Date: Wed, 16 Mar 2016 20:14:30 -0400
Message-ID: <CACoZoo2wZ6+moQ=-96SbqS-5zY-UkpKeeSYPvhG7me+sgzcbTw@mail.gmail.com>
Subject: Re: AVG scan found WIN-HEUR virus in cygwin install from aarnet ftp
From: Erik Soderquist <ErikSoderquist AT gmail DOT com>
To: "Justin S." <juszza AT yahoo DOT com>, cygwin AT cygwin DOT com

On Wed, Mar 16, 2016 at 7:44 PM, Justin S. wrote:
>   AVG anti-virus reported it found a virus in a Cygwin install pulled from aarnet on 8 Jan 2014.
>
> "";"Virus found Win32/Heur, C:\Users\justin\Desktop\ftp%3a%2f%2fmirror.aarnet.edu.au%2fpub%2fsourceware%2fcygwin%2f\x86\release\cygwin\cygwin-debuginfo\cygwin-debuginfo-1.7.27-2.tar.xz";"Secured"
>
> The AVG info on the reported virus is as follows:
>
> http://www.avgthreatlabs.com/au-en/virus-and-malware-information/info/win-heur/?name=Win32/Heur&utm_source=TDPU&utm_medium=SCAN&PRTYPE=AVF
>
> I think it has been lurking there for some time. You might want to check into it to make sure nothing has sneaked in.

Most likely a false positive.  The "heur" part indicates it was
flagged by heuristic analysis rather than a known signature match.
I've had several false positives from anti-virus scanners because the
majority of Windows users simply don't do advanced computing, and so
anything that does is "unusual" at minimum.

I would start with comparing the signature of the downloaded file
against the same file downloaded from other trusted sources, and if
they match, submit to AVG as a likely false positive.  If the
signatures don't match, try to contact the mirror's maintainer and let
them know about the signature mismatch and the AV flag so they can
check their mirror.

-- Erik
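The cross-source comparison Erik suggests, as an added example that is not part of the original post or of the Cygwin project: a POSIX shell script that hashes the same package file obtained from two places and reports whether the content is identical. It assumes `sha256sum` (coreutils, shipped with Cygwin) or `shasum` is on the PATH; the `mirror_*.tar.xz` files and their contents are constructed stand-ins for the tarball fetched from different mirrors, and the digest of the empty file is the well-known SHA-256 constant used as a sanity check.

```shell
#!/bin/sh
# Added example (not from the list post or the Cygwin project): compare the
# checksum of the same file fetched from two sources.

# digest FILE: print the SHA-256 hex digest of FILE on stdout.
# Returns 2 if the file is unreadable (a pipeline would otherwise hide that).
digest() {
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# compare_downloads FILE_A FILE_B: print both digests and a verdict.
# Returns 0 when the digests match, 1 when they differ, 2 on a read error.
compare_downloads() {
    a=$(digest "$1") || return 2
    b=$(digest "$2") || return 2
    printf '%s  %s\n%s  %s\n' "$a" "$1" "$b" "$2"
    if [ "$a" = "$b" ]; then
        echo "MATCH: same content from both sources; report to the AV vendor as a likely false positive"
        return 0
    else
        echo "MISMATCH: content differs between sources; notify the mirror maintainer"
        return 1
    fi
}

# Constructed sample inputs standing in for one package pulled from three mirrors.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'sample package content\n'   > "$tmp/mirror_a.tar.xz"
printf 'sample package content\n'   > "$tmp/mirror_b.tar.xz"
printf 'tampered package content\n' > "$tmp/mirror_c.tar.xz"
: > "$tmp/empty.bin"

# Usage: the first pair matches, the second does not.
compare_downloads "$tmp/mirror_a.tar.xz" "$tmp/mirror_b.tar.xz"
compare_downloads "$tmp/mirror_a.tar.xz" "$tmp/mirror_c.tar.xz" || true
```

In practice the two inputs are the same package path downloaded from two different mirrors (or a mirror and the primary site); a mismatch only says the copies differ, so the follow-up is the one in the post, telling the mirror maintainer rather than drawing conclusions about the file itself.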

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple