public inbox for cygwin@cygwin.com
* Virus Total scan
@ 2023-08-22 14:12 Dom Woods - BGS
  2023-08-22 14:59 ` Thomas Schweikle
  2023-08-22 21:54 ` Brian Inglis
From: Dom Woods - BGS @ 2023-08-22 14:12 UTC (permalink / raw)
  To: cygwin


Hi Cygwin,

I scanned your application through Virus Total as per our company policy and noticed that the installation process calls out to a suspicious Microsoft IP, 13.107.4.50. This IP has been flagged by 8 vendors as malicious; I get varying responses for what it is used for (an OS updater or a file distributor) and wanted to ask what Cygwin uses it for. I can't seem to contact it with nslookup or ping it, and Virus Total says that it gives 'status 400' results, so it might not be in use anymore anyway, but I just wanted to check.

Here are your Virus Total graph results: https://www.virustotal.com/graph/6bad4555154b3b348d1bfb633a2e9d6086aa46e36952f456a434ecef5b0010e0
Here are the scan results for the IP address: https://www.virustotal.com/gui/url/3397a00da1c5aa448611892c12d38fee37fcd60321720a6e242cb0167e381901/detection


Kind regards,
Dom Woods




This email and any attachments are intended solely for the use of the named recipients. If you are not the intended recipient you must not use, disclose, copy or distribute this email or any of its attachments and should notify the sender immediately and delete this email from your system. UK Research and Innovation (UKRI) has taken every reasonable precaution to minimise risk of this email or any attachments containing viruses or malware but the recipient should carry out its own virus and malware checks before opening the attachments. UKRI does not accept any liability for any losses or damages which the recipient may sustain due to presence of any viruses.



* Re: Virus Total scan
  2023-08-22 14:12 Virus Total scan Dom Woods - BGS
@ 2023-08-22 14:59 ` Thomas Schweikle
  2023-08-22 17:28   ` Bill Stewart
  2023-08-22 21:54 ` Brian Inglis
From: Thomas Schweikle @ 2023-08-22 14:59 UTC (permalink / raw)
  To: cygwin



It is the address of one of the distribution servers. Since this is not 
"one server", but a cluster of servers, your "suspicious" server shows 
only one thing: those "suspicious" flags are suspicious by themselves:

this particular server has been down for some time and only reports back a 
broken html page telling "<h2>Our services aren't available right 
now</h2><p>We're working to restore all services as soon as possible. 
Please check back 
soon.</p>06cvkZAAAAAA8FvmXFYIOTZ2TS15AJl0/RFVTMzBFREdFMDkxNwBFZGdl"

If this is enough to get flagged as "suspicious" ...


On Tue, 22 Aug 2023 at 16:12:51, Dom Woods - BGS via Cygwin wrote:
> Hi Cygwin,
> 
> I scanned your application through Virus Total as per our company policy and noticed that the installation process calls out to a suspicious Microsoft IP, 13.107.4.50. This IP has been flagged by 8 vendors as malicious; I get varying responses for what it is used for (an OS updater or a file distributor) and wanted to ask what Cygwin uses it for. I can't seem to contact it with nslookup or ping it, and Virus Total says that it gives 'status 400' results, so it might not be in use anymore anyway, but I just wanted to check.
> 
> Here are your Virus Total graph results: https://www.virustotal.com/graph/6bad4555154b3b348d1bfb633a2e9d6086aa46e36952f456a434ecef5b0010e0
> Here are the scan results for the IP address: https://www.virustotal.com/gui/url/3397a00da1c5aa448611892c12d38fee37fcd60321720a6e242cb0167e381901/detection
> 
> 
> Kind regards,
> Dom Woods

-- 
Kind regards
*p.p. Thomas Schweikle*
Devices and Servicedesk

—
Bundesamt für Strahlenschutz | Federal Office for Radiation Protection
Information Technology | DO 3
Ingolstädter Landstrasse 1
85764 Oberschleißheim

Tel.: +49 30 18333-2594
E-mail: tschweikle@bfs.de <mailto:tschweikle@bfs.de>

If possible, please sign and encrypt your e-mail with GnuPG or an
equivalent product. The public key for encryption is attached (*.asc file).

—
🌐 Visit our website <https://www.bfs.de/> and subscribe to our 📢 newsletter
<https://www.bfs.de/strahlenschutzaktuell>.
🔒 Privacy information <https://www.bfs.de/datenschutz> under Article 13 GDPR
💚 Print this e-mail? Better to protect the environment!




* Re: Virus Total scan
  2023-08-22 14:59 ` Thomas Schweikle
@ 2023-08-22 17:28   ` Bill Stewart
From: Bill Stewart @ 2023-08-22 17:28 UTC (permalink / raw)
  To: cygwin


On Tue, Aug 22, 2023 at 9:00 AM Thomas Schweikle wrote:

> It is the address of one of the distribution servers. Since this is not
> "one server", but a cluster of servers, your "suspicious" server shows
> only one thing: those "suspicious" flags are suspicious by themselves:
>
> this particular server has been down for some time and only reports back a
> broken html page telling "<h2>Our services aren't available right
> now</h2><p>We're working to restore all services as soon as possible.
> Please check back
> soon.</p>06cvkZAAAAAA8FvmXFYIOTZ2TS15AJl0/RFVTMzBFREdFMDkxNwBFZGdl"
>
> If this is enough to get flagged as "suspicious" ...
>

Unfortunately yes, nowadays.

I have run into this same problem also because I wrote an installer for an
open source tool. Said tool makes outgoing TCP connections to servers
configured as relays. One of the IP addresses used by one of these relays
was (or is) shared with a "dangerous" service. As a result I had to disable
the relay feature in the installer as a default to (hopefully) reduce the
number of false positives.

Bill


* Re: Virus Total scan
  2023-08-22 14:12 Virus Total scan Dom Woods - BGS
  2023-08-22 14:59 ` Thomas Schweikle
@ 2023-08-22 21:54 ` Brian Inglis
From: Brian Inglis @ 2023-08-22 21:54 UTC (permalink / raw)
  To: cygwin; +Cc: Dom Woods - BGS

On 2023-08-22 08:12, Dom Woods - BGS via Cygwin wrote:
> I scanned your application through Virus Total as per our company policy and
> noticed that the installation process calls out to a suspicious Microsoft IP,
> 13.107.4.50. This IP has been flagged by 8 vendors as malicious; I get varying
> responses for what it is used for (an OS updater or a file distributor) and
> wanted to ask what Cygwin uses it for. I can't seem to contact it with
> nslookup or ping it, and Virus Total says that it gives 'status 400' results, so
> it might not be in use anymore anyway, but I just wanted to check.
> 
> Here are your Virus Total graph results: https://www.virustotal.com/graph/6bad4555154b3b348d1bfb633a2e9d6086aa46e36952f456a434ecef5b0010e0
> Here are the scan results for the IP address: https://www.virustotal.com/gui/url/3397a00da1c5aa448611892c12d38fee37fcd60321720a6e242cb0167e381901/detection

Cannot see the VT graph without registering - please attach it if relevant.

Which Cygwin application did you scan, and how did you scan it?
Cygwin has thousands of packages with many executables in each, plus thousands 
of libraries which may have many DLLs, all developed or packaged by volunteers.

Did you get the application from the cygwin.com site, or install it using the 
installer downloaded from the site home page URL, accessing an official Cygwin 
mirror?
Any other process is entirely at your own risk and may contain malware!

It is extremely unlikely any Cygwin package attempted to access any MS address 
or resources, as the newlib libc is BSD or compatible licensed, and Cygwin is 
GPL or compatible licensed, so packages have to be limited in what they are 
allowed to do on networks during install.

Your company may have filters intercepting library and system DLLs, and much 
else on the internet, and may proxy cache downloads, which could interfere with 
anything else you do.
It would be advisable to ask your network security folks about such anomalous 
results.

-- 
Take care. Thanks, Brian Inglis              Calgary, Alberta, Canada

Perfection is achieved not when there is no more to add,
but when there is no more to cut.
                                 -- Antoine de Saint-Exupéry

