From: Christian Franke
To: cygwin@cygwin.com
Subject: Re: Cygwin setup reporter as malware
Date: Fri, 9 Dec 2022 19:49:13 +0100
Message-ID: <7b5543d1-7fe6-64c5-ad48-72ffff48cdd7@t-online.de>
In-Reply-To: <65ad5397-2de1-87e1-d747-bcb1b4fc6e70@harkless.org>
References: <14e7843a-5829-2c74-313b-13d08b37243e@harkless.org> <6e721522-7e4a-d0d9-f928-4bc6e1b34f3f@oskog97.com> <65ad5397-2de1-87e1-d747-bcb1b4fc6e70@harkless.org>

Dan Harkless via Cygwin wrote:
> On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
>> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>>> No.  It's normal and common for software like Cygwin, which has the
>>> power to be used maliciously (as opposed to, say, a Minesweeper game
>>> or something), to have false positives on VirusTotal for a handful
>>> of vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
>>> *would* flag Minesweeper...), and I'm pretty well educated in the
>>> anti-malware space, so if it were me, I'd just ignore those false
>>> positives and pay attention to the credible AV software results (and
>>> the Community Score).
>>
>> You may have thought you were joking, but...
>>
>> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>>
>> This is not just *a* minesweeper game, it is *the* minesweeper game
>> from Windows XP.
>
> LOL!  You're right, I'd never heard about that, and was just using
> Minesweeper as an obviously safe example program.  And whaddaya know,
> it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson
> is to always ignore SecureAge and Trapmine results on VirusTotal, and
> the OP should suggest VirusTotal drop those two from their AV software
> suite.
>
> Thanks for the amusing link, Oskar.

Amusing, indeed.

This was less amusing: after I released this file on Dec 30, 2018, it
scored 7/67 and then 13/70 a few hours later, including well-known AV
vendors:

https://www.virustotal.com/gui/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe

After FP reports to several vendors, it slowly dropped down to 1-2
detections until March 2019.

Experience since then suggests that some noise of ~2 detections from
not well-known AV is normal.
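The rule of thumb discussed in this thread (treat a couple of hits from obscure engines as background noise, pay attention to credible vendors, and watch how the count moves after filing false-positive reports) can be turned into a small offline triage script. The following is an added example and is not code from this thread, from the Cygwin project or from VirusTotal; it assumes the layout of a VirusTotal API v3 file object (data.attributes.last_analysis_results keyed by engine name, each entry carrying a "category"), the noisy-engine list is an assumption to be tuned from your own FP history, and both sample reports are constructed rather than copied from any real scan.

```python
"""Offline triage of a VirusTotal file report.

Added example; not code from the Cygwin thread or the Cygwin project.
Assumes the layout of a VirusTotal API v3 file object
(GET /api/v3/files/{sha256}): data.attributes.last_analysis_results maps
each engine name to a dict whose "category" is one of "malicious",
"suspicious", "undetected", "harmless", "timeout", "type-unsupported"
or "failure".  The sample reports below are constructed for this
example and do not reproduce any real scan.
"""
import hashlib

# Engines treated as low-confidence noise.  This set is an assumption for
# the example; build your own from a history of confirmed false positives.
NOISY_ENGINES = frozenset({"SecureAge", "Trapmine"})

# Background level of stray detections on a clean, low-prevalence native
# binary; the thread reports about two as normal.
NOISE_BASELINE = 2

FLAGGING = {"malicious", "suspicious"}
NOT_SCANNED = {"timeout", "type-unsupported", "failure"}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents: the identifier used in VT file URLs."""
    return hashlib.sha256(data).hexdigest()


def make_report(categories: dict) -> dict:
    """Wrap an engine -> category mapping in the v3 file-object shape."""
    results = {
        engine: {"engine_name": engine, "category": cat,
                 "result": "Generic.Heuristic" if cat in FLAGGING else None}
        for engine, cat in categories.items()
    }
    return {"data": {"attributes": {"last_analysis_results": results}}}


def flagging_engines(report: dict) -> set:
    """Names of all engines that report the file as malicious/suspicious."""
    results = report["data"]["attributes"]["last_analysis_results"]
    return {e for e, r in results.items() if r.get("category") in FLAGGING}


def summarize(report: dict) -> dict:
    """Split detections into credible hits and noise, with a VT-style x/y ratio."""
    results = report["data"]["attributes"]["last_analysis_results"]
    scanned = [e for e, r in results.items() if r.get("category") not in NOT_SCANNED]
    flagged = flagging_engines(report)
    return {
        "ratio": f"{len(flagged)}/{len(scanned)}",
        "credible_hits": sorted(flagged - NOISY_ENGINES),
        "noisy_hits": sorted(flagged & NOISY_ENGINES),
    }


def verdict(summary: dict) -> str:
    """Apply the thread's rule of thumb to a summary."""
    n = len(summary["credible_hits"])
    if n == 0:
        return "clean: only low-confidence engines flag it"
    if n <= NOISE_BASELINE:
        return "probable false positive: send FP reports to the flagging vendors"
    return "investigate: several credible engines flag it"


def diff_reports(before: dict, after: dict) -> dict:
    """Which engines newly flag the file and which have cleared it, e.g.
    when re-checking a release after filing false-positive reports."""
    b, a = flagging_engines(before), flagging_engines(after)
    return {"new": sorted(a - b), "cleared": sorted(b - a)}


# Constructed sample: a fresh release shortly after upload ...
REPORT_DAY0 = make_report({
    "EngineA": "malicious", "EngineB": "malicious", "EngineC": "undetected",
    "SecureAge": "malicious", "Trapmine": "suspicious",
    "EngineD": "type-unsupported", "EngineE": "undetected",
})
# ... and the same file some weeks later, after FP reports were filed.
REPORT_LATER = make_report({
    "EngineA": "undetected", "EngineB": "undetected", "EngineC": "undetected",
    "SecureAge": "malicious", "Trapmine": "undetected",
    "EngineD": "type-unsupported", "EngineE": "undetected",
})

if __name__ == "__main__":
    for label, rep in (("day 0", REPORT_DAY0), ("later", REPORT_LATER)):
        s = summarize(rep)
        print(label, s["ratio"], s["credible_hits"], s["noisy_hits"], verdict(s))
    print(diff_reports(REPORT_DAY0, REPORT_LATER))
    print(sha256_hex(b"constructed sample bytes"))
```

The ratio string mirrors the "13/70" style of count quoted in the thread, counting only engines that actually scanned the file; diff_reports is what you would run against two saved reports of the same hash to see which vendors cleared it after an FP submission and which ones are new.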