Closed Bug 1214440 Opened 9 years ago Closed 9 years ago

Virus : false positive ?

Categories

(Thunderbird :: Security, defect)

38 Branch
x86_64
Windows 7
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: david.vantyghem, Unassigned)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151006000732

Steps to reproduce:

Virus detected in Thunderbird. False positive?
https://www.virustotal.com/fr/file/44707484ff28b99fea5c8072872d12fc2471133ab66085d5595c42a225d33bb2/analysis/1444773927/


Actual results:

Tested Thunderbird 38.3.0 for Windows with Virustotal.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Highly unlikely there is a problem.  
1. Thunderbird is automatically submitted to virustotal as part of the release process
2. http://releases.mozilla.org/pub/mozilla.org/thunderbird/releases/38.3.0/win32/en-US/Thunderbird%20Setup%2038.3.0.exe tests *completely clean* - https://www.virustotal.com/en/url/645d77a6934060e3de496e7f0b6c4bd7c2f598450f4db7b6924102664f91d4d1/analysis/1444781092/

I suspect you are getting a false positive because of how or to where the file was downloaded
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
The scan that you make automatically isn't useful because you scan the website, not the file. That's why each result is « Clean site ».
I scanned the file in your link http://releases.mozilla.org/pub/mozilla.org/thunderbird/releases/38.3.0/win32/en-US/Thunderbird%20Setup%2038.3.0.exe and the same virus is found: https://www.virustotal.com/fr/file/cdcc724fdbcdc5c6dbe838368749f2f8c226534b29634bee0c2c8b2aaa0e8425/analysis/
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
ludo and sylvestre may have more insight than me. And sylvestre may have access to the automation results where 38.3.0 was built


(In reply to David VANTYGHEM from comment #2)
> The scan that you make automatically isn't useful because you scan the
> website, not the file. That's why each result is « Clean site ».

3. Yes, what's on a website might be different from what a user downloads. And perhaps even more probable with as large an MDN as mozilla has. But it is untrue that automatic results are not useful - automatic results are perfectly acceptable. Virustotal offers the ability to provide a URL and is designed to be used in that way.

That said, 
* you and I are getting *different results* with URL - mine (from comment 1) states "The response exceeds the maximum file size allowed by the application. VirusTotal will only download files under 32MB in size." but yours does not, so the files are different. 
* I do reproduce your results with a *downloaded* file https://www.virustotal.com/en/file/cdcc724fdbcdc5c6dbe838368749f2f8c226534b29634bee0c2c8b2aaa0e8425/analysis/

> I scanned the file in your link
> http://releases.mozilla.org/pub/mozilla.org/thunderbird/releases/38.3.0/
> win32/en-US/Thunderbird%20Setup%2038.3.0.exe and the same virus is found:
> https://www.virustotal.com/fr/file/
> cdcc724fdbcdc5c6dbe838368749f2f8c226534b29634bee0c2c8b2aaa0e8425/analysis/

Your virustotal result states:
"Detection ratio: 	1 / 56"
"Probably harmless! There are strong indicators suggesting that this file is safe to use."
"Antivirus 	Result 	                        Update
 Rising 	PE:Malware.Techsnab!6.2585[F1] 	20151012"

So the findings of virustotal are, that the file is acceptable for use.
See Also: → 1214434
I'd be worried if more than one would find a virus. This is a false positive.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Yes, but we could be worried too if this was the first antivirus that discovers a new virus. Viruses are implemented in the files that are the most used, like Thunderbird. Is it sure that people who compile the Windows version of Thunderbird are working in a safe environment, like a freshly installed virtual Windows system, without any other unnecessary software installed?
Status: RESOLVED → VERIFIED
Resolution: FIXED → INVALID