https://bugs.winehq.org/show_bug.cgi?id=45852
Bug ID: 45852
Summary: Avira anti-virus claims joy.cpl is a virus (tarball version) TR/Crypt.ZPACK.Gen2
Product: Wine
Version: 3.16
Hardware: x86
OS: Mac OS X
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: joy.cpl
Assignee: wine-bugs@winehq.org
Reporter: fred@clift.org
I just downloaded the portable tarball version of Wine 3.16. A short time after I unpacked it, Avira anti-virus claimed that joy.cpl was a trojan, which they have named TR/Crypt.ZPACK.Gen2.
I have no idea if this is a false positive or not. The SHA1 sum of the tarball I downloaded is:
$ sha1sum winehq-staging-3.16.pkg
c248c93afa2d46934915feacbffb72c5fa3095ac  winehq-staging-3.16.pkg
and the joy.cpl file:
$ sha1sum usr/lib/wine/fakedlls/joy.cpl
17a4f4cf2a1ccda9c799e5d8b862d450b24585ad  lib/wine/fakedlls/joy.cpl
Fred fred@clift.org changed:
  CC: added fred@clift.org
Fabian Maurer dark.shadow4@web.de changed:
  CC: added dark.shadow4@web.de
--- Comment #1 from Fabian Maurer dark.shadow4@web.de ---
First, is your antivirus up to date? Second, you could check on a site like VirusTotal whether other engines also claim it's dangerous. To me it sounds like a false positive, but check to make sure.
zaplo00@mailfence.com changed:
  CC: added zaplo00@mailfence.com
--- Comment #2 from zaplo00@mailfence.com ---
ZPACK is a generic detection; it's often a false positive.
--- Comment #3 from Fred fred@clift.org ---
AV is up to date.
Here is the virustotal scan:
https://www.virustotal.com/#/file/25566c21ab8b095c3e67723ac7e88334c9f45d391d...
It very well could be a false positive on their part. Are Wine builds reproducible? Could someone make sure that the source on whatever machine builds the release isn't compromised, and that building from that source produces the same output?
Looking at the big picture, it doesn't seem that this would be the favored point of attack if the build system were compromised by an attacker who wanted to include malware in an open-source project. I'm leaning toward "it's a safe false positive" myself, but it's probably worth a double check of the build boxes.
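The checks the thread talks about (comment #1: look the file up on VirusTotal; comment #3: pin the download to a published checksum and see whether a rebuild from the same source yields the same bytes) are easy to script. The block below is an added example written for this page; it is not Wine project code and not anything the reporter ran. It assumes a project-published manifest of expected digests (the hex strings in the sample are constructed from the bytes written in `demo()`, not from any real Wine file), two locally available build trees to diff, and the `https://www.virustotal.com/gui/file/<sha256>` lookup-by-hash URL form (the report above used the older `#/file/` form). Two caveats: hashing a file you already downloaded only proves it has not changed since you hashed it, so the expected values must come from a channel the person controlling your download mirror cannot also edit; and SHA-1, which `sha1sum` produces, is no longer collision-resistant, so pin with SHA-256 where the project publishes it.

```python
"""Pin a downloaded tree to published digests and diff two build trees.

Added example, not Wine project code. Mirrors the manual `sha1sum` check in
the report and the reproducible-build question in comment #3.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib so large tarballs don't land in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(root, expected, algo="sha256"):
    """Compare files under `root` against a {relative_path: hexdigest} manifest.

    Returns {relative_path: "ok" | "mismatch" | "missing"}. A "missing" entry
    matters as much as a mismatch: a stripped file is also a tampered tree.
    """
    results = {}
    for rel, want in expected.items():
        p = Path(root) / rel
        if not p.is_file():
            results[rel] = "missing"
            continue
        results[rel] = "ok" if file_digest(p, algo) == want.lower() else "mismatch"
    return results


def tree_digests(root, algo="sha256"):
    """Map every regular file under `root` (relative POSIX path) to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_trees(a, b, algo="sha256"):
    """Reproducible-build check: which files differ between two build outputs.

    A clean rebuild from the same source that reproduces the shipped bytes is
    the strongest answer to "is the release what the source says it is".
    """
    da, db = tree_digests(a, algo), tree_digests(b, algo)
    return {
        "differ": sorted(k for k in da.keys() & db.keys() if da[k] != db[k]),
        "only_in_a": sorted(da.keys() - db.keys()),
        "only_in_b": sorted(db.keys() - da.keys()),
    }


def virustotal_lookup_url(path):
    """Look up an existing report by SHA-256 without uploading the file.

    Assumption (not from the page): the current /gui/file/<sha256> URL form.
    """
    return "https://www.virustotal.com/gui/file/" + file_digest(path, "sha256")


def demo():
    """Constructed sample: two fake build trees that agree on joy.cpl but not on
    another file. The manifest digest is SHA-256 of the bytes b"hello" written
    below; it is not the digest of any real Wine file."""
    with tempfile.TemporaryDirectory() as tmp:
        a = Path(tmp, "build-a", "lib", "wine", "fakedlls")
        b = Path(tmp, "build-b", "lib", "wine", "fakedlls")
        a.mkdir(parents=True)
        b.mkdir(parents=True)
        (a / "joy.cpl").write_bytes(b"hello")
        (b / "joy.cpl").write_bytes(b"hello")
        (a / "other.dll").write_bytes(b"same")
        (b / "other.dll").write_bytes(b"different")
        manifest = {
            "lib/wine/fakedlls/joy.cpl":
                "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824",
            "lib/wine/fakedlls/absent.dll": "00" * 32,
        }
        return {
            "manifest": verify_manifest(Path(tmp, "build-a"), manifest),
            "trees": compare_trees(Path(tmp, "build-a"), Path(tmp, "build-b")),
            "joy_sha1": file_digest(a / "joy.cpl", "sha1"),
            "vt_url": virustotal_lookup_url(a / "joy.cpl"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

In practice you would run `verify_manifest` against the unpacked tarball with the project's published checksums, and `compare_trees` against the unpacked release and a local rebuild from the tagged source; any entry in "differ" or "only_in_*" is where to start looking, and "mismatch"/"missing" from the manifest means stop and ask the project before trusting the download at all.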
--- Comment #4 from Fred fred@clift.org ---
Other similar scans:
https://virusscan.jotti.org/en-US/filescanjob/dfo5o6latq
http://r.virscan.org/language/en/report/0a7d4eb7952d0dabcab819f77900c55d
https://metadefender.opswat.com/results#!/file/ZTE4MDkxOHJ5bVcwUXMwX1FTeVZXQ...