Mail Archives: cygwin/2012/04/23/07:05:40

Date: Mon, 23 Apr 2012 14:52:23 +0400
From: Andrey Repin <anrdaemon AT freemail DOT ru>
Reply-To: Andrey Repin <cygwin AT cygwin DOT com>
Message-ID: <2610076794.20120423145223@mtu-net.ru>
To: "Watts, Simon (UK)" <SWATTS AT ngms DOT eu DOT com>, cygwin AT cygwin DOT com
Subject: Re: VIRUS: XWin.exe 1.12.0-4 "Bloodhound.Sonar.9"
In-Reply-To: <D466D8ED2A535D448228E410781DF5E48087A89DBC@APOLLOCCR.ng.local>
References: <D466D8ED2A535D448228E410781DF5E48087A89DBC AT APOLLOCCR DOT ng DOT local>
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
List-Archive: <http://sourceware.org/ml/cygwin/>

Greetings, Watts, Simon (UK)!

> Just performed a routine update to cygwin, which resulted in the updated XWin.exe being quarantined due to a virus threat.

> Details:

>         setup.exe version:      2.769
>         source:         http://cygwin.xl-mirror.nl
>         xorg-servers-common version:    1.12.0-4

> Symantec Endpoint Protection reported XWin.exe contained "Bloodhound.Sonar.9"

>         file size:      2828127
>         hash:   157814B5160244D44E469CA9829124DABA14426F3D60E6A22B52E953625CA0B2
>         category:       application heuristic
>         scan type:      SONAR
>         SONAR Risk level:       High
>         SONAR:  High

> Reverting back to 1.12.0-3 from same source does *not* show this issue.

> Could be a false positive?  But AV policy prevents me from running it.

From the report, it seems like the AV heuristic backfired.
https://www.virustotal.com/file/157814b5160244d44e469ca9829124daba14426f3d60e6a22b52e953625ca0b2/analysis/


--
WBR,
Andrey Repin (anrdaemon AT freemail DOT ru) 23.04.2012, <14:39>

Sorry for my terrible English...


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
