Primary forum for Cygwin, a GNU-Linux-like environment on Windows

Watts, Simon (UK | 23 Apr 2012 10:28

VIRUS: XWin.exe 1.12.0-4 "Bloodhound.Sonar.9"

Just performed a routine update to cygwin, which resulted in the updated XWin.exe being quarantined due to
a virus threat.

Details:

	setup.exe version: 	2.769
	source: 	http://cygwin.xl-mirror.nl
	xorg-servers-common version: 	1.12.0-4

Symantec Endpoint Protection reported XWin.exe contained "Bloodhound.Sonar.9"

	file size:	2828127
	hash:	157814B5160244D44E469CA9829124DABA14426F3D60E6A22B52E953625CA0B2
	category:	application heuristic
	scan type:	SONAR
	SONAR Risk level:	High
	SONAR:	High

Reverting back to 1.12.0-3 from same source does *not* show this issue.

Could be a false positive?  But AV policy prevents me from running it.

Regards, 

Simon.

======================================================================
Simon A Watts CPhys CITP   Northrop Grumman Mission Systems Europe Ltd
Senior Software Engineer                                 Leander
House

(Continue reading)

headers

Yaakov (Cygwin/X | 23 Apr 2012 10:51

Re: VIRUS: XWin.exe 1.12.0-4 "Bloodhound.Sonar.9"

On 2012-04-23 03:28, Watts, Simon (UK) wrote:
> Just performed a routine update to cygwin, which resulted in the updated
 > XWin.exe being quarantined due to a virus threat.

http://cygwin.com/faq/faq-nochunks.html#faq.setup.virus

Yaakov
Cygwin/X

headers

Andrey Repin | 23 Apr 2012 12:52

Re: VIRUS: XWin.exe 1.12.0-4 "Bloodhound.Sonar.9"

Greetings, Watts, Simon (UK)!

> Just performed a routine update to cygwin, which resulted in the updated XWin.exe being quarantined due
to a virus threat.

> Details:

>         setup.exe version:      2.769
>         source:         http://cygwin.xl-mirror.nl
>         xorg-servers-common version:    1.12.0-4

> Symantec Endpoint Protection reported XWin.exe contained "Bloodhound.Sonar.9"

>         file size:      2828127
>         hash:   157814B5160244D44E469CA9829124DABA14426F3D60E6A22B52E953625CA0B2
>         category:       application heuristic
>         scan type:      SONAR
>         SONAR Risk level:       High
>         SONAR:  High

> Reverting back to 1.12.0-3 from same source does *not* show this issue.

> Could be a false positive?  But AV policy prevents me from running it.

From the report, it seems like it's AV heuristic backfired.
https://www.virustotal.com/file/157814b5160244d44e469ca9829124daba14426f3d60e6a22b52e953625ca0b2/analysis/

--
WBR,
Andrey Repin (anrdaemon <at> freemail.ru) 23.04.2012, <14:39>

(Continue reading)