pypa / setuptools

Official project repository for the Setuptools build system
https://pypi.org/project/setuptools/
MIT License

[BUG] Virus alarm for the .exe in the project #4063

Open ghost opened 1 year ago

ghost commented 1 year ago

setuptools version

68.2.2

Python version

Python 3.11

OS

Windows

Additional environment information

No response

Description

When I scan the zip downloaded from master or the last release 68.2.2, or scan the individual cli-*.exe and gui-*.exe files directly, I get a virus detection with virustotal.com. Here are the results: https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1 https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb

I'm not very experienced with this kind of case and now worry whether the project/files are secure to execute.

Expected behavior

Expected no virus alarm.

How to Reproduce

Reproducible by re-scanning.

Output

Scans: https://www.virustotal.com/gui/file/7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212?nocache=1 https://www.virustotal.com/gui/file/32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb
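The two VirusTotal links above identify the scanned files only by their SHA-256 digests. A practical first check for anyone in the reporter's position is to hash the launcher files actually present in their own setuptools installation and see whether they are the same files the report is about. The script below is an added example, not code from the setuptools project or from anyone in this thread: it walks a directory for cli-*.exe / gui-*.exe files, hashes them, and flags which ones match the digests quoted in the links. The setuptools_dir() helper and the constructed sample tree are assumptions for demonstration.

```python
import hashlib
import sys
import sysconfig
import tempfile
from pathlib import Path

# SHA-256 digests taken from the VirusTotal URLs in the report above.
REPORTED_SHA256 = {
    "7b2e59ba9dab730c6aaa28ffb1f7a3a198e2bbb4330a974609b5193f1baeb212",
    "32acc1bc543116cbe2cff10cb867772df2f254ff2634c870aef0b46c4b696fdb",
}


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_launchers(root: Path) -> list:
    """All cli-*.exe / gui-*.exe files below root (the setuptools launcher naming)."""
    return sorted(
        p for p in Path(root).rglob("*.exe") if p.name.startswith(("cli-", "gui-"))
    )


def check_launchers(root: Path, known=REPORTED_SHA256) -> dict:
    """Map each launcher's root-relative POSIX path to (sha256, matches_known_set)."""
    root = Path(root)
    report = {}
    for p in find_launchers(root):
        digest = sha256_file(p)
        report[p.relative_to(root).as_posix()] = (digest, digest in known)
    return report


def setuptools_dir() -> Path:
    # Assumed location of the installed setuptools package for this interpreter.
    return Path(sysconfig.get_paths()["purelib"]) / "setuptools"


def make_sample_tree() -> Path:
    """Constructed sample tree (placeholder bytes, not real launchers) for offline runs."""
    d = Path(tempfile.mkdtemp(prefix="launcher-check-"))
    pkg = d / "setuptools"
    pkg.mkdir()
    (pkg / "__init__.py").write_text("")
    (pkg / "cli-64.exe").write_bytes(b"constructed cli launcher placeholder")
    (pkg / "gui-32.exe").write_bytes(b"constructed gui launcher placeholder")
    return d


if __name__ == "__main__":
    # Usage: python check_launchers.py [directory]; defaults to the installed setuptools.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else setuptools_dir()
    if not target.exists():
        print(f"no such directory: {target}")
        sys.exit(1)
    for rel, (digest, matched) in check_launchers(target).items():
        flag = "MATCHES reported sample" if matched else "not in reported set"
        print(f"{rel}: {digest} ({flag})")
```

A launcher that hashes to one of the reported digests is the very file VirusTotal scanned, so the same verdict applies; a launcher with a different digest was not covered by that report and needs its own assessment. Either way, the digest is the thing to quote when asking the vendor to review a suspected false positive.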

abravalheri commented 1 year ago

Hi @Widdar77, thank you very much for the report. Are you sure this is not a false positive?

ghost commented 1 year ago

Hi @abravalheri

Thank you very much for the reply!

That is basically the question I want to ask a dev here, because I can't answer it. I'm not experienced with this topic and am only an end-user who can't read the code or inspect anything. I'm dependent on the expertise of the developers. Can you guarantee that this is a false alarm and nothing is infected? (This package is a dependency for an app I want to use, and I just scan everything I download to my computer.)

abravalheri commented 1 year ago

As far as I know the only person generating the .exe files in this repository is @jaraco based on the code in https://github.com/pypa/setuptools/blob/main/launcher.c (which you can inspect to ensure it is safe for you; see also https://github.com/pypa/setuptools/blob/v68.2.2/tools/build_launchers.py). I am very sure he is not intentionally introducing any malware.

I did a quick search and this report comes up in other places for other software that ship pre-compiled stuff (e.g. in the go community) and there seems to be a generalised suspicion that the heuristics employed are prone to false positives:

In these issues you see stories where the provider seems to be unresponsive about false positives (I also got a NET::ERR_CERT_DATE_INVALID error when trying to access their website, which is a bit concerning for a company in the "security" field).

Maybe you should contact virustotal (which I assume to be the service you are using) and report that the MaxSecure Trojan.Malware.300983.susgen heuristic has been reported to be prone to false positives, and suggest that they investigate this further?

abravalheri commented 1 year ago

Another thing is that, if you install things with pip install ... instead of python setup.py install (the latter is deprecated and should not be used anyway), none of the gui-*.exe or cli-*.exe files are executed.

ghost commented 1 year ago

Thanks for the reply. Then could I also delete the gui-*.exe and cli-*.exe files after installation with pip install?

abravalheri commented 1 year ago

In theory yes, but I haven't tested...

Also note that setuptools is not a regular "package". It is a "package" for creating "packages"... In most of the cases pip will install a brand new setuptools in an isolated Python virtual environment if you need to pip install another package that does not have a wheel published on PyPI...

The best would be exporting the PIP_USE_PEP517=true environment variable to avoid those files getting used. (There are other ways, though, to force pip to use the deprecated installation method for some packages, so some tools trying to tap into that may still be subject to failures.)