Gmail thinks the JSFormat.sublime-package is a virus

[jondandois]

I was transferring my Sublimetext 3 installation, packages, settings etc between computers for a new setup and used Package Resource Viewer to access all of my installed packages. After zipping the whole Sublimetext folder (Installed Packages, Local, Packages...) and adding that to an email to myself, Gmail prompted that the zip contained a virus. After testing through all the different files, it seems that Gmail was identifying only JSFormat.sublime-package as potentially containing a virus. I saw closed issue 128. I don't really understand virus detectors, but it seems like if Gmail sees something there, perhaps there is a real bug / issue. I agree with Dev's comments at issue 128, and could not identify anything in the source that was apparently malicious, so I don't know what could be happening.

p.s. really like Jsformat though, just trying to help.

[jdavisclark]

@jondandois super weird. I've reviewed all the jsformat specific code to make sure nothing got past me in a pull request from someone else. It's clean. The only thing left to review is the dependencies in lib/, but I suspect that something is just throwing a false positive.

I'll play around with uploading specific files to gmail and see what, if anything, triggers it again.

[jondandois]

Could it be some interaction with Package Resource Viewer? I was under the impression that it just exposed the installed packages. I installed JSformat using the normal package control method and have been able to confirm this behavior on two separate machines with their own installs.

On Sep 13, 2016 10:16 AM, "Davis Clark" notifications@github.com wrote:

super weird. I've reviewed all the jsformat specific code to make sure nothing got past me in a pull request from someone else. It's clean. The only thing left to review is the dependencies in lib/, but I suspect that something is just throwing a false positive.

I'll play around with uploading specific files to gmail and see what, if anything, triggers it again.

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/jdc0589/JsFormat/issues/174#issuecomment-246695493, or mute the thread https://github.com/notifications/unsubscribe-auth/AUIcUgz16VenL8fStzdAqPfXxuPZgKwWks5qprAzgaJpZM4J7oEj .

[bitwiseman]

It might be worth asking google what triggered this warning. It is possible that it is not just one thing, but a combination of the package (zipped) file type, the file extension, and the contents.

[jondandois]

Good point. It seems to be coming from the jsbeautify lib (JsFormat/libs/jsbeautifier/unpackers/tests/) and a javacript file inside that dependency

[bitwiseman]

That would make sense. Virus code is often obfuscated to prevent users or tools from being able to analyze what it is doing. It might make sense to remove tests from the published packages.

Could you open an issue the the js-beautify project and link to this one? This is not a common scenario, so it may not be fixed in the short term, but it would be good to know and track it.

In the meanwhile, it is safe for you to remove that file and continue your migration.

[jdavisclark]

@bitwiseman that makes sense, im kind of impressed gmail is scanning this deeply now though. not long too long ago zip/archive detection was based solely on tar/zip/gz/etc... extension.