tpmoore56 (Posts: 1, Location: Arizona)
WinSCP v5.13.3 Setup Contained a Virus
I'm running WinSCP v5.13.2 and when I launched it today I received a pop-up asking if I wanted to update to v5.13.3 so I clicked yes to upgrade. I downloaded the exe and my McAfee Anti-virus popped the message "WinSCP-5.13.3-Setup.exe contained a virus and was deleted." (see attachment) Please advise.
martin◆ Site Admin (Posts: 41,441, Location: Prague, Czechia)
Re: WinSCP v5.13.3 Setup Contained a Virus
Thanks for your report.
It might have been a temporary false positive on McAfee side.
Now McAfee seems to correctly identify
WinSCP-5.13.3-Setup.exe
as Clean:
https://www.virustotal.com/gui/file/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
I've recorded your report: https://winscp.net/tracker/530
AlinaBP (Guest)
VirusTotal detection
VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
sparx (Posts: 2, Location: United States)
Re: VirusTotal detection
VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.
https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
martin◆ Site Admin (Posts: 41,441, Location: Prague, Czechia)
Re: VirusTotal detection
VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
Sorry, but we cannot answer why one particular antivirus software decided to mark WinSCP as a virus. But you can see for yourself that it is just 1 AV out of 67. It happens from time to time, as you can see above and at:
https://winscp.net/tracker/530
martin◆ Site Admin (Posts: 41,441, Location: Prague, Czechia)
Re: VirusTotal detection
I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.
https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
Thanks for your post.
What "real-world red flags" are you referring to?
Out of that report, only "Writes data to a remote process" is something I do not have an explanation for, and only because that flag is too vague to me.
The rest is just a common behavior of an installer.
sparx (Posts: 2, Location: United States)
Re: VirusTotal detection
Yes you are quite right, and I apologize for making too much of this.
The malicious indicators are much less relevant in the context of an installer, and the specific details mostly are clear enough to show nothing odd is going on within that context. Remote
I was just plain mistaken about multiple AV hits. The extra hits are for the history of the teamforge.net server, which of course has hosted other code by many people.
The sum of many installation techniques that are individually no problem, combined with the server hit, is what appears to have caused the 100% confidence level of the automated analysis.
Shallow automated analysis is still an important first line of defense for those of us who need to manage thousands of packages. It would be helpful to have a FAQ explaining behavioral hits that are likely from third-party scanners. I’d be willing to contribute to that, with better vetting of my own statements before bugging you.
martin◆ Site Admin
Re: VirusTotal detection
OK, we will consider that.
Sam94105 (Guest)
VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi malware!
Are these false positives or are there actually malware in your software?
martin◆ Site Admin (Posts: 41,441, Location: Prague, Czechia)
Re: VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi malware!
Are these false positives or are there actually malware in your software?
It's only one (and minor one) AV out of 67 that claims a problem:
https://www.virustotal.com/gui/file/e0f90a21dbdf8a01b7e954ac93c4ef8e0d43c5b1adc36b386b422e3f38d8d14a
That's not even worth consideration, imo.
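As an added example (not code from the forum or from the WinSCP project), the check a defender would run before trusting a "1 out of 67" verdict: confirm that the installer actually downloaded is byte-identical to the sample the thread links on VirusTotal (the two SHA-256 values are the hashes from the thread's links), and then apply a simple triage rule to the detection ratio. The 5% threshold and the function names are assumptions of this example.

```python
"""Verify a downloaded WinSCP installer against the VirusTotal samples cited in the thread."""
import hashlib
import sys

# SHA-256 values taken from the VirusTotal links quoted in this thread.
KNOWN_SHA256 = {
    "WinSCP-5.13.3-Setup.exe": "58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86",
    "WinSCP-5.13.4-Setup.exe": "e0f90a21dbdf8a01b7e954ac93c4ef8e0d43c5b1adc36b386b422e3f38d8d14a",
}


def sha256_hex(data_or_path, chunk_size=1 << 20):
    """Hex SHA-256 of either an in-memory bytes object or a file path (streamed in chunks)."""
    digest = hashlib.sha256()
    if isinstance(data_or_path, (bytes, bytearray)):
        digest.update(data_or_path)
    else:
        with open(data_or_path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


def matches_known_sample(name, data_or_path):
    """True only if the local file is the exact sample that was reviewed on VirusTotal.

    A file with the right name but a different hash is NOT the reviewed sample, so the
    "1 of 67" verdict for that sample says nothing about it.
    """
    expected = KNOWN_SHA256.get(name)
    return expected is not None and sha256_hex(data_or_path) == expected


def triage_detections(flagged, total, threshold=0.05):
    """Classify a VirusTotal-style engine ratio (assumed threshold: below 5% is noise)."""
    if total <= 0 or flagged < 0 or flagged > total:
        raise ValueError("bad detection counts")
    if flagged == 0:
        return "clean"
    if flagged / total < threshold:
        return "likely false positive"
    return "investigate"


if __name__ == "__main__":
    # Usage: python verify_installer.py WinSCP-5.13.4-Setup.exe
    for path in sys.argv[1:]:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        print(path, "matches reviewed sample" if matches_known_sample(name, path) else "HASH MISMATCH")
    print("1/67 engines ->", triage_detections(1, 67))
```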
evanit (Posts: 1)
Domains?
Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).
Is the installer actually reaching out to those?
martin◆ Site Admin (Posts: 41,441, Location: Prague, Czechia)
Re: Domains?
Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).
Is the installer actually reaching out to those?
No idea where they took that from. Neither WinSCP nor its installer refers to any of those. Maybe they mean that the winscp.net site links those. It does for sure link Facebook. Sites like Walmart can possibly be linked in advertisement.