This is the mail archive of the
cygwin
mailing list for the Cygwin project.
Re: Malwarebytes flags qdbusviewer-qt5.exe as Adware.Elex malware
On 2017-03-19 12:18, Ed Koerber via cygwin wrote:
> On Sunday, March 19, 2017 12:32 PM, Ray Donnelly wrote:
>> On Sun, Mar 19, 2017 at 5:19 PM, Ed Koerber via cygwin wrote:
>>> I am using the following version of cygwin on a Windows 7 computer:
>>> $ uname -a
>>> CYGWIN_NT-6.1 e250 2.6.0(0.304/5/3) 2016-08-31 14:27 i686 Cygwin
>>> Why does Malwarebytes flag this file:
>>> C:\cygwin\usr\x86_64-w64-mingw32\sys-root\mingw\bin\qdbusviewer-qt5.exe
>>> as Adware.Elex malware?
>> Probably because virus scanners are amongst the dumbest software on earth?
>> If you were to report it to Malwarebytes as a suspected false positive
>> that would be helpful.
> It bears asking to be thorough... are we sure that the cygwin package
> has not been compromised somehow?
As long as you install Cygwin setup-x86{,64} from https://cygwin.com and
it downloads packages from a current official mirror, you are protected
by browser validation (only as good as your browser) of HTTPS certificates,
GPG signature validation on the setup program and setup.ini files, and
SHA-2 SHA-512 message digest validation of the packages and contents.
Read the MB notes on adware e.g.
https://support.malwarebytes.com/customer/portal/articles/1834873-what-are-pup-detections-are-they-threats-and-should-they-be-deleted-?b_id=6438
"What are 'PUP' detections, are they threats and should they be deleted?
PUP detections are Potentially Unwanted Programs.
These are programs our researchers have found are sometimes added to a
system without the user's knowledge or approval.
In Malwarebytes Anti-Malware versions 2.0 and higher,
PUPs are set to be quarantined by default.
This can be confirmed in Settings > Detection and Protection >
Non-Malware Protection."
***********
This warning may be generated by generic detection of Windows code that
may resemble similar Windows code included in some adware. If this is
generated by a static file scan, especially of Cygwin code, rather than
while running the software, it is most likely a false positive.
If you downloaded and installed the software yourself from a reputable
source, with good validation, you should exclude the software.
With Cygwin you can always download the tools and source code to fairly
easily rebuild the binary packages, and some people other than the Cygwin
developers do, starting with the dll, apps, tools, etc. so they know all
their code can be rebuilt from the distributed source.
You can always uninstall the package using the setup program, or whatever
process is recommended by MB.
Alternatively you can ask MB for confirmation or reconsideration:
https://forums.malwarebytes.com/topic/3228-please-read-before-reporting-a-false-positive/
MB search for "false positive" does not return much useful until you
go into the Forums, and their products do not seem to have an easy way
integrated to submit reports and samples. This to me is a yellow flag,
as most similar products I have used make it easy to report and provide
samples of either suspected malware or false positives, which have
included earlier Cygwin and other Windows programs which were fine, and
were quickly recategorized in updates to the AV product.
You may be better served by good AV and ad blocking software that is
not in the Cygwin FAQ BLODA list:
https://cygwin.com/faq/faq.html#faq.using.bloda
For Windows 7 you could download and install MSE Microsoft Security
Essentials, using it with Windows Defender and Windows Firewall,
and a good ad blocker that detects known problems and actual bad
behaviour.
--
--
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple