Detected as trojan in chocolatey repo

Detected as trojan in chocolatey repo

[Jesse]

[-- Attachment #1.1: Type: text/plain, Size: 2134 bytes --]


Hello, are you the maintainer of your software on chocolatey? Do you have 
issues with false positives? Hope that's all this is. I don't even know why 
the repo installed this package; I didn't get a dependency error when I 
uninstalled it...maybe I removed the software it came with. The file was 
created on the 3rd, but didn't get picked up until a full drive idle scan 
this morning. So real-time missed it. Probably because I have chocolatey 
trusted. Everything is supposed to be scanned already, I thought. Then 
again, they offer integrated virus scanning as a paid feature; I hope that 
doesn't mean they don't scan pushed packages by default.

Usually Kaspersky is pretty good about labeling PUA detections (will say 
*not-a-virus* right on the label) and it isn't heuristic either which is 
naturally a lot more likely to be false. So it tripped some signature. That 
doesn't mean it can't be a false positive though. Unfortunately I deleted 
the file before I thought to upload it to VirusTotal or send it in. I 
scanned the Windows zip and source code from Github to see if it caused a 
detection as well though and didn't detect anything. Also, 
*pandoc-citeproc.exe* is not in those archives anyway, perhaps those data 
are associated with the chocolatey package specifically?

Just wanted to inform. I don't think anything bad happened to my PC. I hope 
it isn't indicative of someone somehow sneaking trojans into other 
legitimate chocolatey packages after they've been pushed to the repo. That 
seems like a stretch though. 

If you have any insight on this I'd appreciate it. I might just need to 
switch antivirus providers. Their firewall has been aggravating me for days 
as it is. Have a nice day.

-- 
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/1ae0839c-ca1c-4845-8755-33235432ede2n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 27361 bytes --]

Re: Detected as trojan in chocolatey repo

[Gregory Weber]

[-- Attachment #1.1: Type: text/plain, Size: 3306 bytes --]

According to https://community.chocolatey.org/packages

"""
Moderation

Every version of each package undergoes a rigorous moderation process 
before it goes live that typically includes:

   - Security 
   <https://docs.chocolatey.org/en-us/information/security#chocolatey.org-packages>, 
   consistency, and quality checking 
   <https://docs.chocolatey.org/en-us/community-repository/moderation/package-validator/rules/>
   - Installation testing 
   <https://docs.chocolatey.org/en-us/community-repository/moderation/package-verifier>
   - Virus checking through VirusTotal 
   <https://docs.chocolatey.org/en-us/information/security#chocolatey.org-packages>
   - Human moderators who give final review and sign off

More detail at Security 
<https://docs.chocolatey.org/en-us/information/security#chocolatey.org-packages>
 and Moderation 
<https://docs.chocolatey.org/en-us/community-repository/moderation>.
"""

So it doesn't seem that virus scanning on the chocolatey repository is a 
paid feature.
On Thursday, December 9, 2021 at 4:25:14 PM UTC-5 jmroos...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:

>
> Hello, are you the maintainer of your software on chocolatey? Do you have 
> issues with false positives? Hope that's all this is. I don't even know why 
> the repo installed this package; I didn't get a dependency error when I 
> uninstalled it...maybe I removed the software it came with. The file was 
> created on the 3rd, but didn't get picked up until a full drive idle scan 
> this morning. So real-time missed it. Probably because I have chocolatey 
> trusted. Everything is supposed to be scanned already, I thought. Then 
> again, they offer integrated virus scanning as a paid feature; I hope that 
> doesn't mean they don't scan pushed packages by default.
>
> Usually Kaspersky is pretty good about labeling PUA detections (will say 
> *not-a-virus* right on the label) and it isn't heuristic either which is 
> naturally a lot more likely to be false. So it tripped some signature. That 
> doesn't mean it can't be a false positive though. Unfortunately I deleted 
> the file before I thought to upload it to VirusTotal or send it in. I 
> scanned the Windows zip and source code from Github to see if it caused a 
> detection as well though and didn't detect anything. Also, 
> *pandoc-citeproc.exe* is not in those archives anyway, perhaps those data 
> are associated with the chocolatey package specifically?
>
> Just wanted to inform. I don't think anything bad happened to my PC. I 
> hope it isn't indicative of someone somehow sneaking trojans into other 
> legitimate chocolatey packages after they've been pushed to the repo. That 
> seems like a stretch though. 
>
> If you have any insight on this I'd appreciate it. I might just need to 
> switch antivirus providers. Their firewall has been aggravating me for days 
> as it is. Have a nice day.
>
>

-- 
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/0209b12b-3ad1-4fbc-abed-21345db9c773n%40googlegroups.com.

[-- Attachment #1.2: Type: text/html, Size: 4239 bytes --]