Re: [bug #63489] Firefox says download is malware, virus total positive results

2022-12-08 Thread Joe
Firefox is quick! This has often happened to me when unzipping the download. One file had a similar set of bytes to a known virus but as data, not an executable.

Joe

On 8 Dec 2022 12:05 pm, Richard Shann wrote:

Update of bug #63489 (project denemo):

      Status:    None => Need Info
 Open/Closed:    Open => Closed

    ___

Follow-up Comment #1:

It is overwhelmingly likely that these are the usual false positives that
virus detectors make. (I say that because the files are generated avoiding the
use of any proprietary operating systems/software which would make an attack
extremely "niche").
Unless you can find the program misbehaving in some way there is nothing to do
- these virus detector companies are not in my experience in the business of
worrying much about false positives unless they involve popular software
backed by companies who might sue them!
You may see earlier, similar, reports - but no actual malware has ever been
reported on the executables on denemo.org
    ___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/
[bug #63489] Firefox says download is malware, virus total positive results

2022-12-08 Thread Richard Shann
Update of bug #63489 (project denemo):

      Status:    None => Need Info
 Open/Closed:    Open => Closed

___

Follow-up Comment #1:

It is overwhelmingly likely that these are the usual false positives that
virus detectors make. (I say that because the files are generated avoiding the
use of any proprietary operating systems/software which would make an attack
extremely "niche").
Unless you can find the program misbehaving in some way there is nothing to do
- these virus detector companies are not in my experience in the business of
worrying much about false positives unless they involve popular software
backed by companies who might sue them!
You may see earlier, similar, reports - but no actual malware has ever been
reported on the executables on denemo.org
___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/
[bug #63489] Firefox says download is malware, virus total positive results

2022-12-08 Thread anonymous
URL:
  

         Summary: Firefox says download is malware, virus total positive results
         Project: Denemo
       Submitter: None
       Submitted: Thu 08 Dec 2022 11:53:02 AM UTC
        Category: None
        Severity: 3 - Normal
      Item Group: None
          Status: None
         Privacy: Public
     Assigned to: None
 Originator Name:
     Open/Closed: Open
 Discussion Lock: Any


___

Follow-up Comments:


---
Date: Thu 08 Dec 2022 11:53:02 AM UTC By: Anonymous
Tried downloading www.denemo.org/~rshann/Denemo2.44Installer.exe from
http://www.denemo.org/downloads-page/ 

Firefox said download is malware after download completed.

Screenshot https://imgur.com/a/pZesCq4

I tried a virus total scan of the url - it said some vendors had detected
problems. I refreshed the scan - it all came out fine. 

I then downloaded the zip version of 2.6.
http://denemo.org/~rshann/denemo-2.6.0.zip

I extracted it, in a sandbox, and ran denemo.bat.

I uploaded /bin/denemo.exe to virus total. The behaviour said that some file
integrity checks failed among other things.

https://www.virustotal.com/gui/file/8aad5043dcadfe3457e3f897a76ae47488f1beba7a8f778c67cfe75752412ad5/behavior


1 match for rule "File deletion via CMD (via cmdline)" by Ariel Millahuel from
SOC Prime Threat Detection Marketplace:
Detects "cmd" utilization to self-delete files in some critical Windows
destinations.

1 match for rule "Failed Code Integrity Checks" by Thomas Patzke from Sigma
Integrated Rule Set (GitHub):
Code integrity failures may indicate tampered executables.

1 match for rule "Use Remove-Item to Delete File" by frack113 from Sigma
Integrated Rule Set (GitHub):
Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"


I refreshed virus total scan. Same result.
https://www.virustotal.com/gui/file/8aad5043dcadfe3457e3f897a76ae47488f1beba7a8f778c67cfe75752412ad5/behavior

I zipped the /bin folder and checked in virus total

Several vendors tagged the zip file as malicious

https://www.virustotal.com/gui/file/2a410534d394243ac4fae298ee5754a31690027377ffc0dc1ce6853406bfbae4?nocache=1
___

Reply to this item at:

  

___
Message sent via Savannah
https://savannah.gnu.org/