- tpmoore56
- Joined:
- Posts:
- 1
- Location:
- Arizona
WinSCP v5.13.3 Setup Contained a Virus
Advertisement
I'm running WinSCP v5.13.2 and when I launched it today I received a pop-up asking if I wanted to update to v5.13.3 so I clicked yes to upgrade. I downloaded the exe and my McAfee Anti-virus popped the message "WinSCP-5.13.3-Setup.exe contained a virus and was deleted." (see attachment) Please advise.
Advertisement
-
martin◆
Site Admin - Joined:
- Posts:
- 41,262
- Location:
- Prague, Czechia
Re: WinSCP v5.13.3 Setup Contained a Virus
Thanks for your report.
It might have been a temporary false positive on McAfee side.
Now McAfee seems to correctly identify
https://www.virustotal.com/gui/file/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
I've recorded your report: https://winscp.net/tracker/530
It might have been a temporary false positive on McAfee side.
Now McAfee seems to correctly identify
WinSCP-5.13.3-Setup.exe
as Clean:
https://www.virustotal.com/gui/file/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
I've recorded your report: https://winscp.net/tracker/530
-
AlinaBP
Guest
VirusTotal detection
VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
- sparx
- Joined:
- Posts:
- 2
- Location:
- United States
Re: VirusTotal detection
VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.
https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
-
martin◆
Site Admin - Joined:
- Posts:
- 41,262
- Location:
- Prague, Czechia
Re: VirusTotal detection
sorry, but we cannot answer why one particular antivirus software decided to mark WinSCP as a virus. But you can see yourself, that it just 1 AV out of 67. It happens from time to time, as you can see above and at:VirusTotal shows one detection as W32.HfsIemusi. What is it? Hybrid analysis mentions "is-I5CV6.tmp" file as malicious. Why is this?
https://winscp.net/tracker/530
Advertisement
-
martin◆
Site Admin - Joined:
- Posts:
- 41,262
- Location:
- Prague, Czechia
Re: VirusTotal detection
Thanks for your post.I see variable malicious indicators from 32-bit and 64-bit hybrid-analysis runs, including indicators for Occamy and Sality Trojans. The primary malicious hits are for what looks like partial executables from multiple sources, which are getting reassembled. The analysis is full of real-world red flags for suspect behavior as well. It looks like some sort of delivery optimization may be pulling in malicious components. The executable itself appears almost clean except that one detection, but once the installer runs, things go off the rails with AV hits from multiple vendors.
https://www.hybrid-analysis.com/sample/58eeeb8454b8a7d194e3b58a1d6f2fb501906b8f1c3f2716a4a6d15e16164b86
What "real-world red flags" are you referring to?
Out of that report, only "Writes data to a remote process" is something, I do not have an explanation for. And only because that flag is too vague to me.
The rest is just a common behavior of an installer.
- sparx
- Joined:
- Posts:
- 2
- Location:
- United States
Re: VirusTotal detection
Yes you are quite right, and I apologize for making too much of this.
The malicious indicators are much less relevant in the context of an installer, and the specifics details mostly are clear enough to show nothing odd is going on within that context. Remote
I was just plain mistaken about multiple AV hits. The extra hits are for the history of the teamforge.net server, which of course has hosted other code by many people.
The sum of many installation techniques that are individually no problem, combined with the server hit, is what appears to have caused the 100% confidence level of the automated analysis.
Shallow automated analysis is still an important first line of defense for those of us who need to manage thousands of packages. It would be helpful to have a FAQ explaining behavioral hits that are likely from third-party scanners. I’d be willing to contribute to that, with better vetting of my own statements before bugging you.
The malicious indicators are much less relevant in the context of an installer, and the specifics details mostly are clear enough to show nothing odd is going on within that context. Remote
I was just plain mistaken about multiple AV hits. The extra hits are for the history of the teamforge.net server, which of course has hosted other code by many people.
The sum of many installation techniques that are individually no problem, combined with the server hit, is what appears to have caused the 100% confidence level of the automated analysis.
Shallow automated analysis is still an important first line of defense for those of us who need to manage thousands of packages. It would be helpful to have a FAQ explaining behavioral hits that are likely from third-party scanners. I’d be willing to contribute to that, with better vetting of my own statements before bugging you.
-
martin◆
Site Admin
Re: VirusTotal detection
OK, we will consider that.
-
Sam94105
Guest
VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi maleware!
Are these false positives or are there actually malware in your software?
Advertisement
-
martin◆
Site Admin - Joined:
- Posts:
- 41,262
- Location:
- Prague, Czechia
Re: VirusTotal BKAV reported latest version WinSCP-5.13.4-Setup.exe to have W32.HfsIemusi maleware!
It's only one (and minor one) AV out of 67 that claims a problem:Are these false positives or are there actually malware in your software?
https://www.virustotal.com/gui/file/e0f90a21dbdf8a01b7e954ac93c4ef8e0d43c5b1adc36b386b422e3f38d8d14a
That's not even worthy consideration, imo.
- evanit
- Joined:
- Posts:
- 1
Domains?
Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).
Is the installer actually reaching out to those?
Is the installer actually reaching out to those?
-
martin◆
Site Admin - Joined:
- Posts:
- 41,262
- Location:
- Prague, Czechia
Re: Domains?
No idea where they took that from. WinSCP nor its installer do not refer any of those. Maybe they mean that winscp.net site links those. It does for sure link Facebook. Sites like Walmart can possibly be linked in advertisement.Just curious...the Joe Sandbox Analysis test lists a bunch of domains (Facebook, Walmart, Doubleclick.net, etc.).
Is the installer actually reaching out to those?
Advertisement
You can post new topics in this forum