5 months ago

Josheir

489

Author

October 12, 2019 06:14 PM

I'm wondering how everyone is staying virus/ransomware free using GitHub. From what I've heard GitHub checks for corrupt files but "bits and pieces get through." Someone also said they thought I would be alright if I use Windows Defender and Malware Bytes. Another person suggested using a really great $100 dollar virus program that would check live. Online it was suggested that the best protection is that the file is checked when "pulled onto the client" and "use external scans" What is the best defense, and what programs will scan the "pulled GitHub source files" live?

- Josh -

Prototype

2,097

October 12, 2019 07:34 PM

I've never heard of this problem. Do you mean like embedded executables inside the repo or something? Other than that I don't see how you could contract a virus from downloading a bunch of text files. Frankly, I have never used any antivirus software at all, besides perhaps the standard Defender on Windows.

JoeJ

4,183

October 12, 2019 07:38 PM

Yeah, people mostly avoid uploading executables or dlls. So no virueses, but a lot of fun to build all those dependencies yourself.

Green_Baron

221

October 12, 2019 07:42 PM

I have never caught a virus or any malware i knew of in my life and i am reaching towards the 60s.

Her's my how-to:

Git: I don't clone (not even my own rep, i just push), i download zips and expand them somewhere.

I never use a virus checker. I regard them as viral themselves.

I do not open emails that i do not know of where they come from.

I do not click on something that i do not know where it leads to. If it redirects (and isn't a well reputed site) i leave it.

No social networks.

I am on Linux.

I do not update when some software tells me to do.

I don't install software that demands any privileges. So, no unity, sorry ...

That has, until now, been enough to keep my stuff malware free (edit: to my knowledge). Bu of course it doesn't take care what other sites (bank, insurance, telephone company, etc.) do with my data. But that i have to accept ...

Concerning git: i am only interested in the sources and the way people address certain programming problems and tasks. So there is no real risk of catching something.

DerTroll

252

October 12, 2019 10:32 PM

2 hours ago, Green_Baron said:

I never use a virus checker.

2 hours ago, Green_Baron said:

That has, until now, been enough to keep my stuff malware free (edit: to my knowledge)

Hrhr... reminds me a little bit of children who close their eyes and tell themselves that you can't see them because they can't see you. ?

Using Linux and staying away from doubious sites is already a good protection but still not 100% safe.

Regarding Github: I would only clone popular Repos where you can be sure that it is maintained by trustworthy people. Not because I am afraid of Malware/Viruses but of wasting my time with badly written code. Low risks of catching a virus via Github is a bonus of this approach.

Greetings

Josheir

489

Author

October 16, 2019 04:41 PM

On ‎10‎/‎12‎/‎2019 at 6:32 PM, DerTroll said:

Low risks of catching a virus via Github is a bonus of this approach.

This and the comment about not cloning the repo caught my eye. I thought from the other posts that we don't get viruses from GitHub?

Green_Baron

221

October 16, 2019 09:24 PM

*pullsheadoutofsand*

I would assume that it is at least improbable. That Github performs checks to avoid being obviously contagious because a bad reputation might drive people off. But i doubt one can categorically exclude it.

Can malware be transported and activated through textfiles or images ? I only know rumors, no idea ...

*sticksheadbackintosand* :-)

Prototype

2,097

October 17, 2019 02:03 AM

3 hours ago, Green_Baron said:

Can malware be transported and activated through textfiles or images

That's not an open question, it's simply 'no'. It could however trigger a vulnerability in the software used to open it, as we've seen with the JPG decoder in GDI. That's why it's important to protect your software from buffer overruns and such.

I think the major reason GitHub has this in place is to prevent liability claims, after all you could theoratically download an infected executable with their service. You'd still need to run it yourself in some way though. There is no magic in your file system that lets downloaded files do anything.

slayemin

6,313

October 17, 2019 09:30 AM

Let's put your concerns on github on pause for a moment. I think you need to take a larger step back and look at your security risks and disaster recovery plan. You are worried that a virus could wipe out your data on your computer and you suspect that it's possible to get a virus from github. The bigger problem is that github is not going to be the sole vector for viruses and malware. Your computer could have an unpatched zero-day exploit which lets someone execute remote instructions and load in root kits or other malware. This is always a possibility for any device connected to the internet, regardless of operating system or device type. You can take all of the reasonable precautions in the world, like patching periodically, not running untrusted executables, watching your logs, consistently using AV, etc etc. But there is no such thing as perfect security.

Let's assume your computer *does* get compromised and you experience data loss and can't recover data. The less important question is how you prevent that, and the more important question is how you recover from that disaster. On a more holistic scale, viruses are only one disaster in the set of all disasters which cause data loss. Your building could catch on fire. Someone could burglarize your building and steal your computer. Your hard drive could fail. Your motherboard could fail. You could spill hot coffee all over your computer. A loose heatsink could cause your CPU to melt. You could accidentally delete your project.

The solution to all of this is backups. Back up any data you want to keep! If its important, you should have multiple copies of it and you should anticipate multiple disasters and have contingency plans in place to mitigate their effects. Source control is not a backup. Imagine you spent 50 hours writing a 60 page word document and the whole time, you *never* clicked the save button. There is no autosave. How safe is that word document? Not safe at all! Much like unsaved word documents, running without backups is very risky! My own mantra/policy is, You are only as recent as your last backup.

How often should you backup your data? Assuming the worst case scenario, the real question is "How much data can you afford to lose?". This varies by person and organization. Can you afford to lose a minutes worth of work? an hours worth of work? A days worth of work? A week? A months worth of work? A years worth of work? When you start incrementally looking at the increasing costs of unrecoverable data loss, you get a pretty good idea on what your backup schedule should look like and what the backup process should be. Usually, the less data loss you can afford, the more expensive your disaster recovery solution is going to get.

Usually for indie and small teams, you want to ideally be doing daily backups and at a minimum weekly backups. Just buy a 2-4 Tb hard drive -- they're relatively cheap compared to the cost of data loss. Backup your data, then *disconnect* the hard drive. If you can, get two hard drives and put monthly backups on the second hard drive and keep it off site somewhere (or use a cloud service provider). Periodically, you will want to verify the integrity of your backups -- I've read disaster stories where a large company had an automated backup process in place where data was backed up to tape drives and the printer would print out a report page afterwards. This automated backup process happened for years. Nobody bothered to check the backups. Then a few years later, disaster strikes! Everything is gone. Fortunately, they had been doing backups, right? Well, no. The automated backup system had been printing out a page every single day which said that the backup had failed, and since nobody had bothered to check, there was no backup to restore. The company couldn't recover and they went out of business.

Check.
your.
backups.

If anyone else is reading this, now would be a good time to pause and review your backup policy and disaster mitigation processes. It just takes a few minutes. A handful of game companies have gone under because of no backups. Don't let it be you too!