Alexpux / MSYS2-pacman

MSYS2 port of the Arch Linux pacman package manager.
GNU General Public License v2.0

Symantec Endpoint Protection detects MSYS2 5.0.1-2 pacman as threat/risk #40

Closed nanoant closed 7 years ago

nanoant commented 7 years ago

Hello Alexey, I don't know what the reason is, but today I updated my MSYS2 installation with pacman -Syu and it upgraded pacman; immediately it was detected as a potential threat by Symantec Endpoint Protection. Can you please confirm that (1) the file is safe and (2) contact Symantec via http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2016-111608-2646-99 if the file is safe, or provide some workaround / recompile the package.

Alexpux commented 7 years ago

This is false positive detection.

nanoant commented 7 years ago

@Alexpux it may be, but this effectively blocks using the latest version of msys2 in my company.

So far I had to install the previous (unaffected) 5.0.1-1. I bet you should really contact Symantec to see why they're detecting this new version, especially since the source code is widely available.


Alexpux commented 7 years ago

Sorry, but I don't want to contact any antivirus company. I don't have the time or the wish for it. Exclude the MSYS2 directory from antivirus scans if you want, or try to contact them yourself.

nanoant commented 7 years ago

Okay, then let's hope I will be the only one affected, and you don't get any other reports from users using both MSYS2 and Symantec Endpoint Protection.

Alexpux commented 7 years ago

My Kaspersky antivirus doesn't alert on it. Just checked.

Alexpux commented 7 years ago

For the future, I will not solve such problems for any user. There are a lot of false positive results on many files with different antiviruses. If you think that will clear everything up, then rebuild the package yourself and check it with your antivirus again.

nanoant commented 7 years ago

@Alexpux First of all, I didn't claim there's a virus in your package or there is anything wrong with it. I really respect your work.

I just said that Symantec "Proactive" Threat Protection is detecting it as a threat for some reason, and I wanted to let you know. I can only suspect this is due to the lots of network communication done by pacman during an update. Yet the previous version was not detected/affected, and it is this "Proactive" protection, not the Virus Protection (signature based), that is blaming pacman.

Maybe if MSYS2 files were signed or something, then Symantec might bug off. Anyway, I can try to contact them asking why they're making these false positives.

mingwandroid commented 7 years ago

MSYS2 packages are signed, but not in a way that virus scanners care about.

If removing this false positive matters to you then by all means go ahead and report it. The problem is, the heuristics these things use are braindead, and the whitelist methods to work around the heuristics (usually SHA-1 checksums) make them altogether inappropriate for rolling open source software distributions.

I agree with the article linked to here and many of the comments on it: https://news.ycombinator.com/item?id=13489100
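The two points above, that MSYS2 packages are signed in a way AV products ignore, and that hash-based whitelists are tied to one exact build, can be shown with the check a practitioner would run before adding an AV exclusion: compare the downloaded package against its entry in the signed pacman sync database instead of excluding the whole MSYS2 directory. The following is an added example, not code from MSYS2 or pacman. The `desc` record layout (`%SECTION%` header, value lines, blank line; `%SHA256SUM%` and base64 `%PGPSIG%` fields) is the real pacman sync-db format, but the package bytes, the database record and the signature value are constructed stand-ins; the `%PGPSIG%` here is only shown to be present and decodable, since real verification of it is done by pacman through gpg against the `pacman-key` keyring.

```python
"""Check a downloaded pacman package against its sync-db 'desc' record.

Added example, not part of MSYS2 or pacman. Shows (1) how the repo database
binds a package to a SHA-256 and a PGP signature and (2) why an AV hash
whitelist entry is good for exactly one build and nothing else.
"""
import base64
import hashlib

# Constructed stand-in for the file pacman downloaded into its cache. Real
# packages are xz-compressed tarballs; the check below only hashes bytes.
PACKAGE_BYTES = b"constructed stand-in for pacman-5.0.1-2-x86_64.pkg.tar.xz\n"

# Constructed stand-in for the same package rebuilt locally with makepkg:
# one byte of difference is enough to change every hash.
REBUILT_BYTES = PACKAGE_BYTES + b"rebuilt locally\n"

# Constructed 'desc' record in the layout pacman sync databases (e.g. msys.db)
# use. %SHA256SUM% is derived from PACKAGE_BYTES so the sample is
# self-consistent; %PGPSIG% is a placeholder, not a real OpenPGP signature.
SAMPLE_DESC = (
    "%FILENAME%\npacman-5.0.1-2-x86_64.pkg.tar.xz\n\n"
    "%NAME%\npacman\n\n"
    "%VERSION%\n5.0.1-2\n\n"
    "%SHA256SUM%\n" + hashlib.sha256(PACKAGE_BYTES).hexdigest() + "\n\n"
    "%PGPSIG%\n" + base64.b64encode(b"\x89placeholder-signature").decode() + "\n\n"
)


def parse_desc(text):
    """Parse one sync-db 'desc' record into {section: [values]}."""
    fields, section = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith("%") and line.endswith("%"):
            section = line[1:-1]
            fields[section] = []
        elif line and section is not None:
            fields[section].append(line)
    return fields


def check_package(desc_text, data):
    """Compare package bytes with the db record; report the hashes an AV
    whitelist form would ask for and whether a PGP signature is recorded."""
    desc = parse_desc(desc_text)
    expected = desc["SHA256SUM"][0].lower()
    actual = hashlib.sha256(data).hexdigest()
    sig = base64.b64decode(desc["PGPSIG"][0]) if desc.get("PGPSIG") else b""
    return {
        "filename": desc["FILENAME"][0],
        "version": desc["VERSION"][0],
        "matches_db": actual == expected,
        "sha256": actual,
        # SHA-1 is what AV vendor whitelisting typically keys on; it names
        # this exact build only, so every rebuild or release needs a new entry.
        "sha1": hashlib.sha1(data).hexdigest(),
        # Presence only; pacman verifies the signature itself via gpg.
        "has_pgpsig": len(sig) > 0,
    }


if __name__ == "__main__":
    official = check_package(SAMPLE_DESC, PACKAGE_BYTES)
    rebuilt = check_package(SAMPLE_DESC, REBUILT_BYTES)
    print("official build matches db:", official["matches_db"], official["sha1"])
    print("local rebuild matches db: ", rebuilt["matches_db"], rebuilt["sha1"])
```

Run against a real cache entry, the SHA-256 match plus pacman's own signature check is the evidence that the flagged binary is the one the project published; the SHA-1 it prints is what you would hand to the AV vendor, and the rebuilt case shows why that entry stops matching the moment the package is rebuilt or updated.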

nanoant commented 7 years ago

@Alexpux I tried to recompile it today with MSYS2-packages/pacman and makepkg -s, but I hit some fancy errors and cannot really proceed:

In file included from diskspace.c:46:0:
diskspace.h:56:14: error: expected specifier-qualifier-list before ‘fsp’
  FSSTATSTYPE fsp;
              ^
diskspace.c: In function ‘calculate_removed_size’:
diskspace.c:273:33: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
   remove_size = (st.st_size + mp->fsp.f_bsize - 1) / mp->fsp.f_bsize;
                                 ^
diskspace.c:273:56: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
   remove_size = (st.st_size + mp->fsp.f_bsize - 1) / mp->fsp.f_bsize;
                                                        ^
diskspace.c: In function ‘calculate_installed_size’:
diskspace.c:332:34: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
   install_size = (file->size + mp->fsp.f_bsize - 1) / mp->fsp.f_bsize;
                                  ^
diskspace.c:332:57: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
   install_size = (file->size + mp->fsp.f_bsize - 1) / mp->fsp.f_bsize;
                                                         ^
diskspace.c: In function ‘check_mountpoint’:
diskspace.c:343:25: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
  fsblkcnt_t fivepc = (mp->fsp.f_blocks / 20) + 1;
                         ^
diskspace.c:344:46: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
  fsblkcnt_t twentymb = (20 * 1024 * 1024 / mp->fsp.f_bsize) + 1;
                                              ^
diskspace.c:351:37: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
    (uintmax_t)cushion, (uintmax_t)mp->fsp.f_bfree);
                                     ^
diskspace.c:352:43: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
  if(needed >= 0 && (fsblkcnt_t)needed > mp->fsp.f_bfree) {
                                           ^
diskspace.c:355:51: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
     mp->mount_dir, (intmax_t)needed, (uintmax_t)mp->fsp.f_bfree);
                                                   ^
diskspace.c: In function ‘_alpm_check_downloadspace’:
diskspace.c:403:65: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
   cachedir_mp->max_blocks_needed += (file_sizes[j] + cachedir_mp->fsp.f_bsize + 1) /
                                                                 ^
diskspace.c:404:15: error: ‘alpm_mountpoint_t {aka struct __alpm_mountpoint_t}’ has no member named ‘fsp’
    cachedir_mp->fsp.f_bsize;

Can you give me a hint where I can find some instructions on how to properly set up an environment for reconfiguring msys2 packages?

nanoant commented 7 years ago

Just managed to recompile everything and reproduce this. So FYI, it is clearly Symantec's fault, blaming pacman for misbehavior that is actually intended by the user (me).

thepartisan commented 7 years ago

FYI, a whitelisting application has been filed with Symantec.

niklasholm commented 6 years ago

Symantec's SONAR basically mistrusts any binary that is new and uncommon. It's a PITA.

https://support.symantec.com/en_US/article.TECH173432.html

mingwandroid commented 6 years ago

Most anti-virus can be more accurately described as anti-software or anti-computing IMHO!