From: "DePriest, Jason R."
Date: Fri, 13 Nov 2009 22:04:52 -0600
Subject: Re: Cygrunsrv behaviour triggers Anti-Virus Program
To: cygwin AT cygwin DOT com

On Fri, Nov 13, 2009 at 8:05 PM, Dave Korn <> wrote:
> Andy Koppe wrote:
>> 2009/11/13 Jacob Jacobson:
>>> Output of Kaspersky Anti-Virus 6.0
>>>
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Process is trying to
>>> inject into another process. This behavior is typical of some malicious
>>> programs (Invader)
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE "Quarantine" action
>>> is selected
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE Forced to terminate
>>> the process.
>>> 11/13/2009 1:03:09 PM   C:\WIN\CYGWIN\BIN\CYGRUNSRV.EXE File quarantined.
>>>
>>> Output of Kaspersky Anti-Virus 6.0
>>
>> Send that to Kaspersky. Cygwin isn't gonna be changed to work around
>> that sort of crap.
>
>  BLODA in full effect.
>  It is designed to stop you running anything that
> behaves like forking, just in case what you were running wasn't meant to be
> doing that; therefore it is a crude and indiscriminate filter and must
> inevitably suffer false positives.
>
>  The problem is that there's no easy way for a simple-minded computer program
> to tell the difference between "suspicious process injecting itself into
> another", and "legitimate user-directed application attempting to emulate
> posix fork semantics".  It is unfortunate, but a lot of the things that Cygwin
> *has* to do are exactly like a lot of the things that some viruses do; hence
> we run up against the limits of heuristic behaviour blockers.
>
>     cheers,
>       DaveK
>
>
> --

The real question is whether or not Kaspersky will let you exclude
specific processes from this sort of inspection. If so, just exclude
cygrunsrv.exe.

I routinely have to do this depending on what AV I am running. Heck, if
I run the whole Comodo Security Suite, I get pages of prompts every time
I run setup.exe and it changes files around. It's all "hey, bash is
trusted, but it is doing something it didn't do yesterday and it has a
different checksum."

Security is pain.

-Jason

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple