From: Christian Franke via Cygwin
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin setup reporter as malware
Date: Fri, 9 Dec 2022 19:49:13 +0100

Dan Harkless via Cygwin wrote:
> On 12/9/2022 3:39 AM, Oskar Skog via Cygwin wrote:
>> On 2022-12-07 23:54, Dan Harkless via Cygwin wrote:
>>
>> > No.  It's normal and common for software like Cygwin, which has the
>> > power to be used maliciously (as opposed to, say, a Minesweeper game or
>> > something), to have false positives on VirusTotal for a handful of
>> > vendors.  I've never heard of SecureAge or Trapmine (hmm, maybe it
>> > *would* flag Minesweeper...), and I'm pretty well educated in the
>> > anti-malware space, so if it were me, I'd just ignore those false
>> > positives and pay attention to the credible AV software results (and the
>> > Community Score).
>>
>> You may have thought you were joking, but...
>>
>> https://www.virustotal.com/gui/file/bcff89311d792f6428468e813ac6929a346a979f907071c302f418d128eaaf41
>>
>> This is not just *a* minesweeper game, it is *the* minesweeper game
>> from Windows XP.
>
> LOL!  You're right, I'd never heard about that, and was just using
> Minesweeper as an obviously safe example program.  And whaddaya know,
> it's SecureAge and Trapmine (oy!) that "flag" it.  I guess the lesson
> is to always ignore SecureAge and Trapmine results on VirusTotal, and
> the OP should suggest VirusTotal drop those two from their AV software
> suite.
>
> Thanks for the amusing link, Oskar.

Amusing, indeed.

This was less amusing: After I released this file Dec 30, 2018, it scored
7/67 and then 13/70 a few hours later, including well-known AV vendors:

https://www.virustotal.com/gui/file/bf0416c2e214c6323fdf1af8b853f761c846760f02950453c8a5bb276c961fbe

After FP reports to several vendors, it slowly dropped down to 1-2
detections until March 2019.
Experience since then suggests that some noise of ~2 detections from not well-known AV is normal.