FS#67474 - [wine] [security] detected as malware by several VirusTotal scanners

Attached to Project: Community Packages
Opened by Ruben (rub3n) - Monday, 03 August 2020, 16:26 GMT
Last edited by Felix Yan (felixonmars) - Sunday, 30 May 2021, 21:07 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Felix Yan (felixonmars)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
When installing wine-5.14-2 the files
/usr/lib32/wine/msidb.exe
/usr/lib32/wine/netstat.exe
/usr/lib32/wine/whoami.exe

were detected as Threats by Sophos. Several scanners from VirusTotal also claim that those files are malware:

msidb.exe : https://www.virustotal.com/gui/file/baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b/detection

netstat.exe : https://www.virustotal.com/gui/file-analysis/N2YyOWIzZDc2MWY4MDUzMTMzOGIzNzhmMThjZWMyZTQ6MTU5NjQ3MTEyOA==/summary

whoami.exe : https://www.virustotal.com/gui/file/b7ca25680040a51c22101d1d0b72b064717099d61b3af889b7520552ad43e366/detection

Additional info:
* Version: wine-5.14-2

* SHA256-sums:
msidb.exe: baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b

netstat.exe: b1be394bcc993a53d8623d2bc57ea6eb136e7849759e91846270dd8998e4d4e6

whoami.exe: b7ca25680040a51c22101d1d0b72b064717099d61b3af889b7520552ad43e366

Closed by Felix Yan (felixonmars)
Sunday, 30 May 2021, 21:07 GMT
Reason for closing: Not a bug
Additional comments about closing: It is a false positive. Please reopen if there is anything we should do here.
Comment by Jelle van der Waa (jelly) - Monday, 03 August 2020, 18:06 GMT
Does wine upstream know about this issue? As it's not something we can really do anything about, if these tools flag it by accident. Is there a way to report it as a false positive?
Comment by Maciej Stanczew (stanczew) - Monday, 03 August 2020, 20:03 GMT
This started appearing probably as a result of enabling Wine builds in PE format (FS#67317).
Official WineHQ binary releases are also built as PE, so we can check those files directly from upstream, e.g. for Ubuntu:
https://dl.winehq.org/wine-builds/ubuntu/dists/focal/main/binary-i386/
https://www.virustotal.com/gui/file/95beb905262b620bbe57c13440c7a47886dbe5f6d1677477dfbb45aed7b26225/detection
https://www.virustotal.com/gui/file/31b88d5f85b15b28daf7c731e33a32ac377c957f033c15bcd2030d35f37c58ac/detection
https://www.virustotal.com/gui/file/916393058c3da9a8d86b5e8b42cd3bd180e9bffa3a87f0b3f20a542b0655628f/detection

Or for Fedora:
https://dl.winehq.org/wine-builds/fedora/32/i686/
https://www.virustotal.com/gui/file/150d3c6aea0fb0d14828d9dd3dce1405b928e8a3cbd61abfb3d0fcc1a613eb45/detection
https://www.virustotal.com/gui/file/dac8c84c8b03086976d3c67e5eadee940a68770c1883c3c306d2c998631f286e/detection
https://www.virustotal.com/gui/file/7b46a274c56b30d4da025e11db66c3a4c72504f0da3d05db314eb2da24d7243f/detection

There are fewer hits in total, but they are still present, and there are differences between distributions. (Maybe compilation flags have a say here?)

Anyhow, those look like generic, heuristic hits, which should be false positives. There are some bugs and threads with similar issues:
https://bugs.winehq.org/show_bug.cgi?id=34092
https://bugs.winehq.org/show_bug.cgi?id=44057
https://bugs.winehq.org/show_bug.cgi?id=45852
https://bugs.winehq.org/show_bug.cgi?id=48418
https://bugs.winehq.org/show_bug.cgi?id=48681
https://forum.winehq.org/viewtopic.php?t=33190
https://forum.winehq.org/viewtopic.php?t=33444
https://forum.winehq.org/viewtopic.php?t=33597
https://forum.winehq.org/viewtopic.php?t=33993
Comment by mpan (mpan) - Tuesday, 04 August 2020, 17:20 GMT
I did a rebuild from the source signed by DA23579A74D4AD9AF9D3F945CEFAC8EAAF17519D and while the package is not reproducible and the file differs, my “msidb.exe” receives 12/60. Supports the claim it’s a false positive.