chocolatey / choco

Chocolatey - the package manager for Windows
https://chocolatey.org

Install-ChocolateyZipPackage might contribute to VirusTotal false positive #3386

Closed laura-rodriguez closed 5 months ago

laura-rodriguez commented 5 months ago

Checklist

What You Are Seeing?

I'm currently in the process of submitting a new package, which is now under moderator review. VirusTotal reports that 1 out of 60 scanners (MaxSecure) throws a warning of malicious file "Trojan.Malware.300983.susgen", which is a false positive as we can ensure the integrity of the package.

I noticed other open-source projects also struggled with scanners' false positives, especially the MaxSecure scanner: https://github.com/getsops/sops/issues/1331 https://github.com/pypa/setuptools/issues/4063 https://www.reddit.com/r/techsupport/comments/o52rq3/trojanmalware300983susgen/

And I also understand Choco doesn't handle how anti-virus scanners work.

Having said this, are there any enhancements in the ChocoInstall script we could do to avoid false positives? It seems the usage of Install-ChocolateyZipPackage contributes to the following warning: "Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub) Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files."

Scanning the zip files and the NuGet package separately doesn't throw any flags.

Thanks in advance!

What is Expected?

Avoid false positives that damage packages' reputation.

How Did You Get This To Happen?

I submitted a brand new package and this is the scan result: https://community.chocolatey.org/packages/okta-aws-cli/1.2.2#virus

System Details

Installed Packages

N/A

Output Log

Crowdsourced Sigma Rules
CRITICAL 0
HIGH 0
MEDIUM 1
LOW 1

Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

Matches rule Creation of an Executable by an Executable by frack113 at Sigma Integrated Rule Set (GitHub)
Detects the creation of an executable by another executable

Additional Context

No response
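The two Sigma rule names in the report above describe behaviour observed while the sandbox runs the install, not properties of the zip or nupkg bytes: "Password Protected Compressed File Extraction Via 7Zip" keys on how a 7-Zip binary was invoked, and "Creation of an Executable by an Executable" fires whenever a .exe process writes another .exe, which unpacking a zip that contains an executable necessarily does. That is consistent with the files scanning clean on their own. The following is an added example, not code from the choco project or from the Sigma rule set: a simplified approximation (an assumption, not the rules' exact YAML) of both match conditions, run over constructed process-creation and file-creation events so a maintainer can see which part of an install would trip each rule.

```python
"""Approximation of the two Sigma rules named in the VirusTotal report.

Added example for illustration only; it is not part of the choco project and
the match conditions are simplified assumptions about the rules, not their
exact definitions. All events below are constructed sample data.
"""
from dataclasses import dataclass

# Image names the 7-Zip rule is described as watching (from the report text).
SEVEN_ZIP_IMAGES = ("\\7z.exe", "\\7za.exe", "\\7zr.exe")
# 7-Zip extract verbs: x (full paths) and e (flat).
EXTRACT_VERBS = ("x", "e")


@dataclass
class ProcessEvent:
    """A process-creation event: the binary launched and its command line."""
    image: str
    command_line: str


@dataclass
class FileCreateEvent:
    """A file-creation event: the writing process and the path written."""
    image: str
    target_filename: str


def is_password_protected_7zip_extract(ev: ProcessEvent) -> bool:
    """Assumed condition: a 7-Zip binary run with an extract verb and a -p
    switch (7-Zip takes the password as -pSECRET, no space).

    Tokenising on whitespace is deliberately naive; quoted paths with spaces
    would need a real Windows command-line parser.
    """
    if not ev.image.lower().endswith(SEVEN_ZIP_IMAGES):
        return False
    args = ev.command_line.split()[1:]
    has_extract_verb = any(a in EXTRACT_VERBS for a in args)
    has_password_switch = any(a.startswith("-p") for a in args)
    return has_extract_verb and has_password_switch


def is_exe_creating_exe(ev: FileCreateEvent) -> bool:
    """Assumed condition: a process whose image is a .exe writes a .exe file."""
    return ev.image.lower().endswith(".exe") and ev.target_filename.lower().endswith(".exe")


def summarize(process_events, file_events) -> dict:
    """Count how many sample events each approximated rule would flag."""
    return {
        "Password Protected Compressed File Extraction Via 7Zip":
            sum(is_password_protected_7zip_extract(e) for e in process_events),
        "Creation of an Executable by an Executable":
            sum(is_exe_creating_exe(e) for e in file_events),
    }


# Constructed sample telemetry (hypothetical paths and names, not from the page).
SEVEN_ZIP = r"C:\ProgramData\chocolatey\tools\7z.exe"
SAMPLE_PROCESS_EVENTS = [
    # Plain extraction, no password switch: should not match.
    ProcessEvent(SEVEN_ZIP, r'7z.exe x "C:\tmp\pkg.zip" -oC:\tmp\out -y'),
    # Extraction with an inline password: matches the 7-Zip rule.
    ProcessEvent(SEVEN_ZIP, r'7z.exe x "C:\tmp\pkg.zip" -pSecret -oC:\tmp\out -y'),
    # Listing with a password but no extract verb: should not match.
    ProcessEvent(SEVEN_ZIP, r'7z.exe l "C:\tmp\pkg.zip" -pSecret'),
    # A different image entirely: should not match even with -p.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo -pSecret"),
]
SAMPLE_FILE_EVENTS = [
    # 7-Zip writing the unpacked executable: matches the exe-creates-exe rule.
    FileCreateEvent(SEVEN_ZIP, r"C:\tmp\out\example-cli.exe"),
    # 7-Zip writing a text file: should not match.
    FileCreateEvent(SEVEN_ZIP, r"C:\tmp\out\LICENSE.txt"),
]


if __name__ == "__main__":
    for rule, hits in summarize(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS).items():
        print(f"{hits} hit(s): {rule}")
```

Under these assumptions the exe-creates-exe rule is matched by any zip package that ships an executable, regardless of what the archive contains, while the 7-Zip rule depends only on the command line the sandbox sees. A maintainer who wants to understand the MEDIUM finding therefore needs the sandbox's recorded process tree (the actual 7z.exe arguments), not another scan of the archive.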

pauby commented 5 months ago

I'm unclear on what the issue is.

The files that are in your package are uploaded directly to VirusTotal. Install-ChocolateyZipPackage hasn't done anything to the Zip files that are in the package (or their hashes would have changed), so I'm unsure how this comes into play to ensure that your files are receiving AV detections.

And I also understand Choco doesn't handle how anti-virus scanners work.

I'm unclear what you mean here. Can you elaborate?

laura-rodriguez commented 5 months ago

Hi @pauby,

I'm new to the process of uploading packages into Chocolatey, so I apologize if I wasn't clear enough. This issue is mostly a question about what things a maintainer can do to avoid false positives.

As I mentioned, I've submitted a package, a zip file that contains a .exe file, and VirusTotal is reporting a warning for a potential vulnerability (trojan.Malware.300983.susgen). In order to analyze and mitigate the warning, I went ahead and uploaded the zip files and NuGet package to VirusTotal, and no vulnerabilities were detected, as you can see here:

As no vulns were detected, I dug deeper into the VirusTotal report provided in the Chocolatey package dashboard, and I noticed this particular one:

Matches rule Password Protected Compressed File Extraction Via 7Zip by Nasreddine Bencherchali (Nextron Systems) at Sigma Integrated Rule Set (GitHub)
Detects usage of 7zip utilities (7z.exe, 7za.exe and 7zr.exe) to extract password protected zip files.

Considering none of the files throws any vulns independently, is it possible that this MEDIUM vuln is caused by Install-ChocolateyZipPackage and the way the 7Zip utilities are being used underneath? Is there any recommendation to mitigate false positives that can be done on the Choco scripts side?