Well known Linux source code from official server marked as malware.
Categories
(Toolkit :: Safe Browsing, defect, P3)
People
(Reporter: andremnz1, Unassigned)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Steps to reproduce:
Visit: https://ftp.gnome.org/pub/GNOME/sources/gedit/
Download any of the reasonably new source code archive files and Firefox will say "This file contains a virus or malware."
For example: https://ftp.gnome.org/pub/GNOME/sources/gedit/3.37/gedit-3.37.3.tar.xz
Actual results:
As above.
This is Linux source code from a well respected company from its official server. For a simple text editor.
VirusTotal says each of the five archives I uploaded has a 0/80 or 1/80 detection rate. They are all detected as malware by Firefox.
If this was some random .exe that was actually safe it wouldn't bother me, but how on earth does harmless Linux source code for a text editor from a well respected company get marked as malware? Lots of their source packages, from what I can tell.
Expected results:
Downloaded normally.
It's a well known archive format (".tar.gz"); any anti-malware program should see it contains no executables etc. It's one of the weirdest false positives I've seen.
Updated • 4 years ago
Comment 2 • 4 years ago
I can reproduce this issue in Chrome. Safe Browsing service thinks this is a dangerous file.
Since this can be reproduced with different .tar.gz files on the site, I guess one of the files in the archive is considered dangerous by Safe Browsing.
But there are too many, so I didn't try it.
The best thing we can do here is to report this false positive to Google.
These are the files/folders of one of the archives that are detected. It would be good if we could know what file is being detected, as it is a particularly unusual false positive.
The exact same file (same sha256 sum) is seen as clean from another link on the same site. Both are hosted elsewhere.