Public bug reported: Some of my users use Windows 10 and run 20.04 LTS (Focal Fossa) in WSL.
We use jq a lot. Last week users reported that jq was not working / missing and they were unable to reinstall with apt. Users having installed Ubuntu on bare metal or using it in a VM were not affected, only the WSL crowd.

Windows Defender logs showed that it has quarantined /usr/bin/jq as Trojan:Win32/Casdet!rfn

I compared the sha256sum from affected systems to a fresh install of jq from the Ubuntu repo. It is bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd on all systems, so I believe that it had not been altered or come from another repo.

We reported it to Microsoft and they agreed it was a false positive and they would update definitions. A few days later the issue reoccurred. This time Microsoft classifies it as Trojan:Linux/CoinMiner.N!MTB

We contacted them again to report it as a false positive, but this time they closed our submission and said that the detection of /usr/bin/jq as Trojan:Linux/CoinMiner.N!MTB is valid and will not be changed.

Meanwhile other AV engines also jumped onto the bandwagon. It was just 4 or 5 a few days ago; now it is up to 15, including ClamAV.
https://www.virustotal.com/gui/file/bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd/detection

There is an issue open on jq's GitHub about it too: https://github.com/stedolan/jq/issues/2175

I see one security firm claimed that jq is an IOC for a crypto mining worm: https://www.rewterz.com/rewterz-news/rewterz-threat-alert-cryptomining-worms-steals-aws-credentials

None of our systems show indications of compromise, worm activity or anything. I maintain that this seems to be a false positive. What can we do?
lsb_release -rd
Description: Ubuntu 20.04 LTS
Release: 20.04

apt-cache policy jq
jq:
  Installed: 1.6-1
  Candidate: 1.6-1
  Version table:
 *** 1.6-1 500
        500 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: jq 1.6-1
ProcVersionSignature: Ubuntu 5.4.0-29.33-generic 5.4.30
Uname: Linux 5.4.0-29-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.6
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 25 17:26:40 2020
InstallationDate: Installed on 2019-05-01 (481 days ago)
InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
SourcePackage: jq
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: jq (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug focal

https://bugs.launchpad.net/bugs/1892843
Title: /usr/bin/jq suddenly flagged as malware on many AV engines
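The reporter's false-positive case rests on one check: the flagged binary is byte-identical to what the Ubuntu package ships. The script below is an added example, not part of the bug report or of the jq project, that makes that check repeatable on an affected WSL instance. It verifies the installed file against the package's own dpkg manifest (`dpkg -V`, which prints nothing for files that match) and against a known-good sha256, using the hash quoted in the report for jq 1.6-1 on focal/amd64. Function names, the constructed test input and the `--audit` flag are this example's own; the sha256 constant comes from the report and should be re-derived from a clean install of the exact package version before being trusted elsewhere.

```shell
#!/bin/sh
# Added example (not from the bug report): confirm a quarantined or flagged
# binary is the unmodified distro file before treating an AV hit as a false positive.
# Assumes coreutils (sha256sum, cut) and, for the audit path, dpkg.

# sha256 of /usr/bin/jq from jq 1.6-1 (focal, amd64) as quoted in the report above.
JQ_SHA256_FOCAL_AMD64=bcfa215dec8fe15d4265c508c39c1ebafb7370acc95721e4e7d610b0459eb8dd

# check_sha256 FILE EXPECTED_HEX
# Exit status: 0 = match, 1 = hash differs (altered or different build), 2 = file absent
# (on WSL an absent file is consistent with Defender having quarantined it).
check_sha256() {
    file=$1
    expected=$2
    if [ ! -f "$file" ]; then
        echo "MISSING  $file (quarantined or removed?)"
        return 2
    fi
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file $actual"
        return 0
    fi
    echo "MISMATCH $file expected=$expected actual=$actual"
    return 1
}

# owner_package FILE: name of the dpkg package that owns FILE, empty if none.
owner_package() {
    dpkg -S "$1" 2>/dev/null | cut -d: -f1
}

# audit_installed_jq: cross-check /usr/bin/jq two ways.
#  1. dpkg -V compares every file of the package to the md5sums recorded at
#     install time; silence means intact, a line per file means drift.
#  2. check_sha256 compares against the hash a clean install produced.
# Agreement on both, with the package coming from archive.ubuntu.com
# (apt-cache policy), is the evidence to attach to a false-positive submission.
audit_installed_jq() {
    pkg=$(owner_package /usr/bin/jq)
    echo "dpkg owner of /usr/bin/jq: ${pkg:-none}"
    if [ -n "$pkg" ]; then
        if dpkg -V "$pkg"; then
            echo "dpkg -V $pkg: all files match the package manifest"
        else
            echo "dpkg -V $pkg: differences listed above"
        fi
    fi
    check_sha256 /usr/bin/jq "$JQ_SHA256_FOCAL_AMD64"
}

# Only run the live audit when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_installed_jq
fi
```

Run it as `sh verify-jq.sh --audit` inside the WSL distro. A MISSING result while Defender's history shows a quarantine entry, followed by OK after `apt-get install --reinstall jq`, is the cycle the report describes; a MISMATCH is the one outcome that would justify keeping the file out of service until the origin of the differing bytes is known.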
