Community Packages

FS#67474 - [wine] [security] detected as malware by several VirusTotal scanners

Attached to Project: Community Packages
Opened by Ruben (rub3n) - Monday, 03 August 2020, 16:26 GMT
Last edited by freswa (frederik) - Monday, 03 August 2020, 16:44 GMT
Task Type: Bug Report
Category: Security
Status: Assigned
Assigned To: Felix Yan (felixonmars), Levente Polyak (anthraxx)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No


When installing wine-5.14-2 the files

were detected as Threats by Sophos. Several scanners from VirusTotal also claim that those files are malware:

msidb.exe :

netstat.exe :

whoami.exe :

Additional info:
* Version: wine-5.14-2

* SHA256-sums:
msidb.exe: baa755b0f25e84842e1b0840bd2ceee18109f776d8ae3c3a5aeb5571a76c8e9b

netstat.exe: b1be394bcc993a53d8623d2bc57ea6eb136e7849759e91846270dd8998e4d4e6

Comment by Jelle van der Waa (jelly) - Monday, 03 August 2020, 18:06 GMT
Does wine upstream know about this issue? It's not something we can really do anything about if these tools flag it by accident. Is there a way to report it as a false positive?

Comment by Maciej Stanczew (stanczew) - Monday, 03 August 2020, 20:03 GMT
This started appearing probably as a result of enabling Wine builds in PE format (FS#67317).
Official WineHQ binary releases are also built as PE, so we can check those files directly from upstream, e.g. for Ubuntu:

Or for Fedora:

There are fewer hits in total, but they are still present, and there are differences between distributions. (Maybe compilation flags have a say here?)

Anyhow, those look like generic, heuristic hits, which should be false positives. There are some bugs and threads with similar issues:

Comment by Marcin Andrzejewski (mpan) - Tuesday, 04 August 2020, 17:20 GMT
I did a rebuild from the source signed by DA23579A74D4AD9AF9D3F945CEFAC8EAAF17519D and while the package is not reproducible and the file differs, my “msidb.exe” receives 12/60. Supports the claim it’s a false positive.