Avast may detect install.sh as infected by malware "BV:Downloader-Apk [Drp]". It's not.
#715
jasoncavinder
started this conversation in General
Replies: 0 comments
TLDR: It's not malware. If you got here via Google, it's safe to "Create Exception".
While installing via cargo install zoxide --locked, Avast interrupted the install with an alert that read, "install.sh is infected with malware: BV:Downloader-Apk [Drp]". The file in question was: ~/.cargo/registry/src/index.crates.io-6f17d22bba15001f/zoxide-0.9.3/install.sh

I read the local script file that triggered the Avast File Shield alert and it 100% matches install.sh from this repo, so I'm 100% confident the script was not tampered with and that it is free from any malware, meaning that this is a false positive detection by Avast based on the combination of curl, wget, tar, unzip, and local code/binary executions appearing similar in behavior to malicious scripts.
I'm posting this here to assuage any worries of anyone who might encounter this (or similar) alerts from antivirus software, and to assure them that it's safe to create an exception with their AV to allow the install (at least as of my review today of version 0.9.3).
However, I do have some thoughts regarding how to minimize AV false positives, and thus avoid distrust by new users, if desired:

1. Add an "echo" line after "local _releases" to print information about the download before it happens. This may 'reassure' any antivirus software that the download is safe since it's being announced to the user with detailed information and from a trusted source before executing the download.
2. Modify release.yml to include checksum generation and include a checksum.txt for each release. Modify install.sh to also download checksum.txt and verify. Inclusion of security checks like this in the install script may lower the potential for false positives by antivirus heuristics.
3. Modify install.sh to also download the appropriate .asc and verify the signature (or fall back to basic checksum verification if the user's system isn't configured for verifying GPG). Additional security steps like this should further lessen the likelihood of AV false positives.

I did not create an issue for this, since it's possible that this issue is adequately addressed by my false positive report to Avast and by this discussion post getting indexed into Google/Bing/etc. In that case, I don't want to bother the maintainer(s) with a non-issue. However, if further discussion indicates that this should be addressed, then I'd be willing to open an issue, implement any suggestions, and create a PR. Cheers.