public inbox for cygwin@cygwin.com
* Cygwin setup reporter as malware
From: Sylwester Rutkowski @ 2022-12-07 16:20 UTC (permalink / raw)
  To: cygwin

Hi,

The setup-x86_64.exe is reported as malicious at https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection

Can this be resolved somehow?

Thanks,
Sylwester


* Re: Cygwin setup reporter as malware
From: Dan Harkless @ 2022-12-07 21:54 UTC (permalink / raw)
  To: cygwin

On 12/7/2022 8:20 AM, Sylwester Rutkowski via Cygwin wrote:
> Hi,
>
> The setup-x86_64.exe is reported as malicious at https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection
>
> Can this be resolved somehow?

No.  It's normal and common for software like Cygwin, which has the 
power to be used maliciously (as opposed to, say, a Minesweeper game or 
something), to have false positives on VirusTotal for a handful of 
vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it 
*would* flag Minesweeper...), and I'm pretty well educated in the 
anti-malware space, so if it were me, I'd just ignore those false 
positives and pay attention to the credible AV software results (and the 
Community Score).

If you have some corporate policy requiring things to have 0 detections 
on VirusTotal or something, your only recourse is to contact the 
SecureAge and Trapmine vendors and convince them somehow to fix their 
false positives.

--
Dan Harkless
http://harkless.org/dan/


* Re: Cygwin setup reporter as malware
From: Bill Stewart @ 2022-12-08  0:46 UTC (permalink / raw)
  To: cygwin

On Wed, Dec 7, 2022 at 9:21 AM Sylwester Rutkowski wrote:

> The setup-x86_64.exe is reported as malicious at
> https://www.virustotal.com/gui/file/edd0a64dc65087ffe453ca94b267169b39458a983b29ac31320fcaa983d0f97e/detection
>
> Can this be resolved somehow?


This is, of course, a false positive.

There are basically two things you can do:

1. Exempt it from your scanner.

2. Report it to the vendor as a false positive.

* Re: Cygwin setup reporter as malware
From: Oskar Skog @ 2022-12-09 11:39 UTC (permalink / raw)
  To: cygwin


On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:

> No.  It's normal and common for software like Cygwin, which has the 
> power to be used maliciously (as opposed to, say, a Minesweeper game or 
> something), to have false positives on VirusTotal for a handful of 
> vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it 
> *would* flag Minesweeper...), and I'm pretty well educated in the 
> anti-malware space, so if it were me, I'd just ignore those false 
> positives and pay attention to the credible AV software results (and the 
> Community Score).


You may have thought you were joking, but...

https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41

This is not just *a* minesweeper game, it is *the* minesweeper game
from Windows XP.


* Re: Cygwin setup reporter as malware
From: Dan Harkless @ 2022-12-09 17:51 UTC (permalink / raw)
  To: cygwin

On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>
> > No.  It's normal and common for software like Cygwin, which has the 
> > power to be used maliciously (as opposed to, say, a Minesweeper game or 
> > something), to have false positives on VirusTotal for a handful of 
> > vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it 
> > *would* flag Minesweeper...), and I'm pretty well educated in the 
> > anti-malware space, so if it were me, I'd just ignore those false 
> > positives and pay attention to the credible AV software results (and the 
> > Community Score).
>
> You may have thought you were joking, but...
>
> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>
> This is not just *a* minesweeper game, it is *the* minesweeper game
> from Windows XP.

LOL!  You're right, I'd never heard about that, and was just using 
Minesweeper as an obviously safe example program.  And whaddaya know, 
it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson is 
to always ignore SecureAge and Trapmine results on VirusTotal, and the 
OP should suggest VirusTotal drop those two from their AV software suite.

Thanks for the amusing link, Oskar.

--
Dan Harkless
http://harkless.org/dan/


* Re: Cygwin setup reporter as malware
From: Christian Franke @ 2022-12-09 18:49 UTC (permalink / raw)
  To: cygwin

Dan Harkless via Cygwin wrote:
> On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
>> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>>
>> > No.  It's normal and common for software like Cygwin, which has the
>> > power to be used maliciously (as opposed to, say, a Minesweeper game or
>> > something), to have false positives on VirusTotal for a handful of
>> > vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
>> > *would* flag Minesweeper...), and I'm pretty well educated in the
>> > anti-malware space, so if it were me, I'd just ignore those false
>> > positives and pay attention to the credible AV software results (and the
>> > Community Score).
>>
>> You may have thought you were joking, but...
>>
>> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>>
>> This is not just *a* minesweeper game, it is *the* minesweeper game
>> from Windows XP.
>
> LOL!  You're right, I'd never heard about that, and was just using 
> Minesweeper as an obviously safe example program.  And whaddaya know, 
> it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson 
> is to always ignore SecureAge and Trapmine results on VirusTotal, and 
> the OP should suggest VirusTotal drop those two from their AV software 
> suite.
>
> Thanks for the amusing link, Oskar.

Amusing, indeed.

This was less amusing: After I released this file Dec 30, 2018, it 
scored 7/67 and then 13/70 a few hours later, including well-known AV 
vendors:
https://www.virustotal.com/gui/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe
After FP reports to several vendors, it slowly dropped down to 1-2 
detections until March 2019.

Experience since then suggests that some noise of ~2 detections from not 
well-known AV is normal.


^ permalink raw reply	[flat|nested] 6+ messages in thread
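
Added example, not part of any message in this thread: a triage sketch for the policy the replies describe (a couple of hits from engines you do not rely on are noise to be exempted or reported as false positives, while a hit from an engine you do rely on deserves a closer look). It assumes a report in the VirusTotal API v3 `last_analysis_results` shape; the trusted-engine set, the threshold of 2 (taken from the "~2 detections" figure above), the `VendorA`..`VendorD` names and the sample data are all constructed.

```python
import json

# Constructed sample shaped like a VirusTotal API v3 file report
# (data.attributes.last_analysis_results). VendorA..VendorD are placeholders;
# the "result" labels are made up.
SAMPLE_REPORT = json.loads("""
{"data": {"attributes": {"last_analysis_results": {
  "SecureAge": {"category": "malicious",        "result": "constructed-label"},
  "Trapmine":  {"category": "malicious",        "result": "constructed-label"},
  "VendorA":   {"category": "undetected",       "result": null},
  "VendorB":   {"category": "undetected",       "result": null},
  "VendorC":   {"category": "timeout",          "result": null},
  "VendorD":   {"category": "type-unsupported", "result": null}
}}}}
""")

FLAGGED = {"malicious", "suspicious"}
# Engines in these categories never produced a verdict, so they must not
# inflate the denominator of the detection ratio.
NO_VERDICT = {"timeout", "confirmed-timeout", "failure", "type-unsupported"}


def triage(report, trusted_engines, noise_limit=2):
    """Classify a report; trusted_engines and noise_limit are local policy."""
    results = report["data"]["attributes"]["last_analysis_results"]
    scanned = {n: r for n, r in results.items()
               if r["category"] not in NO_VERDICT}
    hits = sorted(n for n, r in scanned.items() if r["category"] in FLAGGED)
    trusted_hits = [n for n in hits if n in trusted_engines]
    if trusted_hits or len(hits) > noise_limit:
        verdict = "investigate"            # credible engine or too many hits
    elif hits:
        verdict = "report-false-positive"  # exempt locally, report to vendor
    else:
        verdict = "clean"
    return {"ratio": f"{len(hits)}/{len(scanned)}", "hits": hits,
            "trusted_hits": trusted_hits, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT, trusted_engines={"VendorA", "VendorB"}))
```
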
