* Cygwin setup reporter as malware
From: Sylwester Rutkowski @ 2022-12-07 16:20 UTC
To: cygwin

Hi,

The setup-x86_64.exe is reported as malicious at
https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection

Can this be resolved somehow?

Thanks,
Sylwester

* Re: Cygwin setup reporter as malware
From: Dan Harkless @ 2022-12-07 21:54 UTC
To: cygwin

On 12/7/2022 8:20 AM, Sylwester Rutkowski via Cygwin wrote:
> Hi,
>
> The setup-x86_64.exe is reported as malicious at
> https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection
>
> Can this be resolved somehow?

No.  It's normal and common for software like Cygwin, which has the
power to be used maliciously (as opposed to, say, a Minesweeper game or
something), to have false positives on VirusTotal for a handful of
vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
*would* flag Minesweeper...), and I'm pretty well educated in the
anti-malware space, so if it were me, I'd just ignore those false
positives and pay attention to the credible AV software results (and the
Community Score).

If you have some corporate policy requiring things to have 0 detections
on VirusTotal or something, your only recourse is to contact the
SecureAge and Trapmine vendors and convince them somehow to fix their
false positives.

--
Dan Harkless
http://harkless.org/dan/

* Re: Cygwin setup reporter as malware
From: Oskar Skog @ 2022-12-09 11:39 UTC
To: cygwin

On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
> No.  It's normal and common for software like Cygwin, which has the
> power to be used maliciously (as opposed to, say, a Minesweeper game or
> something), to have false positives on VirusTotal for a handful of
> vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
> *would* flag Minesweeper...), and I'm pretty well educated in the
> anti-malware space, so if it were me, I'd just ignore those false
> positives and pay attention to the credible AV software results (and the
> Community Score).

You may have thought you were joking, but...

https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41

This is not just *a* minesweeper game, it is *the* minesweeper game
from Windows XP.

* Re: Cygwin setup reporter as malware
From: Dan Harkless @ 2022-12-09 17:51 UTC
To: cygwin

On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>
> > No.  It's normal and common for software like Cygwin, which has the
> > power to be used maliciously (as opposed to, say, a Minesweeper game or
> > something), to have false positives on VirusTotal for a handful of
> > vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
> > *would* flag Minesweeper...), and I'm pretty well educated in the
> > anti-malware space, so if it were me, I'd just ignore those false
> > positives and pay attention to the credible AV software results (and the
> > Community Score).
>
> You may have thought you were joking, but...
>
> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>
> This is not just *a* minesweeper game, it is *the* minesweeper game
> from Windows XP.

LOL!  You're right, I'd never heard about that, and was just using
Minesweeper as an obviously safe example program.  And whaddaya know,
it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson is
to always ignore SecureAge and Trapmine results on VirusTotal, and the
OP should suggest VirusTotal drop those two from their AV software
suite.

Thanks for the amusing link, Oskar.

--
Dan Harkless
http://harkless.org/dan/

* Re: Cygwin setup reporter as malware
From: Christian Franke @ 2022-12-09 18:49 UTC
To: cygwin

Dan Harkless via Cygwin wrote:
> On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
>> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>>
>> > No.  It's normal and common for software like Cygwin, which has the
>> > power to be used maliciously (as opposed to, say, a Minesweeper game or
>> > something), to have false positives on VirusTotal for a handful of
>> > vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
>> > *would* flag Minesweeper...), and I'm pretty well educated in the
>> > anti-malware space, so if it were me, I'd just ignore those false
>> > positives and pay attention to the credible AV software results (and the
>> > Community Score).
>>
>> You may have thought you were joking, but...
>>
>> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>>
>> This is not just *a* minesweeper game, it is *the* minesweeper game
>> from Windows XP.
>
> LOL!  You're right, I'd never heard about that, and was just using
> Minesweeper as an obviously safe example program.  And whaddaya know,
> it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson
> is to always ignore SecureAge and Trapmine results on VirusTotal, and
> the OP should suggest VirusTotal drop those two from their AV software
> suite.
>
> Thanks for the amusing link, Oskar.

Amusing, indeed.

This was less amusing: After I released this file Dec 30, 2018, it
scored 7/67 and then 13/70 a few hours later, including well-known AV
vendors:

https://www.virustotal.com/gui/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe

After FP reports to several vendors, it slowly dropped down to 1-2
detections until March 2019.

Experience since then suggests that some noise of ~2 detections from not
well-known AV is normal.

* Re: Cygwin setup reporter as malware
From: Bill Stewart @ 2022-12-08 0:46 UTC
To: cygwin

On Wed, Dec 7, 2022 at 9:21 AM Sylwester Rutkowski wrote:
> The setup-x86_64.exe is reported as malicious at
> https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection
>
> Can this be resolved somehow?

This is, of course, a false positive. There are basically two things you
can do:

1. Exempt it from your scanner.
2. Report it to the vendor as a false positive.