Topic review

martin

Re: Domains?

evanit wrote:

Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).

Is the installer actually reaching out to those?

No idea where they took that from. Neither WinSCP nor its installer refers to any of those. Maybe they mean that the winscp.net site links those. It does for sure link Facebook. Sites like Walmart can possibly be linked in advertisements.
evanit

Domains?

Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).

Is the installer actually reaching out to those?
Sam94105

VirusTotal BKAV reported the latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi malware!

Are these false positives or is there actually malware in your software?
martin

Re: VirusTotal detection

OK, we will consider that.
sparx

Re: VirusTotal detection

Yes you are quite right, and I apologize for making too much of this.
The malicious indicators are much less relevant in the context of an installer, and the specific details mostly are clear enough to show nothing odd is going on within that context. Remote

I was just plain mistaken about multiple AV hits. The extra hits are for the history of the teamforge.net server, which of course has hosted other code by many people.

The sum of many installation techniques that are individually no problem, combined with the server hit, is what appears to have caused the 100% confidence level of the automated analysis.

Shallow automated analysis is still an important first line of defense for those of us who need to manage thousands of packages. It would be helpful to have a FAQ explaining behavioral hits that are likely from third-party scanners. I’d be willing to contribute to that, with better vetting of my own statements before bugging you.
martin

Re: VirusTotal detection

sparx wrote:

I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.

https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86

Thanks for your post.
What "real-world red flags" are you referring to?
Out of that report, only "Writes data to a remote process" is something I do not have an explanation for. And only because that flag is too vague to me.
The rest is just a common behavior of an installer.
martin

Re: VirusTotal detection

AlinaBP wrote:

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?

Sorry, but we cannot answer why one particular antivirus software decided to mark WinSCP as a virus. But you can see for yourself that it is just 1 AV out of 67. It happens from time to time, as you can see above and at:
https://winscp.net/tracker/530
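The two posts above make the same practical point from opposite sides: sparx notes that an automated scorer that sums many individually harmless installer techniques, plus one engine hit, can reach "100% confidence", while martin notes that a 1-of-67 detection is a weak signal and that only one reported behaviour ("Writes data to a remote process") is not explained by ordinary installer activity. The script below is an added example written for this page, not code from the thread or from the WinSCP project. It contrasts a naive "count everything" score with a context-aware triage that first strips behaviours a Windows installer is expected to exhibit, weighs what remains, and treats engine consensus rather than a single hit as the strong signal. It also checks that the file on disk has the SHA-256 a sandbox report is keyed by, since the hybrid-analysis link above identifies the sample only by hash. The baseline and weight tables, the engine names, the behaviour strings and the byte string standing in for the installer are all constructed for illustration; the detection label and the 1/67 ratio are the figures quoted in the thread.

```python
"""Triage a single-engine AV hit on an installer (constructed example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Behaviours a sandbox commonly reports for an ordinary Windows installer
# (file drops, registry keys, temporary .tmp executables such as the is-XXXX.tmp
# files an Inno Setup installer unpacks). Constructed baseline, not a vendor list.
INSTALLER_BASELINE = {
    "Drops executable files",
    "Writes files into Program Files",
    "Creates an Uninstall registry key",
    "Creates a temporary .tmp executable",
    "Spawns a child process",
    "Deletes its temporary files on exit",
}

# Behaviours an installer context does not explain, with a weight. Constructed.
NOT_EXPLAINED_BY_INSTALLER = {
    "Writes data to a remote process": 3,   # cross-process write, needs a look
    "Contacts a hard-coded IP address": 2,
    "Disables security software": 4,
}


@dataclass
class Triage:
    detections: int      # engines that flagged the file
    engines: int         # engines that scanned it
    naive_score: int     # every engine hit and every behaviour counted once
    unexplained: list    # behaviours left after removing the installer baseline
    score: int           # context-aware score
    verdict: str


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Confirm the file on disk is the sample a report is keyed by."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


def triage(vendor_hits: dict, behaviours: list, consensus: int = 3) -> Triage:
    """vendor_hits maps engine name -> detection label (or None if clean).
    behaviours is the list of sandbox signature names for one run."""
    flagged = [e for e, label in vendor_hits.items() if label]
    # What a "count everything" scorer does: each behaviour and each engine
    # hit adds one, so a busy installer plus one engine looks bad.
    naive = len(behaviours) + len(flagged)

    unexplained = [b for b in behaviours if b not in INSTALLER_BASELINE]
    score = sum(NOT_EXPLAINED_BY_INSTALLER.get(b, 1) for b in unexplained)
    if len(flagged) >= consensus:
        score += 5  # several independent engines agree: weigh that heavily

    if len(flagged) >= consensus or score >= 6:
        verdict = "likely malicious"
    elif unexplained:
        verdict = "needs analyst review"
    else:
        verdict = "consistent with a benign installer"
    return Triage(len(flagged), len(vendor_hits), naive, unexplained, score, verdict)


# Constructed sample data modelled on the thread: 1 engine out of 67 flags the
# file, and the sandbox reports installer behaviour plus one vague indicator.
VENDOR_HITS = {f"engine{i:02d}": None for i in range(67)}
VENDOR_HITS["engine13"] = "W32.HfsIemusi"   # label quoted in the thread

SANDBOX_BEHAVIOURS = [
    "Drops executable files",
    "Writes files into Program Files",
    "Creates an Uninstall registry key",
    "Creates a temporary .tmp executable",
    "Spawns a child process",
    "Writes data to a remote process",
]

# Stand-in bytes, not a real installer; the expected hash is derived from them.
SAMPLE_INSTALLER = b"constructed stand-in for an installer, not a real binary"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_INSTALLER).hexdigest()

if __name__ == "__main__":
    assert sha256_matches(SAMPLE_INSTALLER, SAMPLE_SHA256)
    t = triage(VENDOR_HITS, SANDBOX_BEHAVIOURS)
    print(f"{t.detections}/{t.engines} engines, naive score {t.naive_score}, "
          f"context score {t.score}: {t.verdict}")
    print("unexplained:", t.unexplained)
```

With the constructed input the naive score is 7 (six behaviours plus one engine), while the context-aware pass leaves a single unexplained behaviour and returns "needs analyst review" rather than a malicious verdict. Raising the engine count to the consensus threshold flips the verdict regardless of behaviours; an installer showing only baseline behaviours and one engine hit scores 0. The thresholds are illustrative and should be tuned to the engines and sandbox in use.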
sparx

Re: VirusTotal detection

AlinaBP wrote:

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?


I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.

https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
AlinaBP

VirusTotal detection

VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
tpmoore56

WinSCP v5.13.3 Setup Contained a Virus

I'm running WinSCP v5.13.2 and when I launched it today I received a pop-up asking if I wanted to update to v5.13.3 so I clicked yes to upgrade. I downloaded the exe and my McAfee Anti-virus popped the message "WinSCP-5.13.3-Setup.exe contained a virus and was deleted." (see attachment) Please advise.