From: Gregory Weber
Newsgroups: gmane.text.pandoc
Subject: Re: Detected as trojan in chocolatey repo
Date: Wed, 15 Dec 2021 17:13:19 -0800 (PST)
Message-ID: <0209b12b-3ad1-4fbc-abed-21345db9c773n@googlegroups.com>
References: <1ae0839c-ca1c-4845-8755-33235432ede2n@googlegroups.com>
To: pandoc-discuss
In-Reply-To: <1ae0839c-ca1c-4845-8755-33235432ede2n-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org>
Xref: news.gmane.io gmane.text.pandoc:29794

According to https://community.chocolatey.org/packages

"""
Moderation

Every version of each package undergoes a rigorous moderation process before it goes live that typically includes:

- Security, consistency, and quality checking
- Installation testing
- Virus checking through VirusTotal
- Human moderators who give final review and sign off

More detail at Security and Moderation.
"""

So it doesn't seem that virus scanning on the chocolatey repository is a paid feature.

On Thursday, December 9, 2021 at 4:25:14 PM UTC-5 jmroos...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org wrote:
>
> Hello, are you the maintainer of your software on chocolatey? Do you have
> issues with false positives? Hope that's all this is. I don't even know why
> the repo installed this package; I didn't get a dependency error when I
> uninstalled it... maybe I removed the software it came with. The file was
> created on the 3rd, but didn't get picked up until a full drive idle scan
> this morning. So real-time missed it. Probably because I have chocolatey
> trusted. Everything is supposed to be scanned already, I thought. Then
> again, they offer integrated virus scanning as a paid feature; I hope that
> doesn't mean they don't scan pushed packages by default.
>
> Usually Kaspersky is pretty good about labeling PUA detections (will say
> *not-a-virus* right on the label), and it isn't heuristic either, which is
> naturally a lot more likely to be false. So it tripped some signature. That
> doesn't mean it can't be a false positive though. Unfortunately I deleted
> the file before I thought to upload it to VirusTotal or send it in. I
> scanned the Windows zip and source code from Github to see if it caused a
> detection as well though and didn't detect anything. Also,
> *pandoc-citeproc.exe* is not in those archives anyway; perhaps those data
> are associated with the chocolatey package specifically?
>
> Just wanted to inform. I don't think anything bad happened to my PC. I
> hope it isn't indicative of someone somehow sneaking trojans into other
> legitimate chocolatey packages after they've been pushed to the repo. That
> seems like a stretch though.
>
> If you have any insight on this I'd appreciate it. I might just need to
> switch antivirus providers. Their firewall has been aggravating me for days
> as it is. Have a nice day.
>
>

--
You received this message because you are subscribed to the Google Groups "pandoc-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pandoc-discuss+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit https://groups.google.com/d/msgid/pandoc-discuss/0209b12b-3ad1-4fbc-abed-21345db9c773n%40googlegroups.com.
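The original poster deleted the flagged file before hashing it or sending it to VirusTotal, which left nothing to compare against the package. The PowerShell script below is an added example written for this page; it is not code from the thread, from pandoc, or from Chocolatey. Run it against a flagged file before quarantining it: it records the file's SHA-256, size, timestamps and Authenticode signature status to a JSON file, builds the VirusTotal hash-lookup URL (so the sample itself never needs uploading), and compares the hash with the checksum the package's own install script declared. It assumes Chocolatey's default layout ($env:ChocolateyInstall\lib\<package>\) and the usual `checksum` / `checksum64` variables in chocolateyInstall.ps1; the example path and the package name `pandoc` are placeholders. One caveat: if a package downloads an archive and extracts the executable, the declared checksum belongs to the archive, so a non-match on the extracted .exe proves nothing by itself.

```powershell
# Added example (not from the original thread, pandoc, or Chocolatey).
# Preserve evidence about a flagged file before deleting it, then check it
# against the checksum the Chocolatey package declared at install time.
#
# Assumptions: default Chocolatey layout ($env:ChocolateyInstall\lib\<pkg>\)
# and the conventional 'checksum' / 'checksum64' variables in the package's
# chocolateyInstall.ps1. If the package downloads an archive and extracts
# the exe, the declared checksum is for the archive, not the exe.

param(
    # Hypothetical path; substitute the file your AV flagged.
    [Parameter(Mandatory)] [string] $Path,
    # e.g. 'pandoc'
    [Parameter(Mandatory)] [string] $PackageName
)

if (-not (Test-Path -LiteralPath $Path)) {
    throw "File not found: $Path (hash the file before deleting it, not after)"
}

$item = Get-Item -LiteralPath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
$sig  = Get-AuthenticodeSignature -FilePath $Path
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

# Enough to reopen the investigation without the file itself.
$record = [ordered]@{
    Path          = $item.FullName
    SizeBytes     = $item.Length
    CreatedUtc    = $item.CreationTimeUtc.ToString('o')
    LastWriteUtc  = $item.LastWriteTimeUtc.ToString('o')
    Sha256        = $hash
    SigStatus     = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, ...
    Signer        = $signer
    VirusTotalUrl = "https://www.virustotal.com/gui/file/$hash"   # lookup by hash, no upload needed
}

# Compare against the checksum(s) declared in the package's install script.
$lib = Join-Path $env:ChocolateyInstall "lib\$PackageName"
$installScript = Get-ChildItem -Path $lib -Recurse -Filter chocolateyInstall.ps1 -ErrorAction SilentlyContinue |
    Select-Object -First 1

if ($installScript) {
    # Matches lines such as:   checksum64 = 'abc...'   or   $checksum = "abc..."
    $pattern  = 'checksum(64)?\s*=\s*[''"]([0-9A-Fa-f]{64})[''"]'
    $declared = Select-String -Path $installScript.FullName -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches } |
        ForEach-Object { $_.Groups[2].Value.ToLowerInvariant() } |
        Sort-Object -Unique
    $record['InstallScript']     = $installScript.FullName
    $record['DeclaredChecksums'] = @($declared) -join ','
    $record['MatchesDeclared']   = [bool]($declared -contains $hash)
} else {
    $record['InstallScript']     = $null
    $record['DeclaredChecksums'] = $null
    $record['MatchesDeclared']   = $null   # unknown, not "mismatch"
}

# Write the evidence as JSON; attach it to a false-positive report or send it
# to the package maintainer together with the hash.
$out = Join-Path $env:TEMP ("flagged-" + $item.BaseName + "-" + $hash.Substring(0, 12) + ".json")
[pscustomobject]$record | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $out -Encoding UTF8

[pscustomobject]$record
Write-Host "Evidence written to $out"
```

Invoke it as `.\Record-FlaggedFile.ps1 -Path <flagged file> -PackageName pandoc` (script name is a placeholder). A `MatchesDeclared` of `True` with a valid signature means the file on disk is exactly what the moderated package shipped, so the detection is a question for the AV vendor; `False` on a directly downloaded executable, or a `HashMismatch` signature status, is the case where the file should be kept for analysis rather than deleted.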