You are not logged in.

#1 2020-08-02 17:55:53

rub3n
Member
Registered: 2020-08-02
Posts: 4

[SOLVED] wine detected as malware by several AVs

After upgrading wine, Sophos detects the files

/usr/lib32/wine/msidb.exe
/usr/lib32/wine/netstat.exe
/usr/lib32/wine/whoami.exe

as "Mal/FakeAV-CS" (some code for scareware I guess?)

Does anyone or know what is going on?

root@pc:/usr/lib32/wine#  savscan .
SAVScan virus detection utility
Version 5.74.0 [Linux/AMD64]
Virus data version 5.76, June 2020
Includes detection for 51918200 viruses, Trojans and worms
Copyright (c) 1989-2020 Sophos Limited. All rights reserved.

System time 20:22:55, System date 02 August 2020

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file steal-yj.ide
...

Quick Scanning

>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/msidb.exe
>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/whoami.exe
>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/netstat.exe
root@pc:/usr/lib32/wine#  pacman -F msidb.exe
multilib-testing/wine 5.14-2 [installed]
    usr/lib/wine/msidb.exe
    usr/lib32/wine/msidb.exe
multilib-testing/wine-staging 5.14-2
    usr/lib/wine/msidb.exe
    usr/lib32/wine/msidb.exe
multilib/wine 5.14-1 [installed: 5.14-2]
    usr/lib/wine/fakedlls/msidb.exe
    usr/lib32/wine/fakedlls/msidb.exe
multilib/wine-staging 5.14-1
    usr/lib/wine/fakedlls/msidb.exe
    usr/lib32/wine/fakedlls/msidb.exe

Last edited by rub3n (2020-08-03 20:54:05)

Offline

#2 2020-08-02 23:49:05

mpan
Member
Registered: 2012-08-01
Posts: 851
Website

Re: [SOLVED] wine detected as malware by several AVs

EDIT: since a wrong file has been checked by me, the following content is irrelevant.

Is the SHA-256 checksum of “/usr/lib/wine/msidb.exe” equal to 97492b55010237cb1b982fee94191b086d0d13abba6ff77b2b28e63659d6acaf? If yes, it seems like a false positive. VirusTotal msidb.exe score is 1/72. Latest ClamAV is not classifying it as a threat either.

Last edited by mpan (2020-08-03 15:11:18)


Sometimes I seem a bit harsh — don’t get offended too easily! PGP: 7C848198AE93D3BB

Offline

#3 2020-08-03 11:20:10

rub3n
Member
Registered: 2020-08-02
Posts: 4

Re: [SOLVED] wine detected as malware by several AVs

The checksum checks out. Howerver the file Sophos complains about is /usr/lib32/wine/msidb.exe

root@pc:~# sha256sum /usr/lib32/wine/msidb.exe /usr/lib/wine/msidb.exe
baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b  /usr/lib32/wine/msidb.exe
97492b55010237cb1b982fee94191b086d0d13abba6ff77b2b28e63659d6acaf  /usr/lib/wine/msidb.exe

The lib32 - file has a VirusTotal score of 14/72

Offline

#4 2020-08-03 15:25:44

mpan
Member
Registered: 2012-08-01
Posts: 851
Website

Re: [SOLVED] wine detected as malware by several AVs

Open a bug report for that, giving the hash and the info about VirusTotal results. Just give it a better title than the one of this thread.

80% this is a false positive, but nonetheless it should be addressed if possible.

Last edited by mpan (2020-08-03 15:58:51)


Sometimes I seem a bit harsh — don’t get offended too easily! PGP: 7C848198AE93D3BB

Offline

#5 2020-08-03 16:28:46

rub3n
Member
Registered: 2020-08-02
Posts: 4

Re: [SOLVED] wine detected as malware by several AVs

Ok, i filed a bug report for this. Is "wine detected as malware by several VirusTotal scanners" a reasonable title?

Offline

#6 2020-08-03 19:20:03

loqs
Member
Registered: 2014-03-06
Posts: 14,913

Re: [SOLVED] wine detected as malware by several AVs

Offline

Board footer

Powered by FluxBB