DistroWatch’s Jesse Smith is bringing some attention to an issue I have never encountered and had never heard of, and it has to do with antivirus software on Windows. It seems it’s not uncommon for antivirus software on Windows to mark Linux ISOs as malware or otherwise dangerous, and it seems people are reporting these findings to DistroWatch, for some reason. DistroWatch makes it clear they don’t host any of the ISOs, and that close to all of these warnings from antivirus software are false positives.
So why do multiple Windows virus scanners report that they find malware in Linux downloads? Putting aside the obvious conspiracy theories about anti-virus vendors not wanting to lose customers, what is probably happening is the scanners are detecting an archive file (the ISO) which contains executable code, and flagging it as suspicious. Some of the code is even able to change the disk layout, which is something that looks nasty from a security point of view. It’s entirely understandable that a malware scanner which sees an archive full of executable code that could change the way the system boots would flag it as dangerous.
↫ Jesse Smith at DistroWatch
I wonder how many people curious about Linux downloaded an ISO, only to delete it after their Windows antivirus marked it as dangerous. I can’t imagine the number to be particularly high – if you’re downloading a Linux ISO, you’re probably knowledgeable enough to figure out it’s a false positive – but apparently it’s a big enough issue that DistroWatch needs to inform its readers about it, which is absolutely wild to me.
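The explanation quoted above (an "archive full of executable code that could change the way the system boots") describes structural traits of a hybrid bootable ISO: an MBR with a boot signature and partition table, an ISO 9660 volume descriptor, and an El Torito boot record. The added example below is not from the OSNews post, DistroWatch, or any distribution's tooling; it inspects a file for exactly those traits so you can see what a heuristic scanner reacts to, and then does the check that actually settles the false-positive question: comparing the file's SHA-256 against the distribution's published SHA256SUMS. The sample image is constructed in memory (a stand-in, not a real distro ISO), and the hash-list parsing assumes the GNU coreutils `sha256sum` output format.

```python
"""Added example: what an AV heuristic "sees" in a bootable Linux ISO, and how to
verify the download independently of the scanner's verdict. Not from the original
page; the sample image below is constructed, not a real distribution ISO."""
import hashlib
import hmac
import os
import tempfile

SECTOR = 2048  # ISO 9660 logical sector size


def iso_boot_features(path):
    """Report the structural traits that trip 'executable archive' heuristics."""
    with open(path, "rb") as f:
        head = f.read(SECTOR * 18)  # sectors 0..17 cover the MBR, PVD and El Torito record
    pvd = 16 * SECTOR  # primary volume descriptor: type 1, "CD001"
    brvd = 17 * SECTOR  # boot record volume descriptor: type 0, "CD001", El Torito ID
    return {
        # Hybrid ISOs carry a real MBR so the same image boots from a USB stick.
        "mbr_boot_signature": head[510:512] == b"\x55\xAA",
        # Non-empty entries in the 4-slot partition table at offset 446.
        "partition_table_entries": sum(
            1 for i in range(4) if any(head[446 + 16 * i:446 + 16 * i + 16])
        ),
        "iso9660_pvd": head[pvd:pvd + 6] == b"\x01CD001",
        "el_torito_boot": (
            head[brvd:brvd + 6] == b"\x00CD001"
            and head[brvd + 7:brvd + 30] == b"EL TORITO SPECIFICATION"
        ),
    }


def parse_sha256sums(text):
    """Parse a SHA256SUMS file: '<hex digest>  <filename>' per line (coreutils format)."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if not name:  # binary-mode marker variant: '<hex> *<filename>'
            digest, _, name = line.partition(" *")
        sums[name.strip().lstrip("*")] = digest.strip().lower()
    return sums


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(path, sums_text):
    """True only if the file's SHA-256 matches the entry for its basename."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def build_sample_image(path):
    """Constructed stand-in for a hybrid bootable ISO (assumption: just the headers)."""
    img = bytearray(SECTOR * 20)
    img[0:3] = b"\xEB\x63\x90"  # jmp/nop: start of MBR boot code
    img[446 + 4] = 0x83  # one partition entry, type 0x83 (Linux)
    img[510:512] = b"\x55\xAA"
    img[16 * SECTOR:16 * SECTOR + 7] = b"\x01CD001\x01"
    img[17 * SECTOR:17 * SECTOR + 7] = b"\x00CD001\x01"
    img[17 * SECTOR + 7:17 * SECTOR + 30] = b"EL TORITO SPECIFICATION"
    with open(path, "wb") as f:
        f.write(img)
    return path


def demo():
    """Returns (features, verdict for a matching SHA256SUMS, verdict for a wrong one)."""
    with tempfile.TemporaryDirectory() as d:
        iso = build_sample_image(os.path.join(d, "sample-linux.iso"))
        feats = iso_boot_features(iso)
        good_sums = f"{sha256_file(iso)}  sample-linux.iso\n"
        wrong_sums = "0" * 64 + "  sample-linux.iso\n"
        return feats, verify_iso(iso, good_sums), verify_iso(iso, wrong_sums)


if __name__ == "__main__":
    features, ok, bad = demo()
    print(features)
    print("matches published SHA256SUMS:", ok, "| matches wrong list:", bad)
```

The first function shows why a scanner has a plausible reason to be nervous: the same traits are present in a legitimate installer image and in a bootkit dropper. The second part is the practitioner's answer to that ambiguity. A hash match tells you the file is byte-for-byte what the distribution published, which an AV heuristic cannot tell you; pair it with a signature check on the hash list itself (distributions typically publish a detached signature you verify with `gpg --verify SHA256SUMS.gpg SHA256SUMS`), since a mirror that can tamper with the ISO can tamper with an unsigned SHA256SUMS too.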
This is nothing new. Common libraries and toolkits have been getting marked as malware or PUPs for a couple of decades now on the weak (and occasionally blatantly false) excuse that they were used by such malware or PUPs.
*nod*
See https://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/
I drop installers I create into VirusTotal and it’s pretty normal for between 1 and 6 of the more obscure virus scanners to consider them malware and have their heuristic detectors disagree on what they are.
Last I checked, the official WinRAR and NSIS installers tripped them, and, from the ssokolow/stuffit-test-files GitHub repository where I share archives from the copies of StuffIt I’ve collected, testfile.stuffit_deluxe_2009.win.install.exe showed 11 false positives out of 67 (I assume because they don’t know how to scan inside SitX archives and conclude they must be malware) and testfile.stuffit_deluxe_2010.win.install.exe also showed 11 false positives… I assume because they’ve decided that UPX file compression is indicative of malicious software.
This is about specificity.
You either under specify or over specify the virus detection (usually a bit of both). For those versed in machine learning algorithms: precision and recall.
Turn the knob too high and everything is possible malware. Turn it down and you even let known worms pass through.
So they constantly micro adjust that detection surface.
Unfortunately fixing issues with “random” Linux ISOs would be very low on the priority list. As long as the average user gets a good enough experience catching most bad stuff, the monthly subscription checks keep coming.
The legitimate Linux user? They won’t be paying anyway.
(I know this is a bit harsh. But this would be the economic reality behind those designs)