For tika-1.23-src.zip 7 of 52 scanning engines on VirusTotal found a match


Fossies Administrator
Hi,

Just for information: as for all offered software packages, the FOSS server
fossies.org also forced a malware check by the VirusTotal site for the just
released tika-1.23-src.zip archive; see the line "VirusTotal check" at the
top of the page

  https://fossies.org/linux/misc/tika-1.23-src.zip/

You may click on the results to see the detailed report on
https://www.virustotal.com.

Unfortunately 7 of 52 scanning engines found a match for tika-1.23-src.zip.

Hopefully these are all false positives related to the nature of Tika, but
at least for tika-1.21-src.zip "only" 2 of 45 engines found a match,
see

  https://fossies.org/linux/misc/legacy/tika-1.21-src.zip/

Regards

Jens

--
FOSSIES - The Fresh Open Source Software archive
mainly for Internet, Engineering and Science
https://fossies.org/

Re: For tika-1.23-src.zip 7 of 52 scanning engines on VirusTotal found a match

Tim Allison
Jens,
   Thank you for the note. We added two compression quines to the unit
tests, and that looks like what several of the engines are triggering on.
I’m on my phone now and can’t easily figure out if VirusTotal points to
specific files. Without that info, I can’t explain Riskware.Win32.Patcher.oltzn
or PATH_SLIP.

The latter also was found in 1.21. I’ll take a look early next week.

I find it eye-opening that the quines didn’t set off _more_ AV engines!🤣

Thank you, again!

Cheers,
    Tim

On Fri, Dec 6, 2019 at 5:36 PM Fossies Administrator <
[hidden email]> wrote:


Re: For tika-1.23-src.zip 7 of 52 scanning engines on VirusTotal found a match

Fossies Administrator
Hi Tim,

>   Thank you for the note. We added two compression quines to the unit
> tests, and that looks like what several of the engines are triggering on.
> I’m on my phone now and can’t easily figure out if VirusTotal points to
> specific files. Without that info, I can’t explain Riskware.Win32.Patcher.oltzn
> or PATH_SLIP.
>
> The latter also was found in 1.21. I’ll take a look early next week.
>
> I find it eye-opening that the quines didn’t set off _more_ AV engines!🤣

An addition: since for unknown reasons Fossies hadn't detected the release
of Tika version 1.22, no VirusTotal check was made for it. So I have now
made up for it manually, with a somewhat surprising result (even 14 of 56
engines matching):

Tika        1.21 (2 of 52)      1.22 (14 of 56)                   1.23 (7 of 52)
########### ################### ################################# ############################
Cyren       PATH_SLIP           PATH_SLIP                         PATH_SLIP
Zoner       Probably RTFBinData
Alibaba                         TrojanArcBomb:GZip/Agent.836c5791
Symantec                        Trojan.Gen.NPE
ESET-NOD32                      Archbomb.ZIP                      Archbomb.ZIP
Kaspersky                       Trojan-ArcBomb.GZip.Agent.e       Trojan-ArcBomb.GZip.Agent.e
NANO-Antiv.                     Riskware.Win32.Patcher.oltzn      Riskware.Win32.Patcher.oltzn
AegisLab                        Trojan.GZip.Agent.61c
Sophos                          Troj/ZipB-A                       Troj/ZipB-A
Comodo                          Malware@#3vccmnmqk3bh6
SentinelOne                     DFI - Malicious Archive           DFI - Malicious Archive
Fortinet                        Riskware/GZunlimited
ZoneAlarm                       Trojan-ArcBomb.GZip.Agent.e       Trojan-ArcBomb.GZip.Agent.e
Ikarus                          Trojan-Downloader.PS.Agent
Qihoo-360                       Win32/Trojan.BO.316

For Tika 1.21 I repeated the check because the signatures could have been
updated in the meantime. But still 2 matches (now out of 52 instead of 45
engines).

Regards

Jens


Re: For tika-1.23-src.zip 7 of 52 scanning engines on VirusTotal found a match

Tim Allison
So we’ve improved!!! LOL!

We added the quines in 1.22. Still on my phone and can’t dig in. I wonder
if the non-compression hits are from tools that timed out on 1.23 but did
not time out on 1.22.

Is there any way to tell which files are triggering the hits?

Thank you, Jens!!!

Cheers,
    Tim

On Sat, Dec 7, 2019 at 10:20 AM Fossies Administrator <
[hidden email]> wrote:


Re: For tika-1.23-src.zip 7 of 52 scanning engines on VirusTotal found a match

Fossies Administrator
Hi Tim,

you are right that one should also take the time-outs of some engines into
account, so here is a new table. For better readability and to avoid line
wrapping in the mail, I omitted the 1.21 results (with two matches), sorted
the table alphabetically by engine name and replaced some long virus names
by abbreviations:

Tika        1.22 (14 of 56)       1.23 (7 of 52)       1.23 r (4 of 46)
########### ##################### #################### ################
AegisLab    Trojan.GZip.Agent.6!c
Alibaba     TJAB1                                      TJAB1
Comodo      MW@#3v
Cyren       PATH_SLIP             PATH_SLIP            (-)
ESET-NOD32  Archbomb.ZIP          Archbomb.ZIP         Archbomb.ZIP
Fortinet    Riskware/GZunlimited
Ikarus      TJDPSA                (-)                  (-)
Kaspersky   TJABe                 TJABe                TJABe
NANO-Antiv  RWW32P                RWW32P               (-)
Qihoo-360   Win32/Trojan.BO.316
SentinelOne DFI - Malic. Archive  DFI - Malic. Archive
Sophos      Troj/ZipB-A           Troj/ZipB-A
Symantec    Trojan.Gen.NPE
ZoneAlarm   TJABe                 TJABe                TJABe
Zoner       (-)                   (-)                  (-)

(-)    "timeout"
TJAB1  TrojanArcBomb:GZip/Agent.836c5791
TJAB2  TrojanArcBomb:GZip/Agent.1b53fc34
TJABe  Trojan-ArcBomb.GZip.Agent.e
MW@#3v Malware@#3vccmnmqk3bh6
TJDPSA Trojan-Downloader.PS.Agent
RWW32P Riskware.Win32.Patcher.oltzn

Additionally I unpacked and repacked the tika-1.23-src.zip archive and had
the zip archive generated that way also checked by VirusTotal (right
column). The somewhat irritating result is that two engines don't match
(two other engines that matched for the original zip archive unfortunately
timed out).

A manual check on my Linux home system with the tool ClamAV
using additional unofficial signatures found

  Sanesecurity.Malware.27384.ZipHeur.ZipSlip
in
  tika-app/src/test/resources/test-data/testZip_relative.zip

and

  Sanesecurity.Malware.27384.ZipHeur.ZipSlip
in
  tika-app/src/test/resources/test-data/testZip_overlappingNames.zip

OK, both matches are caused by the special contents the file names point
to. So I first suspected that all the matches might be caused by files in
the "tika-app/src/test/resources/test-data/" sub-directory, packed those
files in a test zip file and had it checked. But only the engine "Cyren"
found a match "PATH_SLIP", so there must be more files leading to the above
matches.

That's all a little bit irritating, and it seems the VirusTotal check can
only be used as a rough hint (especially since the availability of some
engines fluctuates a lot).

If someone has access to one of the above-mentioned engines, a
corresponding scan would be helpful to find out the triggering files.

Regards

Jens.

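Tim asks above which files trigger the hits, and Jens narrows it down by repacking the test-data sub-directory and rescanning. The following added example is my own code, not Tika's or Fossies', and it does that per-member triage offline: it reads only the zip central directory (and, one level down, the zips a source archive carries, as the tika-app test-data directory does) and flags, per member, the three archive-level signals the engine names in this thread point to: traversal entry names (ZipSlip / PATH_SLIP), duplicate or overlapping names, and extreme compression ratios (ArcBomb / Archbomb). Nothing is decompressed, so a real archive bomb is safe to scan. The 100:1 ratio threshold, the 10 MB cap on nested zips, the suffix list and the sample archive are assumptions of this example, not rules of any of the engines named.

```python
"""Per-member triage of a source zip for the archive-level signals named in
this thread. Added example, not Tika or Fossies code. Nothing is decompressed:
sizes come from the zip central directory. Thresholds and the sample archive
are assumptions, not engine rules."""
import io
import posixpath
import warnings
import zipfile

MAX_RATIO = 100.0              # assumed: uncompressed/compressed above this => "high-ratio"
MAX_NESTED_BYTES = 10_000_000  # assumed: skip reading nested zips larger than this
ARCHIVE_SUFFIXES = (".zip", ".jar", ".gz", ".bz2", ".xz", ".7z", ".tar")


def is_traversal(name: str) -> bool:
    """True if an entry name would escape the extraction directory (ZipSlip)."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True  # absolute POSIX path or Windows drive-letter path
    return posixpath.normpath(norm).split("/")[0] == ".."


def scan_zip_bytes(data: bytes) -> dict:
    """Return {member_name: [reasons]} for members that trip a heuristic."""
    findings, seen = {}, set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = []
            if is_traversal(info.filename):
                reasons.append("path-traversal")
            if info.filename in seen:  # overlapping names: the later copy wins on extract
                reasons.append("duplicate-name")
            seen.add(info.filename)
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                reasons.append("high-ratio")
            if info.filename.lower().endswith(ARCHIVE_SUFFIXES):
                reasons.append("nested-archive")
            if reasons:
                findings[info.filename] = reasons
    return findings


def scan_source_archive(data: bytes) -> dict:
    """Scan an archive and, one level down, each zip it contains.
    Nested findings are keyed 'outer-member!inner-member'."""
    findings = scan_zip_bytes(data)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".zip") or info.file_size > MAX_NESTED_BYTES:
                continue
            try:
                inner = scan_zip_bytes(zf.read(info.filename))
            except zipfile.BadZipFile:
                findings.setdefault(info.filename, []).append("unreadable-zip")
                continue
            for name, reasons in inner.items():
                findings[f"{info.filename}!{name}"] = reasons
    return findings


def _make_zip(members, method=zipfile.ZIP_DEFLATED) -> bytes:
    """Build a zip in memory; duplicate names are allowed on purpose."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", method) as zf:
            for name, payload in members:
                zf.writestr(name, payload)
    return buf.getvalue()


def build_sample() -> bytes:
    """Constructed stand-in for a source zip carrying a test-data directory."""
    relative = _make_zip([("../escaped.txt", b"hello")])            # traversal-style name
    overlapping = _make_zip([("a.txt", b"one"), ("a.txt", b"two")])  # same name twice
    bomb = _make_zip([("zeros.bin", b"\0" * 1_000_000)])            # ~1000:1 deflate ratio
    return _make_zip([
        ("src/main/Foo.java", b"class Foo {}"),
        ("test-data/testZip_relative.zip", relative),
        ("test-data/testZip_overlappingNames.zip", overlapping),
        ("test-data/testZip_bomb.zip", bomb),  # constructed name, not a Tika test file
    ], zipfile.ZIP_STORED)


if __name__ == "__main__":
    for member, reasons in sorted(scan_source_archive(build_sample()).items()):
        print(f"{member}: {', '.join(reasons)}")
```

Run against a real source archive by passing its bytes to `scan_source_archive`; the output lists exactly which members carry each signal, which is the information a VirusTotal summary leaves out. The design choice that matters is never calling `extract` or `read` on a member that is not itself a small zip: ratios and names all come from the central directory, so the bomb in the sample costs nothing to flag.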