public inbox for cygwin@cygwin.com
From: Christian Franke <Christian.Franke@t-online.de>
To: cygwin@cygwin.com
Subject: Re: Cygwin setup reporter as malware
Date: Fri, 9 Dec 2022 19:49:13 +0100	[thread overview]
Message-ID: <7b5543d1-7fe6-64c5-ad48-72ffff48cdd7@t-online.de> (raw)
In-Reply-To: <65ad5397-2de1-87e1-d747-bcb1b4fc6e70@harkless.org>

Dan Harkless via Cygwin wrote:
> On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
>> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>>
>> > No.  It's normal and common for software like Cygwin, which has the
>> > power to be used maliciously (as opposed to, say, a Minesweeper
>> > game or something), to have false positives on VirusTotal for a
>> > handful of vendors.  I've never heard of SecureAge or Trapmine
>> > (hmm, maybe it *would* flag Minesweeper...), and I'm pretty well
>> > educated in the anti-malware space, so if it were me, I'd just
>> > ignore those false positives and pay attention to the credible AV
>> > software results (and the Community Score).
>>
>> You may have thought you were joking, but...
>>
>> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>>
>> This is not just *a* minesweeper game, it is *the* minesweeper game
>> from Windows XP.
>
> LOL!  You're right, I'd never heard about that, and was just using 
> Minesweeper as an obviously safe example program.  And whaddaya know, 
> it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson 
> is to always ignore SecureAge and Trapmine results on VirusTotal, and 
> the OP should suggest VirusTotal drop those two from their AV software 
> suite.
>
> Thanks for the amusing link, Oskar.

Amusing, indeed.

This was less amusing: After I released this file Dec 30, 2018, it 
scored 7/67 and then 13/70 a few hours later, including well-known AV 
vendors:
https://www.virustotal.com/gui/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe
After FP reports to several vendors, it slowly dropped down to 1-2 
detections until March 2019.

Experience since then suggests that some noise of ~2 detections from not 
well-known AV is normal.
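As an added example (not part of this thread or of Cygwin), a small triage helper that reads a VirusTotal v3-style `last_analysis_results` map and reports both the headline ratio (the "13/70" kind of number) and the count that remains after discounting a configurable set of vendors, applying the "about two residual detections is noise" rule of thumb from the message above; the sample report, the vendor list and the threshold are constructed assumptions for illustration.

```python
"""Triage a VirusTotal-style scan report: show the raw detection ratio
and the count left after setting aside vendors whose verdicts you have
chosen to discount. The report below is constructed sample data."""

# Vendors whose verdicts are discounted (assumption for this example; the
# thread names SecureAge and Trapmine as frequent false positives).
DISCOUNTED_VENDORS = {"SecureAge", "Trapmine"}

# Number of residual detections treated as normal noise (from the thread).
NOISE_THRESHOLD = 2

# Categories that mean the engine produced no verdict at all.
NO_VERDICT = {"type-unsupported", "timeout", "failure"}

SAMPLE_REPORT = {  # constructed; shaped like a v3 last_analysis_results map
    "Microsoft": {"category": "undetected"},
    "Kaspersky": {"category": "undetected"},
    "ESET-NOD32": {"category": "malicious", "result": "constructed.generic"},
    "SecureAge": {"category": "malicious", "result": "Malicious"},
    "Trapmine": {"category": "malicious", "result": "suspicious.ml.score"},
    "VendorX": {"category": "malicious", "result": "constructed.trojan"},
    "Symantec": {"category": "type-unsupported"},
}


def triage(results, discounted=DISCOUNTED_VENDORS, noise=NOISE_THRESHOLD):
    """Return (detections, engines_with_verdict, adjusted_detections, verdict)."""
    # Engines without a verdict do not count toward the denominator.
    scanned = {name: r for name, r in results.items()
               if r.get("category") not in NO_VERDICT}
    flagged = [n for n, r in scanned.items() if r.get("category") == "malicious"]
    adjusted = [n for n in flagged if n not in discounted]
    verdict = "noise" if len(adjusted) <= noise else "investigate"
    return len(flagged), len(scanned), len(adjusted), verdict


if __name__ == "__main__":
    hits, total, kept, verdict = triage(SAMPLE_REPORT)
    print(f"{hits}/{total} detections, {kept} after discounting -> {verdict}")
```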



Thread overview: 6+ messages
2022-12-07 16:20 Sylwester Rutkowski
2022-12-07 21:54 ` Dan Harkless
2022-12-09 11:39   ` Oskar Skog
2022-12-09 17:51     ` Dan Harkless
2022-12-09 18:49       ` Christian Franke [this message]
2022-12-08  0:46 ` Bill Stewart
