https://bugs.winehq.org/show_bug.cgi?id=44057
Bug ID: 44057
Summary: Gen:Adware.Heur.aq4@1meDUAh found in msctfp.dll
Product: Wine-staging
Version: 2.21
Hardware: Other
OS: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: jghodd@gmail.com
CC: erich.e.hoover@wine-staging.com, michael@fds-team.de, sebastian@fds-team.de
Distribution: ---
Bitdefender is reporting an adware infection in the 32-bit version of msctfp.dll:
Object '/home/jghodd/Downloads/wine-staging2/usr/lib/wine/fakedlls/msctfp.dll' is infected with 'Gen:Adware.Heur.aq4@1meDUAh'
Object '/home/jghodd/Downloads/wine-staging2/wine-staging-2.21-1-i686.pkg.tar.xz=>(xz stream)=>usr/lib/wine/fakedlls/msctfp.dll' is infected with 'Gen:Adware.Heur.aq4@1meDUAh'
I also checked v2.15, v2.19 and v2.20 and all 4 versions produce this error when scanned by bitdefender.
I built out 2.20 and 2.21 myself (2.19 was an Arch Linux build) and have checked the source code - I'm not seeing anything suspicious, so I suspect it's a false positive, but sourceforge.net uses Bitdefender to check all files on its site and my distro's repositories are located on SourceForge. This is a problem, because SourceForge is blacklisting this package.
I can probably convince sourceforge to whitelist the package, but this will continue to be an ongoing issue when newer versions are uploaded to the site.
--- Comment #1 from Sebastian Lackner sebastian@fds-team.de --- These are indeed false positives, and I also tried to contact Bitdefender about it in the past. I just submitted another false positive report at https://www.bitdefender.com/submit. Hopefully they will be able to fix their detection.
It might also be possible to "obfuscate" the Wine code to avoid the detection, but it will probably then cause trouble with the next antivirus program. Unfortunately such heuristics are terribly unreliable...
--- Comment #2 from jghodd jghodd@gmail.com --- Thanks for the info, Sebastian. I'll note your confirmation that this is a false positive when I open a support ticket with sourceforge to whitelist the file.
Zebediah Figura z.figura12@gmail.com changed:
What    | Removed | Added
--------|---------|----------------------
CC      |         | z.figura12@gmail.com
--- Comment #3 from Zebediah Figura z.figura12@gmail.com --- Out of curiosity, do we know what the reason for the false positive is?
--- Comment #4 from jghodd jghodd@gmail.com --- I'd suggest maybe one of the GUIDs, but I'm not getting the false positive on the 64-bit build, only the 32-bit. I'm guessing it would have to be a binary pattern, but what are the chances this exact pattern shows up randomly in at least 4 builds performed in at least 2 different environments. It has to be a *defined* pattern that only occurs in 32-bit builds. Perhaps it is a GUID, but the 32-bit representation happens to match the malware signature.
--- Comment #5 from jghodd jghodd@gmail.com --- Of course, data alignment is different between 32-bit and 64-bit compiler/linker output. One could match the malware signature while the other does not.
--- Comment #6 from jghodd jghodd@gmail.com --- Created attachment 59765 --> https://bugs.winehq.org/attachment.cgi?id=59765 msctfp.dll.fake
This is the only file in the build directory tree that pops positive for malware.
--- Comment #7 from jghodd jghodd@gmail.com --- The easiest place to start is probably with msctfp.dll.fake which is the only file in the build directory that pops positive:
Object '/home/jghodd/Downloads/wine-staging2/src/wine-staging-32-build/dlls/msctfp/msctfp.dll.fake' is infected with 'Gen:Adware.Heur.aq4@1meDUAh'
This file has a block of binary at the top of the file and the rest of the file is text. The text looks like this:
    NoRemove Interface
    {
        '{101D6610-0990-11D3-8DF0-00105A2799B5}' = s 'ITfFunctionProvider'
        {
            NumMethods = s 6
            ProxyStubClsid32 = s '{B5F8FB3B-393F-4F7C-84CB-504924C2705A}'
        }
        '{E4B24DB0-0990-11D3-8DF0-00105A2799B5}' = s 'IEnumTfFunctionProviders'
        {
            NumMethods = s 7
            ProxyStubClsid32 = s '{B5F8FB3B-393F-4F7C-84CB-504924C2705A}'
        }
        .......
None of the object files nor the msctfp.so.dll file pop positive. Just this one. I'll attach it.
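The file layout described in comment #7 (a binary block followed by a registry-script text block) is easy to triage mechanically before filing a false-positive report. The script below is an added example and is not part of the bug report or of Wine: it splits such a file into its binary prefix and text suffix, lists the interface GUIDs the text declares, and computes the SHA-256 a reporter would quote to the vendor. The sample bytes are constructed here; the "MZ" stub header in front of the text is an assumption about the fake DLL's layout, not something taken from the attached file.

```python
"""Triage helper for an antivirus false positive on a Wine fake DLL.

Added example, not part of the bug report or of Wine. It splits a file laid
out like msctfp.dll.fake (binary block, then registry-script text) into its
two parts, lists the GUIDs in the text, and hashes the whole file so the
reporter can cite it when submitting a false-positive report.
"""
import hashlib
import re
import string

# Constructed sample standing in for msctfp.dll.fake: a 32-byte binary prefix
# (an "MZ" stub header plus non-text bytes; the exact layout is an assumption)
# followed by the registry-script text quoted in the bug report.
SAMPLE_FILE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00"
    b"NoRemove Interface\n{\n"
    b"    '{101D6610-0990-11D3-8DF0-00105A2799B5}' = s 'ITfFunctionProvider'\n"
    b"    {\n        NumMethods = s 6\n"
    b"        ProxyStubClsid32 = s '{B5F8FB3B-393F-4F7C-84CB-504924C2705A}'\n"
    b"    }\n"
    b"    '{E4B24DB0-0990-11D3-8DF0-00105A2799B5}' = s 'IEnumTfFunctionProviders'\n"
    b"    {\n        NumMethods = s 7\n"
    b"        ProxyStubClsid32 = s '{B5F8FB3B-393F-4F7C-84CB-504924C2705A}'\n"
    b"    }\n}\n"
)

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PRINTABLE = set(string.printable.encode())


def split_binary_and_text(data: bytes, min_run: int = 16) -> tuple[bytes, bytes]:
    """Return (binary_prefix, text_suffix).

    The text suffix is the longest run of printable ASCII at the end of the
    file. A trailing run shorter than min_run is treated as part of the
    binary block rather than as a text section.
    """
    start = len(data)
    while start > 0 and data[start - 1] in PRINTABLE:
        start -= 1
    if len(data) - start < min_run:
        return data, b""
    return data[:start], data[start:]


def interface_guids(text: bytes) -> list[str]:
    """GUIDs in order of first appearance; repeated ProxyStub CLSIDs are listed once."""
    seen: list[str] = []
    for guid in GUID_RE.findall(text.decode("ascii")):
        if guid not in seen:
            seen.append(guid)
    return seen


def triage(data: bytes) -> dict:
    """Summarise a flagged file: hash, header check, section sizes, GUIDs."""
    binary, text = split_binary_and_text(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe_stub": binary.startswith(b"MZ"),  # PE files begin with "MZ"
        "binary_bytes": len(binary),
        "text_bytes": len(text),
        "guids": interface_guids(text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILE).items():
        print(f"{key}: {value}")
```

To run it against the real attachment, replace SAMPLE_FILE with the bytes read from msctfp.dll.fake. Comparing the GUID list and section sizes between the 32-bit and 64-bit builds is a quick way to check the hypothesis in comments #4 and #5 that only the binary block differs between the two.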
--- Comment #8 from jghodd jghodd@gmail.com --- Does anyone know how to get the signature for Gen:Adware.Heur.aq4@1meDUAh?