Subject: Re: Malwarebytes flags qdbusviewer-qt5.exe as Adware.Elex malware
From: Brian Inglis
Reply-To: Brian DOT Inglis AT SystematicSw DOT ab DOT ca
To: cygwin AT cygwin DOT com
Date: Sun, 19 Mar 2017 22:11:54 -0600
In-Reply-To: <723881701.3213900.1489947507261@mail.yahoo.com>

On 2017-03-19 12:18, Ed Koerber via cygwin wrote:
> On Sunday, March 19, 2017 12:32 PM, Ray Donnelly wrote:
>> On Sun, Mar 19, 2017 at 5:19 PM, Ed Koerber via cygwin wrote:
>>> I am using the following version of cygwin on a Windows 7 computer:
>>> $ uname -a
>>> CYGWIN_NT-6.1 e250 2.6.0(0.304/5/3) 2016-08-31 14:27 i686 Cygwin
>>> Why does Malwarebytes flag this file:
>>> C:\cygwin\usr\x86_64-w64-mingw32\sys-root\mingw\bin\qdbusviewer-qt5.exe
>>> as Adware.Elex malware?
>> Probably because virus scanners are amongst the dumbest software on earth?
>> If you were to report it to Malwarebytes as a suspected false positive
>> that would be helpful.
> It bears asking to be thorough... are we sure that the cygwin package
> has not been compromised somehow?

As long as you install Cygwin setup-x86{,64} from https://cygwin.com and it downloads packages from a current official mirror, you are protected by browser validation (only as good as your browser) of HTTPS certificates, GPG signature validation on the setup program and setup.ini files, and SHA-2 SHA-512 message digest validation of the packages and contents.

Read the MB notes on adware e.g.
https://support.malwarebytes.com/customer/portal/articles/1834873-what-are-pup-detections-are-they-threats-and-should-they-be-deleted-?b_id=6438

"What are 'PUP' detections, are they threats and should they be deleted?
PUP detections are Potentially Unwanted Programs. These are programs our researchers have found are sometimes added to a system without the user's knowledge or approval. In Malwarebytes Anti-Malware versions 2.0 and higher, PUPs are set to be quarantined by default. This can be confirmed in Settings > Detection and Protection > Non-Malware Protection."

***********

This warning may be generated by generic detection of Windows code that may resemble similar Windows code included in some adware. If this is generated by a static file scan, especially of Cygwin code, rather than while running the software, it is most likely a false positive. If you downloaded and installed the software yourself from a reputable source, with good validation, you should exclude the software.

With Cygwin you can always download the tools and source code to fairly easily rebuild the binary packages, and some people other than the Cygwin developers do, starting with the dll, apps, tools, etc., so they know all their code can be rebuilt from the distributed source.

You can always uninstall the package using the setup program, or whatever process is recommended by MB.

Alternatively you can ask MB for confirmation or reconsideration:
https://forums.malwarebytes.com/topic/3228-please-read-before-reporting-a-false-positive/

MB search for "false positive" does not return much that is useful until you go into the Forums, and their products do not seem to have an easy integrated way to submit reports and samples.
This to me is a yellow flag, as most similar products I have used make it easy to report and provide samples of either suspected malware or false positives, which have included earlier Cygwin and other Windows programs which were fine, and were quickly recategorized in updates to the AV product.

You may be better served by good AV and ad blocking software that is not in the Cygwin FAQ BLODA list:
https://cygwin.com/faq/faq.html#faq.using.bloda

For Windows 7 you could download and install MSE Microsoft Security Essentials, using it with Windows Defender and Windows Firewall, and a good ad blocker that detects known problems and actual bad behaviour.

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
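The reply above lists three layers that protect a Cygwin install (HTTPS to cygwin.com, GPG signatures on setup and setup.ini, SHA-512 digests on the package archives). The last layer is the one a user can re-run by hand on a file that an AV product has flagged: setup.ini records, for every "install:" and "source:" line, the archive path, its size and its SHA-512 digest, so the archive a package came from can be checked against the signed index independently of the scanner's opinion. The script below is an added example of that check; it is not Cygwin setup's own code. The setup.ini excerpt, the package name "example-qt5-tools" and the archive bytes are constructed for the demonstration, and the GPG verification of setup.ini itself (gpg --verify setup.ini.sig setup.ini against the Cygwin signing key) is assumed to have been done separately and is not reproduced here.

```python
"""Verify a downloaded Cygwin package archive against setup.ini.

Added example; not Cygwin setup's own code.  It reproduces the digest check
the reply lists last: the size and SHA-512 that setup.ini records for every
'install:' and 'source:' line.  The setup.ini excerpt, the package name
'example-qt5-tools' and the archive bytes are constructed for this example.
The GPG check of setup.ini (gpg --verify setup.ini.sig setup.ini) is assumed
to have been done separately and is not reproduced here.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    package: str   # the '@ name' stanza the line belongs to
    size: int      # byte length recorded in setup.ini
    sha512: str    # lowercase hex SHA-512 recorded in setup.ini


# 'install:' / 'source:' lines have the form '<path> <size> <sha512 hex>'.
_ARCHIVE_LINE = re.compile(
    r"^(?:install|source):\s+(\S+)\s+(\d+)\s+([0-9a-fA-F]{128})$"
)


def parse_setup_ini(text):
    """Return {archive path: Entry} for every archive setup.ini lists."""
    index = {}
    package = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("@ "):
            package = line[2:].strip()
            continue
        m = _ARCHIVE_LINE.match(line)
        if m and package is not None:
            path, size, digest = m.groups()
            index[path] = Entry(package, int(size), digest.lower())
    return index


def verify_package(path, data, index):
    """Check downloaded archive bytes against setup.ini; return (ok, reason).

    Size is compared first (cheap), then the SHA-512 digest.  A path that
    setup.ini does not list is rejected rather than trusted by default.
    """
    entry = index.get(path)
    if entry is None:
        return False, "path not listed in setup.ini"
    if len(data) != entry.size:
        return False, f"size mismatch: expected {entry.size}, got {len(data)}"
    actual = hashlib.sha512(data).hexdigest()
    if not hmac.compare_digest(actual, entry.sha512):
        return False, "sha512 mismatch"
    return True, f"{path} matches setup.ini entry for {entry.package}"


# Constructed sample data: a fake archive, a tampered copy of it, and a
# setup.ini excerpt whose digest line is generated from the fake archive
# (a real setup.ini ships with the digest already filled in by the mirror).
GOOD_ARCHIVE = b"constructed archive bytes, not a real .tar.xz\n" * 16
TAMPERED_ARCHIVE = GOOD_ARCHIVE[:-1] + b"!"   # same size, one byte changed
ARCHIVE_PATH = "x86_64/release/example-qt5-tools/example-qt5-tools-5.6.1-1.tar.xz"

SETUP_INI = f"""release: cygwin
arch: x86_64

@ example-qt5-tools
sdesc: "Constructed package stanza for the example"
category: Devel
version: 5.6.1-1
install: {ARCHIVE_PATH} {len(GOOD_ARCHIVE)} {hashlib.sha512(GOOD_ARCHIVE).hexdigest()}
"""


if __name__ == "__main__":
    index = parse_setup_ini(SETUP_INI)
    for label, blob in (("good", GOOD_ARCHIVE),
                        ("tampered", TAMPERED_ARCHIVE),
                        ("truncated", GOOD_ARCHIVE[:-7])):
        ok, reason = verify_package(ARCHIVE_PATH, blob, index)
        print(f"{label:9s} {'OK ' if ok else 'BAD'} {reason}")
```

On a real install the archive to feed verify_package is the one setup left in the local package cache directory (the one named after the mirror URL), and the matching setup.ini is the copy setup downloaded from the same mirror; the digest only means something once that setup.ini has itself passed the GPG signature check, which is why the example treats the signature step as a precondition rather than a substitute.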