VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

The file /tests/data/pe_mingw is detected as malware by Windows Defender and several other vendors #1655

Open germanlancioni opened 2 years ago

germanlancioni commented 2 years ago

I'm wondering if this is a false positive or something malicious indeed went into this file recently (last modified: Sept 17 2021). When downloading previous versions of Yara, there were no malware detections. However, when downloading the latest release candidate (or cloning the repository), the file "pe_mingw" is detected as malware by either Microsoft Windows Defender or other cybersecurity vendors.

Tested with: YARA v4.2.0-rc1 and by cloning the repository as of today Feb 24, 2022.

plusvic commented 2 years ago

pe_mingw is a simple "Hello world!" program that does nothing, but it seems that some antiviruses decided to detect it for some reason. This file was added relatively recently as data for test cases.

germanlancioni commented 2 years ago

Thanks, I imagined that's the case. However, I'm thinking that even if it's a false positive, it is somehow harming the "adoption" of Yara. If you try to clone or download the repo, you get stopped by Defender or others, which is likely to steer people away from the library. I tried to figure out why it's detected, but a diff is hard to follow given it's binary data. We know that the file only started to get detected since the last update on Sept 17 2021 (\N separators added?).

Is there something we can do to revert it back to "not being detected", assuming we are 100% sure this is not malware?

plusvic commented 2 years ago

I'm afraid the only options here are creating a new file that can be used with the test case (and hope that this time antiviruses don't detect it) or removing the test case altogether.