Mail Archives: cygwin/2009/11/13/20:50:23

X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-2.5 required=5.0 tests=AWL,BAYES_00,SPF_PASS
X-Spam-Check-By: sourceware.org
Message-ID: <4AFE1071.5000706@gmail.com>
Date: Sat, 14 Nov 2009 02:05:37 +0000
From: Dave Korn <dave DOT korn DOT cygwin AT googlemail DOT com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: cygwin AT cygwin DOT com
Subject: Re: Cygrunsrv behaviour triggers Anti-Virus Program
References: <hdkapr$skt$1 AT ger DOT gmane DOT org> <416096c60911131218q4abb103ew3821a248d6e6015c AT mail DOT gmail DOT com>
In-Reply-To: <416096c60911131218q4abb103ew3821a248d6e6015c@mail.gmail.com>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Id: <cygwin.cygwin.com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

Andy Koppe wrote:
> 2009/11/13 Jacob Jacobson:
>> Output of Kaspersky Anti-Virus 6.0
>>
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Process is trying to
>> inject into another process. This behavior is typical of some malicious
>> programs (Invader)
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE "Quarantine" action
>> is selected
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Forced to terminate
>> the process.
>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE File quarantined.
>>
>> Output of Kaspersky Anti-Virus 6.0
> 
> Send that to Kaspersky. Cygwin isn't gonna be changed to work around
> that sort of crap.

  BLODA in full effect.  It is designed to stop you running anything that
behaves like forking, just in case what you were running wasn't meant to be
doing that; therefore it is a crude and indiscriminate filter and must
inevitably suffer false positives.

  The problem is that there's no easy way for a simple-minded computer program
to tell the difference between "suspicious process injecting itself into
another", and "legitimate user-directed application attempting to emulate
posix fork semantics".  It is unfortunate, but a lot of the things that Cygwin
*has* to do are exactly like a lot of the things that some viruses do; hence
we run up against the limits of heuristic behaviour blockers.

    cheers,
      DaveK


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
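The distinction Dave describes (a process writing into its own freshly spawned copy to emulate fork, versus a process writing into an unrelated one) is something a behaviour blocker can check if it looks at process lineage. The following is an added example, not code from the thread or from Cygwin or Kaspersky: a toy triage function over constructed event records, assuming a process table with pid, parent pid and image path, and the fact that Cygwin's fork launches a second copy of the same executable and copies memory into it.

```python
"""Toy heuristic: separate fork emulation from cross-process injection.

Cygwin's fork() starts a suspended child from the same executable and
copies the parent's memory into it, so the "injection" a blocker sees is
parent -> own child, same image. A rule that only asks "does this process
write into another process?" cannot tell that apart from an injector
targeting an unrelated process; adding the lineage and same-image
conditions removes this class of false positive.

Process table and events below are constructed sample data (hypothetical
pids and image names), not Kaspersky's real log format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class WriteEvent:
    source_pid: int   # process performing the cross-process memory write
    target_pid: int   # process being written into


def classify(event: WriteEvent, procs: dict[int, Process]) -> str:
    """Return 'fork-emulation', 'suspicious-injection' or 'unknown-process'."""
    src, dst = procs.get(event.source_pid), procs.get(event.target_pid)
    if src is None or dst is None:
        return "unknown-process"
    # Writing into a direct child that runs the same image is what a
    # fork emulator does; anything else keeps the original verdict.
    if dst.ppid == src.pid and dst.image.lower() == src.image.lower():
        return "fork-emulation"
    return "suspicious-injection"


# Constructed sample process table (paths from the report, pids invented).
SAMPLE_PROCS = {
    100: Process(100, 4, r"C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE"),
    200: Process(200, 100, r"C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE"),  # fork child
    300: Process(300, 1, r"C:\WINDOWS\explorer.exe"),
    400: Process(400, 300, r"C:\Temp\hypothetical-dropper.exe"),
}
SAMPLE_EVENTS = [WriteEvent(100, 200), WriteEvent(400, 300), WriteEvent(100, 300)]


def triage(events=SAMPLE_EVENTS, procs=SAMPLE_PROCS) -> list[tuple[int, int, str]]:
    """Classify every write event; used for both the demo and the tests."""
    return [(e.source_pid, e.target_pid, classify(e, procs)) for e in events]


if __name__ == "__main__":
    for row in triage():
        print(row)
```

Note that the third event (cygrunsrv writing into explorer.exe) is still flagged, so the rule narrows the false positive without whitelisting the binary.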
