github-starred/frp
2
0
Fork 0
mirror of https://github.com/fatedier/frp.git synced 2026-05-15 08:05:49 -06:00
Code Issues 40 Projects Packages Wiki Activity Actions 1

[GH-ISSUE #3637] [Feature Request] Add FRP antivirus note to documentation/README, maybe make FRP more visible on windows. #2903

New issue
Closed
opened 2026-05-05 13:52:30 -06:00 by gitea-mirror · 8 comments
gitea-mirror commented 2026-05-05 13:52:30 -06:00
Owner
Copy link

Originally created by @ZeroVocabulary on GitHub (Oct 1, 2023).
Original GitHub issue: https://github.com/fatedier/frp/issues/3637

Describe the feature request

FRP is a reverse proxy, which has good uses, but is also useful for getting past firewalls and security.

There are reports of malware using FRP to communicate so that they are not as easily identified:

On a VirusTotal scan, you can see from the naming that some antiviruses are simply detecting it because of the utility for malware even though the antivirus vendors know it is not malware.

  • ESET-NOD32: A Variant Of WinGo/Riskware.Frp.C
  • Kaspersky: Not-a-virus:VHO:NetTool.Win64.Convagent.gen
  • Sophos: Mal/Generic-S + Fast Reverse Proxy (PUA)
  • Symantec: FastReverseProxy
  • Zillya: Tool.Frp.Win64.41
  • ZoneAlarm by Check Point: Not-a-virus:VHO:NetTool.Win64.Convagent.gen

etc.

Because of this, I doubt that it will stop being detected, and the likely best outcome is FRP still getting detected but marked as Not-a-virus, HackTool, Riskware, etc. so that users are not scared.

The documentation/readme should mention this in order to avoid confusion, particularly for windows users.

Maybe visibility on windows could also be increased, but it might make it uglier/be a distraction. For example, an icon could appear in the system tray or taskbar when FRPC is running, which would make malware authors more likely to avoid using it.

Describe alternatives you've considered

No response

Affected area

  • Docs
  • Installation
  • Performance and Scalability
  • Security
  • User Experience
  • Test and Release
  • Developer Infrastructure
  • Client Plugin
  • Server Plugin
  • Extensions
  • Others
Originally created by @ZeroVocabulary on GitHub (Oct 1, 2023). Original GitHub issue: https://github.com/fatedier/frp/issues/3637 ### Describe the feature request FRP is a reverse proxy, which has good uses, but is also useful for getting past firewalls and security. There are reports of malware using FRP to communicate so that they are not as easily identified: - [Attackers Using FRP (Fast Reverse Proxy) to Attack Korean Companies](https://asec.ahnlab.com/en/38156/) - [Fast Reverse Proxy Backdoor Analysis Report (IRIS-13302)](https://exchange.xforce.ibmcloud.com/malware-analysis/guid:b497d8b143527c504e4b00f232bfde7d) On a [VirusTotal scan](https://www.virustotal.com/gui/file/cb8eeea742b5ab61a1f4cd4394d9ee894766177c4fa4d429f8802a153421b83b/detection), you can see from the naming that some antiviruses are simply detecting it because of the utility for malware even though the antivirus vendors know it is not malware. - ESET-NOD32: A Variant Of WinGo/Riskware.Frp.C - Kaspersky: Not-a-virus:VHO:NetTool.Win64.Convagent.gen - Sophos: Mal/Generic-S + Fast Reverse Proxy (PUA) - Symantec: FastReverseProxy - Zillya: Tool.Frp.Win64.41 - ZoneAlarm by Check Point: Not-a-virus:VHO:NetTool.Win64.Convagent.gen etc. Because of this, I doubt that it will stop being detected, and the likely best outcome is FRP still getting detected but marked as Not-a-virus, HackTool, Riskware, etc. so that users are not scared. The documentation/readme should mention this in order to avoid confusion, particularly for windows users. Maybe visibility on windows could also be increased, but it might make it uglier/be a distraction. For example, an icon could appear in the system tray or taskbar when FRPC is running, which would make malware authors more likely to avoid using it. ### Describe alternatives you've considered _No response_ ### Affected area - [X] Docs - [X] Installation - [ ] Performance and Scalability - [ ] Security - [X] User Experience - [ ] Test and Release - [ ] Developer Infrastructure - [X] Client Plugin - [ ] Server Plugin - [ ] Extensions - [ ] Others
gitea-mirror 2026-05-05 13:52:30 -06:00
  • closed this issue
  • added the
    todo
         label
gitea-mirror commented 2026-05-05 13:52:33 -06:00
Author
Owner
Copy link

@fatedier commented on GitHub (Oct 9, 2023):

Can you commit a PR to update the README?

<!-- gh-comment-id:1752264201 --> @fatedier commented on GitHub (Oct 9, 2023): Can you commit a PR to update the README?
gitea-mirror commented 2026-05-05 13:52:34 -06:00
Author
Owner
Copy link

@nirui commented on GitHub (Oct 9, 2023):

Hi, @fatedier, can you give the reports a closer look?

Apparently some features offered by FRP also made it a good tool for by hackers to facilitate actual attacks.

While changing the README is necessary to make users aware of the anti-virus situation before download/deploy, fundamentally something has to be changed in order to make this software less useful for attackers.

Showing an icon in the Windows system tray could be useful, but I'm afraid not to the degree that we might have hoped, since the analysis hosted on IBM X-Force Exchange suggested that the attacker might deploy their own fork of FRP with it's source code modified to help with their attacks. This in turn suggests that the attacker might also just remove whatever stinker code you put into FRP.

Maybe you can ship two versions? One open sourced one with limited forwarding capabilities (can only proxy specific protocols such as HTTP/HTTPS/FTP etc), and a close-sourced one with capability of relaying arbitrary TCP/UDP connections under numbers of hard restrictions (for example, hardcoded destination/port allowlist/blocklist).

Maybe you can also sell the close-sourced one for a profit too, which might help improve the personal situation that you've mentioned in the README file.

<!-- gh-comment-id:1752345141 --> @nirui commented on GitHub (Oct 9, 2023): Hi, @fatedier, can you give the reports a closer look? Apparently some features offered by FRP also made it a good tool for by hackers to facilitate actual attacks. While changing the README is necessary to make users aware of the anti-virus situation before download/deploy, fundamentally something has to be changed in order to make this software less useful for attackers. Showing an icon in the Windows system tray could be useful, but I'm afraid not to the degree that we might have hoped, since the analysis hosted on IBM X-Force Exchange suggested that the attacker might deploy their own fork of FRP with it's source code modified to help with their attacks. This in turn suggests that the attacker might also just remove whatever stinker code you put into FRP. Maybe you can ship two versions? One open sourced one with limited forwarding capabilities (can only proxy specific protocols such as HTTP/HTTPS/FTP etc), and a close-sourced one with capability of relaying arbitrary TCP/UDP connections under numbers of hard restrictions (for example, hardcoded destination/port allowlist/blocklist). Maybe you can also sell the close-sourced one for a profit too, which might help improve the personal situation that you've mentioned in the README file.
gitea-mirror commented 2026-05-05 13:52:35 -06:00
Author
Owner
Copy link

@ZeroVocabulary commented on GitHub (Oct 9, 2023):

The reason for detections is that reverse proxies are used to bypass firewalls/port restrictions (whether that be for legitimate or malicious reasons). Reverse proxies are the core feature of frp, so I don't think it is possible/realistic to reduce the usefulness to malware by removing features. I don't think the protocols matter; malware can easily switch and its a huge restriction for users.

With regards to forking/modifications, forcing malware authors to modify the program allows antivirus to flag the modification rather than the whole program. Beyond that, code signing/certification could be used to stop the files from being modified.

I'm not sure it is worth trying too hard to remove detection/appease AV via modifications, as AV vendors probably will not care. If I were managing a company's computers/network, I would prefer that these tools be flagged and require approval from admin/IT for use, which is probably the mindset the AV vendors have here. The fact that some AVs already mark it as not-a-virus shows that they know it is not malware but still wish to restrict it anyway due to its capabilities.

For the English readme update, I added a small addition to the examples (installation) section informing users about the problem. I linked this issue if people want further information.

I guess the issue can remain open after the readme change if the maintainers think more discussions/improvements can be done. Two improvements I like are:

  1. Visibility improvements as mentioned earlier (taskbar icon), and code signing. Unfortunately, I am unfamiliar with code signing, Go, and Windows Api's, but I believe this can be used to add an icon: Shell_NotifyIconA. There is some information about code signing/certificates on this page.
  2. Communicating with antivirus companies and asking them to either stop flagging frp or to flag frp with a less dangerous-sounding message i.e.. not-a-virus, NetTool, HackTool, Riskware etc. This page has a list of vendors and ways to contact them

I might try to do # 2 (will make a new issue if I do).

<!-- gh-comment-id:1752439857 --> @ZeroVocabulary commented on GitHub (Oct 9, 2023): The reason for detections is that reverse proxies are used to bypass firewalls/port restrictions (whether that be for legitimate or malicious reasons). Reverse proxies are the core feature of frp, so I don't think it is possible/realistic to reduce the usefulness to malware by removing features. I don't think the protocols matter; malware can easily switch and its a huge restriction for users. With regards to forking/modifications, forcing malware authors to modify the program allows antivirus to flag the modification rather than the whole program. Beyond that, code signing/certification could be used to stop the files from being modified. I'm not sure it is worth trying too hard to remove detection/appease AV via modifications, as AV vendors probably will not care. If I were managing a company's computers/network, I would prefer that these tools be flagged and require approval from admin/IT for use, which is probably the mindset the AV vendors have here. The fact that some AVs already mark it as not-a-virus shows that they know it is not malware but still wish to restrict it anyway due to its capabilities. For the English readme update, I added a small addition to the examples (installation) section informing users about the problem. I linked this issue if people want further information. I guess the issue can remain open after the readme change if the maintainers think more discussions/improvements can be done. Two improvements I like are: 1. Visibility improvements as mentioned earlier (taskbar icon), and code signing. Unfortunately, I am unfamiliar with code signing, Go, and Windows Api's, but I believe this can be used to add an icon: [Shell_NotifyIconA](https://learn.microsoft.com/en-us/windows/win32/api/shellapi/nf-shellapi-shell_notifyicona). There is some information about code signing/certificates on this [page](https://github.com/hankhank10/false-positive-malware-reporting#another-good-idea-get-a-digital-certificate). 2. Communicating with antivirus companies and asking them to either stop flagging frp or to flag frp with a less dangerous-sounding message i.e.. not-a-virus, NetTool, HackTool, Riskware etc. [This page has a list of vendors and ways to contact them](https://github.com/yaronelh/False-Positive-Center) I might try to do # 2 (will make a new issue if I do).
gitea-mirror commented 2026-05-05 13:52:35 -06:00
Author
Owner
Copy link

@nirui commented on GitHub (Oct 9, 2023):

The reason for detections is that reverse proxies are used to bypass firewalls/port restrictions (whether that be for legitimate or malicious reasons).

I understand the thinking, but I couldn't agree with the conclusion, since there are other reverse proxies out there, and antivirus software is giving them a complete different treatment.

For example, cloudflared can too facilitate reverse proxying while not been marked as any risk according to this VirusTotal report, the same is true for Inlets Pro and ngrok.exe too.

All of those are reverse proxies, Inlets Pro even allows you to self-host, just like FRP. So what is the different that made FRP (and NPS actually) a target? Or, to put it into other words, why hackers used FRP, not Inlets or cloudflared or ngrok or even just good old socat?

<!-- gh-comment-id:1752487816 --> @nirui commented on GitHub (Oct 9, 2023): > The reason for detections is that reverse proxies are used to bypass firewalls/port restrictions (whether that be for legitimate or malicious reasons). I understand the thinking, but I couldn't agree with the conclusion, since there are other reverse proxies out there, and antivirus software is giving them a complete different treatment. For example, `cloudflared` can too facilitate reverse proxying while not been marked as any risk according to [this VirusTotal report], the same is true for [`Inlets Pro`] and [`ngrok.exe`] too. [this VirusTotal report]: https://www.virustotal.com/gui/url/094d93a40e25521711ae54833d21fe501b8ee10c76a10c126e13e9c61d0f64f6 [`Inlets Pro`]: https://www.virustotal.com/gui/url/221bbce39a00310e2f178ba57366f2de2e6a65d414c2104ca76c1945702be2bf [`ngrok.exe`]: https://www.virustotal.com/gui/file/a1a26778656c5215ab1d939ebd9088827f69923ecf53a503b04bb504fdb97752 All of those are reverse proxies, Inlets Pro even allows you to self-host, just like FRP. So what is the different that made FRP (and NPS actually) a target? Or, to put it into other words, why hackers used FRP, not Inlets or `cloudflared` or `ngrok` or even just good old `socat`?
gitea-mirror commented 2026-05-05 13:52:36 -06:00
Author
Owner
Copy link

@Wyk72 commented on GitHub (Oct 21, 2023):

Or, to put it into other words, why hackers used FRP, not Inlets or cloudflared or ngrok or even just good old socat?

Well, because frp is smaller, faster and easier to deploy. And it's basically freeware, ngrok is commercial and they will file lawsuits if they mark it as malicious, because it will END the company in one day. It's all about corporate mentality.

Anyway this AV issue will never go away.

The only solution/workaround I found for this is by using a (rather convolute) WSL2 approach i.e. run frpc/frps into this Linux layer they built into Windows.

100% legit.

P.S.

Anti-viruses and "security softwares" are the NEW SOFTWARE MAFIA/MOB.

<!-- gh-comment-id:1773713854 --> @Wyk72 commented on GitHub (Oct 21, 2023): _Or, to put it into other words, why hackers used FRP, not Inlets or cloudflared or ngrok or even just good old socat?_ Well, because frp is smaller, faster and easier to deploy. And it's basically freeware, ngrok is commercial and they will file lawsuits if they mark it as malicious, because it will END the company in one day. It's all about corporate mentality. Anyway this AV issue will never go away. The only solution/workaround I found for this is by using a (rather convolute) WSL2 approach i.e. run frpc/frps into this Linux layer they built into Windows. 100% legit. P.S. Anti-viruses and "security softwares" are the NEW SOFTWARE MAFIA/MOB.
gitea-mirror commented 2026-05-05 13:52:37 -06:00
Author
Owner
Copy link

@Andrewlilei commented on GitHub (Jan 17, 2024):

@Wyk72 , I tried to run frpc in WSL2 using latest 0.53.2_linux_amd64, but when I run frpc, it tells me :
-bash: ./frpc: cannot execute binary file: Exec format error.
Do you encountered this and how to solve it? Thanks

<!-- gh-comment-id:1895652629 --> @Andrewlilei commented on GitHub (Jan 17, 2024): @Wyk72 , I tried to run frpc in WSL2 using latest 0.53.2_linux_amd64, but when I run frpc, it tells me : -bash: ./frpc: cannot execute binary file: Exec format error. Do you encountered this and how to solve it? Thanks
gitea-mirror commented 2026-05-05 13:52:37 -06:00
Author
Owner
Copy link

@Misiu commented on GitHub (Oct 10, 2025):

Is there a way to make FRPC not detectable by antivirus?
I can recompile FRPC and sign the exe file (I need it for Windows) with EV Code Signing, but I'm not sure if this will help, especially since the cert is expensive.

<!-- gh-comment-id:3388583624 --> @Misiu commented on GitHub (Oct 10, 2025): Is there a way to make FRPC not detectable by antivirus? I can recompile FRPC and sign the exe file (I need it for Windows) with EV Code Signing, but I'm not sure if this will help, especially since the cert is expensive.
gitea-mirror commented 2026-05-05 13:52:39 -06:00
Author
Owner
Copy link

@nirui commented on GitHub (Oct 10, 2025):

Anyway this AV issue will never go away.

The only solution/workaround I found for this is by using a (rather convolute) WSL2 approach i.e. run frpc/frps into this Linux layer they built into Windows.

I stopped replying after @fatedier closed this issue as completed. The problem about WSL approach is that, some anti-virius software is also targeting FRP's Linux binaries.

But... it looked like people are still finding this problem interesting, so I got one idea.

Since the hackers often used modified versions of FRP, maybe this problem can be resolved by:

  1. Making it so FRP binaries can only be deployed by admin, and can only be run by admin or admin-delegated users.

    This can be done through restricting the location of the FRP binaries, and enforcing an user group check run before serving. For example, refuse to run unless the application is deployed under /user/bin/frp and the user trying to run it belongs to the frp user group.

    Normally hackers can't neither write files to /user/bin/ or creating user group, so even if they got the shell, they still can't run officially distributed FRP.

    If hacker got the root privilege to deploy FRP correctly on the server, then it's an admin/user negligent, not a fault on the FRP side at all.

  2. After Point 1 is achieved, code-signing all officially disturbed FRP binaries with a publicly valid certificate. This ensures that the binary cannot be tampered by hackers, and thus the protections put in place in Point 1 cannot be bypassed.

    Doing this might be expensive, but under the circumstance maybe wroth a try.

Doing so demonstrates FRP's willingness to prevent malicious usages, and also allow anti-virus software to better target actual bad-acting FRP binaries.

This should already clear FRP's name, if not, it could also gave FRP some leverage if a law sue is warranted.

All and all, justice is not a given, when injustice falls upon you, don't just sit there and cry, pick up everything you can and fight.

<!-- gh-comment-id:3389134045 --> @nirui commented on GitHub (Oct 10, 2025): > Anyway this AV issue will never go away. > > The only solution/workaround I found for this is by using a (rather convolute) WSL2 approach i.e. run frpc/frps into this Linux layer they built into Windows. I stopped replying after @fatedier closed this issue as completed. The problem about WSL approach is that, some anti-virius software is also targeting FRP's Linux binaries. But... it looked like people are still finding this problem interesting, so I got one idea. Since the hackers often used modified versions of FRP, maybe this problem can be resolved by: 1. **Making it so FRP binaries can only be deployed by admin, and can only be run by admin or admin-delegated users.** This can be done through restricting the location of the FRP binaries, and enforcing an user group check run before serving. For example, refuse to run unless the application is deployed under `/user/bin/frp` and the user trying to run it belongs to the `frp` user group. Normally hackers can't neither write files to `/user/bin/` or creating user group, so even if they got the shell, they still can't run *officially distributed* FRP. If hacker got the root privilege to deploy FRP correctly on the server, then it's an admin/user negligent, not a fault on the FRP side at all. 2. After Point 1 is achieved, **code-signing all officially disturbed FRP binaries with a publicly valid certificate.** This ensures that the binary cannot be tampered by hackers, and thus the protections put in place in Point 1 cannot be bypassed. Doing this might be expensive, but under the circumstance maybe wroth a try. Doing so demonstrates FRP's willingness to prevent malicious usages, and also allow anti-virus software to better target actual bad-acting FRP binaries. This should already clear FRP's name, if not, it could also gave FRP some leverage if a law sue is warranted. All and all, justice is not a given, when injustice falls upon you, don't just sit there and cry, pick up everything you can and fight.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
new
master
copilot/review-pull-request-5198
v0.68.1
v0.68.0
v0.67.0
v0.66.0
v0.65.0
v0.64.0
v0.63.0
v0.62.1
v0.62.0
v0.61.2
v0.61.1
v0.61.0
v0.60.0
v0.59.0
v0.58.1
v0.58.0
v0.57.0
v0.56.0
v0.55.1
v0.55.0
v0.54.0
v0.53.2
v0.53.1
v0.53.0
v0.52.3
v0.52.2
v0.52.1
v0.52.0
v0.51.3
v0.51.2
v0.51.1
v0.51.0
v0.50.0
v0.49.0
v0.48.0
v0.47.0
v0.46.1
v0.46.0
v0.45.0
v0.44.0
v0.43.0
v0.42.0
v0.41.0
v0.40.0
v0.39.1
v0.39.0
v0.38.0
v0.37.1
v0.37.0
v0.36.2
v0.36.1
v0.36.0
v0.35.1
v0.35.0
v0.34.3
v0.34.2
v0.34.1
v0.34.0
v0.33.0
v0.32.1
v0.32.0
v0.31.2
v0.31.1
v0.31.0
v0.30.0
v0.29.1
v0.29.0
v0.28.2
v0.28.1
v0.28.0
v0.27.1
v0.27.0
v0.26.0
v0.25.3
v0.25.2
v0.25.1
v0.25.0
v0.24.1
v0.24.0
v0.23.3
v0.23.2
v0.23.1
v0.23.0
v0.22.0
v0.21.0
v0.20.0
v0.19.1
v0.19.0
v0.18.0
v0.17.0
v0.16.1
v0.16.0
v0.15.1
v0.15.0
v0.14.1
v0.14.0
v0.13.0
v0.12.0
v0.11.0
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.0
v0.6.0
v0.5.0
v0.3.0
v0.2.0
v0.1.0
Labels
Clear labels   
In Progress

   
WIP

   
WaitingForInfo

   
bug

   
doc

   
duplicate

   
easy

   
enhancement

   
future

   
help wanted

   
invalid

   
lifecycle/stale

   
need-issue-template

   
need-usage-help

   
no plan

   
proposal

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
todo
No labels
In Progress
WIP
WaitingForInfo
bug
doc
duplicate
easy
enhancement
future
help wanted
invalid
lifecycle/stale
need-issue-template
need-usage-help
no plan
proposal
pull-request
question
todo
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/frp#2903
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?