After upgrading wine, Sophos detects the files
/usr/lib32/wine/msidb.exe
/usr/lib32/wine/netstat.exe
/usr/lib32/wine/whoami.exe
as "Mal/FakeAV-CS" (some code for scareware I guess?)
Does anyone know what is going on?
root@pc:/usr/lib32/wine# savscan .
SAVScan virus detection utility
Version 5.74.0 [Linux/AMD64]
Virus data version 5.76, June 2020
Includes detection for 51918200 viruses, Trojans and worms
Copyright (c) 1989-2020 Sophos Limited. All rights reserved.
System time 20:22:55, System date 02 August 2020
IDE directory is: /opt/sophos-av/lib/sav
Using IDE file steal-yj.ide
...
Quick Scanning
>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/msidb.exe
>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/whoami.exe
>>> Virus 'Mal/FakeAV-CS' found in file /usr/lib32/wine/netstat.exe
root@pc:/usr/lib32/wine# pacman -F msidb.exe
multilib-testing/wine 5.14-2 [installed]
usr/lib/wine/msidb.exe
usr/lib32/wine/msidb.exe
multilib-testing/wine-staging 5.14-2
usr/lib/wine/msidb.exe
usr/lib32/wine/msidb.exe
multilib/wine 5.14-1 [installed: 5.14-2]
usr/lib/wine/fakedlls/msidb.exe
usr/lib32/wine/fakedlls/msidb.exe
multilib/wine-staging 5.14-1
usr/lib/wine/fakedlls/msidb.exe
usr/lib32/wine/fakedlls/msidb.exe
Last edited by rub3n (2020-08-03 20:54:05)
EDIT: since a wrong file has been checked by me, the following content is irrelevant.
Is the SHA-256 checksum of “/usr/lib/wine/msidb.exe” equal to 97492b55010237cb1b982fee94191b086d0d13abba6ff77b2b28e63659d6acaf? If yes, it seems like a false positive. VirusTotal msidb.exe score is 1/72. Latest ClamAV is not classifying it as a threat either.
Last edited by mpan (2020-08-03 15:11:18)
Sometimes I seem a bit harsh — don’t get offended too easily!
The checksum checks out. However, the file Sophos complains about is /usr/lib32/wine/msidb.exe
root@pc:~# sha256sum /usr/lib32/wine/msidb.exe /usr/lib/wine/msidb.exe
baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b /usr/lib32/wine/msidb.exe
97492b55010237cb1b982fee94191b086d0d13abba6ff77b2b28e63659d6acaf /usr/lib/wine/msidb.exe
The lib32 - file has a VirusTotal score of 14/72
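As an added example (not code posted in this thread), here is a small POSIX shell script that does the triage above in one step instead of by hand: it recomputes a file's SHA-256 and compares it with a recorded value, and on Arch it asks pacman to verify the file against the metadata of the package that owns it. The function names and layout are mine; `pacman -Qoq` and `pacman -Qkk` are real pacman options, and the paths and hash in the usage comment are simply the values from the posts above. Note that the comparison only makes sense against a hash of the same build: /usr/lib32/wine/ holds the 32-bit multilib binaries, so a different hash from /usr/lib/wine/ is expected and is not by itself a sign of tampering.

```shell
#!/bin/sh
# Added example, not from the thread: triage an AV hit on a distro-packaged
# file. Step 1 compares the file's SHA-256 with a value recorded elsewhere
# (VirusTotal, a bug report, another host). Step 2, on Arch, asks pacman to
# check the file against what the installed package shipped.

# hash_file FILE -> prints the lowercase hex SHA-256 of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'   # BSD/macOS fallback
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE hashes to EXPECTED_HEX, else 1.
# Only compare a file with a hash of the same build: the 32-bit binaries in
# /usr/lib32/wine/ are not expected to match the 64-bit ones in /usr/lib/wine/.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case input
    actual=$(hash_file "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        printf 'OK    %s  %s\n' "$actual" "$file"
        return 0
    fi
    printf 'FAIL  %s  %s (expected %s)\n' "$actual" "$file" "$expected" >&2
    return 1
}

# package_check FILE -> on Arch, find the package owning FILE and run pacman's
# thorough check (-Qkk), which compares installed files with the metadata the
# package shipped, including recorded file hashes. Returns pacman's exit
# status, or 2 when pacman is not available on this host.
package_check() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; skipping package verification" >&2
        return 2
    fi
    pkg=$(pacman -Qoq "$1") || return 1   # name of the owning package
    pacman -Qkk "$pkg"
}

# Usage: ./triage.sh FILE EXPECTED_SHA256
# e.g.   ./triage.sh /usr/lib32/wine/msidb.exe \
#            baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b
if [ "$#" -ge 2 ]; then
    verify_sha256 "$1" "$2"
    package_check "$1"
fi
```

If `verify_sha256` matches the hash already submitted to VirusTotal and `pacman -Qkk` reports no altered files, the binary on disk is the one the repository shipped and the detection is a question for the AV vendor, which is what the false-positive submissions below are for.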
Open a bug report for that, giving the hash and the info about VirusTotal results. Just give it a better title than the one of this thread.
80% this is a false positive, but nonetheless it should be addressed if possible.
Last edited by mpan (2020-08-03 15:58:51)
Ok, I filed a bug report for this. Is "wine detected as malware by several VirusTotal scanners" a reasonable title?
Please submit the files as false positives submit-a-sample.
Edit:
Potential links for other products also detecting it.
https://www.adaware.com/report-false-positives
https://www.secureaplus.com/features/an … -positive/
https://www.bitdefender.com/submit/
https://help.emsisoft.com/en/1720/why-d … s-malware/
FireEye could not find a link
https://www.maxsecureantivirus.com/subm … sitive.htm
http://mailcenter.rising.com.cn/filecheck_en/
C2AE could not find a link
https://en.estsecurity.com/support/report requires using custom W32 tool
Arcabit could not find a link
Cylance could not find a link
https://www.escanav.com/en/support/subm … itives.asp
https://su.gdatasoftware.com/en/sample-submission
https://www.microsoft.com/en-us/wdsi/filesubmission
Last edited by loqs (2020-08-03 19:50:46)