John Sellers wrote on 16 September 2008 10:15:
> (I am VERY tired right now so any I typed here might have typos.)
> Today I ran a scan with Kaspersky Internet Security 2009, and it
> reported that a couple of files in the install\cygwin directories were
> infected by Net_Worm.win32.sassor.be.
It reported wrong.
> My system is WindowsXP Media edition
>
> These were:
>
>
>
C:\install\cygwin\package\http%3a%2f%2fmirrors.kernel.org%2fsourceware%2fcygwi
n\release\coreutils\coreutils-6.7-1.tar.bz2
>
C:\install\cygwin\package\http%3a%2f%2fmirrors.kernel.org%2fsourceware%2fcygwi
n\release\coreutils\coreutils-6.7-2.tar.bz2
>
>
> and more specifically:
>
> coreutils-6.7-2//user/bin/gkill.exe
>
> I know these are old releases so I am assuming everything is OK.
Given that those files are old, and have been around your drive for some
time, and suddenly start detecting, you can infer one of two things:
- they're the same as they always have been and it's the AV signature that has
changed.
- they've changed and are now tripping an existing (or perhaps new) signature.
Given that sasser is a worm that transfers itself in whole from one PC to
another, and not a virus that infects or modifies existing files to attach
itself (and in particular not files way down in a compressed archive), there
is zero chance that these files have become sasser-infected.
Therefore the signatures have changed and this is a false positive.
> I
> deleted these to tar files and I assume that won't hurt my
> installation. right?
Setup.exe will offer to redownload them if you ever want to reinstall, I
think.
Still, you'd be doing all the other Cygwin+Kapersky users a favour if you
reported the false positive. Kapersky might update their signatures and save
them the trouble you've been through.
cheers,
DaveK
--
Can't think of a witty .sigline today....
--
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
Problem reports: http://cygwin.com/problems.html
Documentation: http://cygwin.com/docs.html
FAQ: http://cygwin.com/faq/
