DistroWatch’s Jesse Smith is bringing some attention to an issue I have never encountered and had never heard of, and it has to do with antivirus software on Windows. It seems it’s not uncommon for antivirus software on Windows to mark Linux ISOs as malware or otherwise dangerous, and it seems people are reporting these findings to DistroWatch, for some reason. DistroWatch makes it clear they don’t host any of the ISOs, and that close to all of these warnings from antivirus software are false positives.
So why do multiple Windows virus scanners report that they find malware in Linux downloads? Putting aside the obvious conspiracy theories about anti-virus vendors not wanting to lose customers, what is probably happening is the scanners are detecting an archive file (the ISO) which contains executable code, and flagging it as suspicious. Some of the code is even able to change the disk layout, which is something that looks nasty from a security point of view. It’s entirely understandable that a malware scanner which sees an archive full of executable code that could change the way the system boots would flag it as dangerous.
↫ Jesse Smith at DistroWatch
I wonder how many people curious about Linux downloaded an ISO, only to delete it after their Windows antivirus marked it as dangerous. I can’t imagine the number to be particularly high – if you’re downloading a Linux ISO, you’re probably knowledgeable enough to figure out it’s a false positive – but apparently it’s a big enough issue that DistroWatch needs to inform its readers about it, which is absolutely wild to me.
This is nothing new. Common libraries and toolkits have been getting marked as malware or PUPs for a couple of decades now on the weak (and occasionally blatantly false) excuse that they were used by such malware or PUPs.
*nod*
See https://blog.nirsoft.net/2009/05/17/antivirus-companies-cause-a-big-headache-to-small-developers/
Enturbulated,
+1
It’s one of my gripes with AV suites that flag everything the same way while not properly identifying their justification. It’s really annoying because you don’t know if the AV tool properly identified an actual virus versus a legitimate tool. These are totally different threats and must be handled differently to avoid confusion. There are much better ways to provide notifications that the tools are running on the system, without conflating the tools with malware.
Unfortunately, AV providers that fail to distinguish between viruses and legitimate admin tools create a serious security problem wherein users get trained to ignore the AV due to its false positives.
Official websites may tell users to ignore the AV warnings, users and employees may become trained to ignore the AV warnings. These are bad practices, but they come about because of the false positives. One day when it’s not a false positive, users will reflexively override the AV because of past experience. It’s the story of “the boy who cried wolf”.
Alfman,
Isn’t the Windows Defender Log precisely what you are looking for?
https://www.nirsoft.net/utils/windows_defender_log_viewer.html
sukru,
I use Windows much less regularly than I used to, so honestly I’m not really “looking” for anything, but it looks like a nice utility. I really like that it has a network feature as opposed to having to install & run the utility everywhere.
I couldn’t find anything about automating it to pop up alerts. I know enterprise AV software already does this, but I’m not aware if any personal AV support full network monitoring.
Alfman,
Yes, Windows + Enterprise setups usually mean software companies turning into vultures.
And hardware, too:
“Have a nice nvidia card here. But… we can’t allow you to install the drivers on this Server edition. Please buy the $10,000 card which is supported on your system”
(Hint, please do not edit nv_display.inf and similar files. It might inadvertently load drivers on unsupported operating systems, and you would not want that)
I drop installers I create into VirusTotal and it’s pretty normal for between 1 and 6 of the more obscure virus scanners to consider them malware and have their heuristic detectors disagree on what they are.
Last I checked, the official WinRAR and NSIS installers tripped them, and, from the ssokolow/stuffit-test-files GitHub repository where I share archives from the copies of StuffIt I’ve collected, testfile.stuffit_deluxe_2009.win.install.exe showed 11 false positives out of 67 (I assume because they don’t know how to scan inside SitX archives and conclude they must be malware) and testfile.stuffit_deluxe_2010.win.install.exe also showed 11 false positives… I assume because they’ve decided that UPX file compression is indicative of malicious software.
This is about specificity.
You either under specify or over specify the virus detection (usually a bit of both). For those versed in machine learning algorithms: precision and recall.
Turn the knob too high and everything is possible malware. Turn it down and you even let known worms pass through.
So they constantly micro adjust that detection surface.
Unfortunately, fixing issues with “random” Linux ISOs would be very low on the priority list. As long as the average user gets a good enough experience catching most bad stuff, the monthly subscription checks keep coming.
The legitimate Linux user? They won’t be paying anyway.
(I know this is a bit harsh. But this would be the economic reality behind those designs)
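The threshold trade-off described in the comment above, as an added illustration that is not part of the thread: a constructed set of files with hypothetical scanner scores (the names, scores and labels are made up for the example) is swept across several cut-offs, and precision and recall are computed at each. Lowering the threshold catches every real threat but sweeps up the Linux ISO and the UPX-packed installer as false positives; raising it clears the false positives at the cost of missing real malware.

```python
# Added example, not code from any AV vendor: sweep a detection threshold over
# constructed sample scores and report precision/recall at each setting.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    score: float      # hypothetical heuristic "suspiciousness" score, 0..1
    malicious: bool   # constructed ground truth for the example


# Constructed sample set: a few real threats plus benign files that carry
# traits heuristics dislike (executable boot code inside an archive, packing).
SAMPLES = [
    Sample("known-worm.exe", 0.95, True),
    Sample("dropper-packed.exe", 0.80, True),
    Sample("macro-doc.docm", 0.60, True),
    Sample("linux-distro.iso", 0.70, False),    # archive containing boot code
    Sample("upx-installer.exe", 0.65, False),   # packed legitimate installer
    Sample("admin-tool.exe", 0.55, False),      # legitimate admin utility
    Sample("holiday-photo.jpg", 0.05, False),
]


def confusion(samples, threshold):
    """Count true positives, false positives and false negatives at a cut-off."""
    tp = sum(1 for s in samples if s.malicious and s.score >= threshold)
    fp = sum(1 for s in samples if not s.malicious and s.score >= threshold)
    fn = sum(1 for s in samples if s.malicious and s.score < threshold)
    return tp, fp, fn


def precision_recall(samples, threshold):
    """Precision = flagged files that really are malicious; recall = malicious files caught."""
    tp, fp, fn = confusion(samples, threshold)
    precision = tp / (tp + fp) if tp + fp else 1.0
    recall = tp / (tp + fn) if tp + fn else 1.0
    return precision, recall


def false_positives(samples, threshold):
    """Names of benign files the scanner would flag at this cut-off."""
    return [s.name for s in samples if not s.malicious and s.score >= threshold]


def sweep(samples, thresholds):
    """Map each threshold to its (precision, recall) pair."""
    return {t: precision_recall(samples, t) for t in thresholds}


if __name__ == "__main__":
    for t, (p, r) in sweep(SAMPLES, (0.5, 0.6, 0.75, 0.9)).items():
        print(f"threshold {t:.2f}: precision {p:.2f} recall {r:.2f} "
              f"false positives {false_positives(SAMPLES, t)}")
```

At 0.5 and 0.6 every real threat is caught (recall 1.0) but the ISO and the packed installer are flagged too; at 0.75 the false positives disappear while the macro document slips through. The scanner vendor is choosing a point on that curve, and a Linux ISO sitting near the cut-off is exactly the kind of file that moves across it with each adjustment.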
As much as I don’t like it, this is (probably mostly) correct behavior. Malware detectors should not make inferences about what a user intended to do when they download a file. If it was downloaded off the wild internet and contains executable code it ought to be flagged.
What really matters is how software guides users. A statement that is helpful to me (“this is an archive containing executable code that looks like it could reformat your hard disk”) is probably not helpful to a user who e.g. does not need to know what a hard disk is in order to do their job. So a message like “clicking on this thing you just downloaded might be a REALLY BAD IDEA” may be as good as it gets.
Brainworm,
Surely it depends what it’s flagged as. It’s less of an issue if something gets flagged as what it is. Flag a Linux distro as a Linux distro, fine…that’s what it is. But flagging Linux ISOs as a virus or malware when that’s factually wrong is extremely bad for security because it trains users to ignore the AVs over false positives. One day they could download a Linux ISO that actually contains a real virus and it will be ignored because the AV was guilty of false positives, decreasing the legitimacy of AV security alerts.
Besides false positives, another problem has to do with inconsistent objectivity in threat assessments. For example, an AV might give PowerShell binaries a pass, but flag another shell as malware. Ironically, if anything PowerShell is at a higher risk of being used by malware authors because it’s more common. Alas, there seems to be a double standard for the big players versus the little guys. Ssokolow’s link at the top is relevant here.